This article goes into more detail about how these new measures will actually work compared to the blog post earlier this year from Google. Namely:

  1. Enabling the OEM unlocking setting will no longer prevent FRP from activating.
  2. Bypassing the setup wizard will no longer deactivate FRP. FRP restrictions will apply until you verify ownership of the device by signing in.
  3. Adding a new Google account is blocked.
  4. Setting a lock screen PIN or password is blocked.
  5. Installing new apps is blocked.
  • KickMeElmo
    link
    fedilink
    English
    arrow-up
    68
    arrow-down
    7
    ·
    2 months ago

    Sounds like good ideas that’ll be a pain in the ass for innocent power users.

  • shortwavesurfer@lemmy.zip
    link
    fedilink
    English
    arrow-up
    38
    ·
    2 months ago

    Okay, according to the article, this functionality will only activate after you have signed into a Google account for the first time on the device. So, at least for those of us who use custom software such as lineage OS, that won’t matter since we don’t put a Google account on the device to begin with in a lot of cases. A lot of us boot the phone for the first time, skip the entire setup wizard as fast as possible without signing in or any of that stuff, and then immediately enable OEM unlocking and flash the lineage or whatever software.

      • shortwavesurfer@lemmy.zip
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 months ago

        Well, that won’t matter unless it’s a brand new phone or has been properly erased because you won’t be able to install lineage anyway unless one of those two conditions are met.

    • henfredemars@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      I think the reason this hasn’t been done yet is because their implementation comes with benefits like portability and low maintenance when the feature is implemented in just one app and just one part of the code. I think they hoped that patching bypasses in one app is viable and would eventually close most of the holes, but it turned out not to be so simple because bypasses emerged time and time again even with very limited initial access.

      You’re not supposed to be able to skip running the wizard. A stolen phone was unusable and effectively had all of these features, but with a single point of failure that has turned out to be more of a problem then the maintenance benefit is worth.

  • Kokesh@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 months ago

    So… I flash wrong ROM, wipe everything and install the correct one and I’m screwed? Or do I just login with my Google account?

    • henfredemars@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      I think you would be fine. You’re only restricted if you log into the vanilla ROM, do some stuff, and later if you want to use the vanilla ROM again you’ll be required to login to the account you used last on the vanilla ROM to make it happy with the device.

      I don’t expect custom ROMs will have any compatibility with this feature. I believe they would bypass it entirely.

    • ReversalHatchery@beehaw.org
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      2
      ·
      2 months ago

      for me it’s been the same since 8. sure there are some good changes, but generally it’s forced restrictions upon more forced restrictions, and I hate it

    • claudiop@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      ·
      2 months ago

      Why exactly is this worse?

      It is an optional feature that the majority of people will be using, making herd immunity for those who do not

    • henfredemars@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      True! But it still hurts the resale value because users are likely to notice a device with broken secure boot if you were to somehow use it to forcefully flash a modified ROM.

      Are you proposing this mode could be used to somehow clear the secret data?

      My understanding is EDL mode can refuse to flash some partitions and some devices will not enter this mode if fastboot is working, which also enforces preventing access to some partitions. Most people who use EDL already unlocked the bootloader, but I don’t think this method works on all devices if the boot loader is still locked.

  • jbk@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    4
    ·
    2 months ago

    This could still be bypassed by flashing a new OS that deliberately messes up the userdata wipe-persisting secrets. Well idk if there’s a way to prevent that, but I guess really needy and tech-savvy people could recover lost devices that way

      • jbk@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        2 months ago

        Is the bootloader unlocking requirement that FRP is not triggered a hard one or just because the settings screen isn’t (or shouldn’t) be reachable? Now that OEM unlocking and FRP aren’t tied together anymore, it doesn’t seem like a hard one