Custom ROMs dead?
Recently I got a discarded Motorola G84 phone, which is supported by LineageOS, version 23 no less (Android 16, so the latest!). I unlocked the bootloader and flashed LineageOS (and MindTheGapps, turned out it’s important to start Lineage once before you flash it, not right away) and started setting up apps and data, as I have done now with nearly a dozen phones.
The first sign things were not well arrived when an app that required entering my phone number to retrieve my account errored out with an issue related to Firebase authentication. It just wouldn’t work. I suspected the issue was in the Google Play Services, which is why you load up MindTheGapps (or other such Play Store reimplementations), as regular apps (obtained through F-Droid or manually downloaded APKs) worked fine. Even some apps from the Play Store worked. So I first searched for the issue in this direction, trying out NikGApps and microG as well. I even tried /e/OS. All the same issue.
Since it was related to authentication, I started to suspect it was about the unlocked bootloader, not an error in the Play Service app or provider. Perhaps a signing issue in LineageOS itself? Few clues remained, but one was that a banking app reported it could not set up my account because the phone was not secure or somesuch (didn’t write down the error). LineageOS has no public forum or chat (IRC and Discord require an account), so it’s kinda difficult to find a place with user experiences about this. The XDA forums are really the largest knowledge base, but they’re not very structured, and this phone (G84) is apparently not that common, so there is not a lot of forum presence.
I quickly came across SafetyNet [1] (pre Android 13), Play Integrity [2] and the Trusted Execution Environment (TEE) [3], the latter two of which report that my phone indeed is not passing any sort of validation. It is strange that all my earlier phones do pass MEETS_BASIC_INTEGRITY. Although payment (e.g. Google Pay) never worked (I guess because MEETS_DEVICE_INTEGRITY==false), at least everything else I (want to) use works. So what changed?
I don’t have the full picture, but it seems to be the confluence of Play Integrity updates (May 2025) to Android Key Attestation. Some XDA posts speak about outdated or non-forward-compatible keys on the device (so a new Android version with a newer kernel may cease to work, although I managed a downgrade to LineageOS 22 by way of /e/OS, which didn’t help). Others mention invalidated fingerprints. I can’t be 100% sure, but this is the part that must be failing. When I get my hands on a Windows machine, I’ll try Motorola’s fix tool to reset me back to stock. Some say relocking the bootloader works, others say it doesn’t.
There are ways that fake the return values (Play Integrity Fix, TrickyStore?) and could enable apps checking for them, but they require rooting the phone, something I prefer not to do. Moreover, if apps use this API, they usually also check other things (i.e. rooting) and people report it’s a game of cat and mouse. Wouldn’t want to have apps disable themselves all the time!
In any case: it seems my days using LineageOS are over. GrapheneOS seems to make sure that you always at least meet BASIC, but that requires fairly recent Pixel phones, phones that I probably won’t soon get my hands on. This is not great.
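To illustrate why a phone that returns no device labels breaks some apps but not others, here is an added example (not from this post or from any real app) of how an app backend might gate features on the device labels in a Play Integrity verdict. It assumes the verdict token has already been decrypted and verified into JSON; the feature names and policies are hypothetical and the sample payloads are constructed.

```python
import json

# Device labels that can appear in deviceIntegrity.deviceRecognitionVerdict.
KNOWN_LABELS = {
    "MEETS_BASIC_INTEGRITY",
    "MEETS_DEVICE_INTEGRITY",
    "MEETS_STRONG_INTEGRITY",
}

# Hypothetical per-feature requirements (assumption, not any real app's rules).
POLICIES = {
    "open_app": set(),
    "phone_number_login": {"MEETS_BASIC_INTEGRITY"},
    "payments": {"MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"},
}


def device_labels(verdict_json):
    """Return the recognised device labels in a decoded verdict payload."""
    try:
        verdict = json.loads(verdict_json)
    except (TypeError, ValueError):
        return set()  # unparsable verdict: fail closed, no labels
    device = verdict.get("deviceIntegrity") if isinstance(verdict, dict) else None
    if not isinstance(device, dict):
        return set()
    labels = device.get("deviceRecognitionVerdict", [])  # key may be absent
    if not isinstance(labels, list):
        return set()
    # Ignore unknown or non-string entries instead of trusting them.
    return {l for l in labels if isinstance(l, str) and l in KNOWN_LABELS}


def allowed_features(verdict_json):
    """Map each feature to (allowed, sorted list of missing labels)."""
    have = device_labels(verdict_json)
    return {name: (need <= have, sorted(need - have))
            for name, need in POLICIES.items()}


# Constructed sample payloads: a phone that still gets the basic label,
# and a phone whose verdict carries no device labels at all.
BASIC_ONLY = json.dumps(
    {"deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]}})
NO_LABELS = json.dumps({"deviceIntegrity": {}})

if __name__ == "__main__":
    for name, payload in (("basic only", BASIC_ONLY), ("no labels", NO_LABELS)):
        print(name, allowed_features(payload))
```

With the basic-only payload only `payments` is refused; with the empty payload everything that asks for any label is refused, while features that ask for none keep working.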