Unlocked Bootloader Security Risk

I own a Samsung S10+ with iodé (bought from iodé). It works fine but lately I started to think about switching to a Google Pixel and install xxx (you know what but I don’t want to mention it on your site). The reason for this is that iodé (like it’s “father” lineageos) has an unlocked bootloader. This is a big security risk. Therefore I feel more and more uncomfortable with my phone. For minimizing the attack surface, I am looking for a device that is non-rooted and has a custom ROM with a locked bootloader.

… is relative depending on how you look at it, and presents itself to me in theory and practice very differentiated.

In 99.9% of custom ROMs, the bootloader remains unlocked and thus offers an increased attack surface. But how big is the real chance that these gaps are exploited by malicious software and criminal elements?

I know of three Android device families (“I don’t want to mention it on your site)”) where the bootloader is relocked after installing a custom ROM . Fairphone is one of them.

Hello Fidèles and Iodysseus, can you specify for novices these problems of unlocked boot loader flaws?
Bonjour Fidèles et Iodysseus, pouvez-vous préciser pour les novices ces problèmes de failles du chargeur de démarrage déverrouillé ? (j’ai un problème avec mon traducteur)

@Patrice, this matter is complex and controversial. Don’t let an unspecified statement drive you crazy and sit back and relax. iodéOS is ‘a thousand times’ more privacy friendly than any googled Stock Android.

Ce sujet est complexe et controversé. Ne vous laissez pas déconcerter par une déclaration non spécifiée et détendez-vous. iodéOS est mille fois plus respectueux de la vie privée que n’importe quel stock Android googlé.

A device with an unlocked bootloader can only be compromised by a physical access to it: pluging it to a computer and changing the recovery, the system, … The data cannot be directly accessed though, as decrypting it requires the user pin code or schema (which can unfortunately be bypassed with some manipulations - changing the recovery, deleting a system data file, which still requires a physical access to the device).

1 Like

Merci iodysseus pour votre réponse et votre bienveillance.