• [deleted]

I like to have the ability to unlock the bootloader and restore the phone to the factory OS whenever i want to.
(Maybe an update broke something etc.)

I didn't find much information about what security issues does this introduce.
Since if i unlock the bootloader the phone would wipe itself anyways so i don't see how userdata could be endangered while leaving this feature on.
When it gets turned off or on, it says "device protection features will be enabled/disabled" but there isn't much info about what does that exactly mean.

(I'm also not concerned about my phone being stolen and wiped. I only care about intrusions into the system and personal data being accessed.)

    I did see an impact if you look at my other posts. I have two phones. The first one I purchased to check out the OS from a reputable third party. After I liked it I bought another for family and set it completely up myself. Same model and same variant of that model, however the first one was left with OEM unlocked.

    The first one had an odd error I went through the time to try and source its cause after just a routine update. After reviewing the differences between the two and testing them out as much as I can, it is my opinion that not disabling the OEM unlock has the potential to cause errors. This may also be why Grapheneos website install directions state to disable OEM unlock after completion.

      OEM Unlocking permits the ability to install a new ROM image or a new bootloader. After booting the phone into the bootloader, we use Fastboot to unlock the bootloader (fastboot flashing unlock) or lock the bootloader (fastboot flashing lock) so that a new operating system or bootloader can be installed on the phone.

      For GrapheneOS

      • Enable OEM Unlocking
      • Reboot the phone and unlock the bootloader
      • Flash the GrapheneOS ROM which also includes a signed bootloader
      • Lock the bootloader then start the OS
      • Go into settings and disable OEM Unlocking

      For Jailbroken Phones
      The phone is rebooted into the Bootloader, the flashing is unlocked and it can never be enabled again as long as the phone remains jailbroken: the custom bootloader must remain unlocked because it use a special bootloader with supervisory privileges and additional software that runs at the supervisor level. As a result, jailbroken phones are huge security risks since anyone with sufficient knowledge can modify or even erase the jailbroken bootloader or the custom ROM image installed on the phone. In addition, malware or other nasty software can be easily installed on a jailbroken phone.

      [deleted]

      It shouldn't be necessary. The updates are tested by lots of people and automated tests are done before updates reach stable. Also, if an update is broken the phone will switch back to the other slot with the working version.

        • [deleted]

        unwat Do you think i'd lose out on anything if i keep it enabled? Im a bit more comfortable having an always working way to reset the phone independently from the os.

          [deleted] the advice from our team is to ALWAYS DISABLE OEM Unlocking.

          If you wish to leave it enabled. You must understand that this reduces our ability to support you should you encounter issues. Whenever you wish to comment or create a new thread or seek support by any other channels then you MUST disclose the fact that it was never enabled.

          You are leaving attack surface available in not doing so but we can't force anyone to do anything and individuals must make their own informed decisions and take the responsibility for not following any directions provided.

            [deleted]

            Yes. It makes your phone less safe and some apps just won't work because the phone is unlocked.

            An update won't mess up your phone. If you ever want to unlock the bootloader later to modify your system, you'll be able to.

              • [deleted]

              • Edited

              MetropleX i want to again clarify that the bootloader is still closed, only the option to unlock it is enabled. Could you please explain it in more detail how does this affect anything at all beside the attack surface? The offical guide provides a lot of info about other things but i couldnt find technical details of this anywhere.

              • [deleted]

              unwat My phone is not unlocked. Only oem unlocking is on, which are two different things. "get_unlock_ability" is set to 1 if that means anything for you. This does not affect the behaivour of any application.