OEM ROM:
- just works / ootbe
- proprietary features
- project mainline: security updates and some system components updated independently of OEM after EOL
- safety net / play integrity
- look & feel is on a higher level than an average custom ROM
- years after EOL, majority of apps will still support the ROM, kitkat is loosing support from play services this year, majority of apps target lolipop.
Custom ROM:
- fun with tinkering
- risks, worries, time spent
- more updates
- hit & miss -> either better or worse battery life, these are often targeting middle-school boys fanatic about anime, overclocking destroys heat management and battery life, safety net can stop working any day
- sketchy hacks to get some services for free etc.
- nice hacks to get 80% battery charging limit, underclock, automate tasks
- huge fragmentation and duplication of effort that leads nowhere among tons of ROMS, competition among them does not do any good currently as they have no incentive to compete
- unlocked bootloader -> less security when it's confiscated; but some people are able to lock the bootloader on a custom ROM.
- on one hand increased privacy, but not many people audit custom ROMS, so they pose higher security and privacy risks.
I just scratched the surface, but I think custom ROMS have failed people like me who value having no worries about safety net limiting their contactless payments, cards for public transportation within apps, those who value battery life and love underclocks, professional look instead of kitsch, peace of mind, features out of the box like dolby atmos, additional features from the OEM like gesture screenshots, scrolling screenshots and a lot other features.
Let me know if I'm wrong in the comments.
Long-term custom ROM user here.
Regarding security: as always, it depends on your threat model. If you fear a government actor getting access to your phone, a locked bootloader won't slow them down.
Regarding privacy: I've had both VPN logs and external Wireshark running against traffic going in&out of my custom ROM phones & sometimes I still do it for fun. If you know what you're getting into (e.g. LoS still using some Google services) then a Custom ROM usually holds far fewer surprises than some questionable OEM ROM (and which is terrifyingly scarce regarding changelogs while still having OTA update power).
tl;dr: stick with well-known ROMs & you get ... not the best of both worlds ... but a "good enough" of both worlds.
- If you're going custom ROMs, always go with an official custom ROM. Go with a well - trusted one that is consistent with updates, not an official ROM that may be dropped at a moment's notice.
- Always choose devices that have long - term support and are consistent with security patches like the Google Pixels (5 years). Do not choose brands like Xiaomi as their lackluster updates mean that you will receive late security updates, and proprietary drivers for the components in your device will go out of date in 2 years. Your phone will be insecure and cannot be made secure when those 2 years end.
I just flash LineageOS even when the device is currently supported by the OEM. I buy the hardware from them, not the software.
Edit: Like, the vast majority of actual custom ROMs users are either using Pixel Experience or LineageOS, there are a bunch of other ROMs, but those are mostly "purpose built" for enthusiasts of what they offer. Like, GrapheneOS is for security reasons, and things like that.
There is a bit of headache installing custom ROMs, but once you install it, it is usually pretty stable. Also, I don't get the locked vs unlocked bootloader thing in regards to security. The device is stolen and outside your hands, it is doubtful that a thief would go through the steps of flashing a ROM, but wouldn't be smart enough on how to make the device unusable if it had a bootloader locked. Either way you are screwed.
If the bootloader is locked it won't let the theif bypass the screen lock delay. This will make it much harder if not impossible to get you data. They will have to factory reset it to make it of any value
On the other hand if it isn't locked they can just boot into a brute forcing program and brute force you pin. They also could modify the os since it isn't encrypted. The modification would collect your pin for later or could be full malware that sends data to them over the internet
Yeah, and thieves are definitely going to use your data rather than sell it anyway
Its hard to say what an advisary can do or what they are. I want general protection a wide range of threats
I understand there are use cases that require high security, like a whistleblower. But at the same, security is about minimizing risks that are likely to happen, you pay attention and obey traffic laws, you don't stay inside your house forever fearing a car accident.
True but I don't want to have to concern myself with what happens if I lose my device.
I want a basic level of security
I flashed a custom ROM even before the first year of life of my device and never looked back 😅
I picked my current device for it to be compatible with a custom ROM
I just use lineage os and its nice. I don't use google stuff so I run mostly stock
/e/OS is a fork of lineage os and replaces google play services with microg and open source apps annnd it doesn't break safetynet