New phone: custom ROM, and root in 2025

After an 8-year streak, I swapped my phone. Requirements for the new model were tight: powerful for years to come, not overpriced, and the ability to install a custom operating system.

The breathtaking colors of the new OLED display.

The hardware choice

Initially, the list of candidates was disturbingly short: only the Pixel phones qualified. They come at a premium, but last year's models (Pixel 9 line at the time of writing) were at an acceptable price. At the last minute, LineageOS support for OnePlus 13 landed together with the Black Friday deals. That flipped it from “nice hardware, but locked to vendor OS” to “long-term viable”. It outperforms the Pixel in raw CPU+GPU by a wide margin, undercuts it budget-wise, and its Snapdragon platform is traditionally more open-source friendly than Pixel's Tensor. So, OnePlus won.

Why custom OS?

If installing Linux over Windows on a PC to get more breathing room rings a bell, then custom ROMs are a similar concept for phones. Custom ROMs are built from the open source parts of Android (AOSP), providing the bare essentials—even the Play Store is optional. A custom ROM is community maintained and usually supports the device long after the manufacturer has moved on. For example, my old phone started on Android 7, with the manufacturer's official support ending in 2020 on Android 10. In contrast, the LineageOS distribution for the same device is still alive with Android 15 today (at the time of writing).

A minimal installation. Ready to load hundreds of apps from backup.

Finally, installing a custom ROM opens the device to endless customization. Because the ROM is open source, you can directly change or contribute to the code. You can also get access to the root account (administrator), which you normally don't get. Typical uses are non-cloud backup/restore apps, firewalls, system-wide ad-blocking, and fixing annoyances that aren't mainstream enough to drive vendor response.

The question of safety

I have been installing custom ROMs on Android phones for quite a while. While things could get a little flaky in the past, the days of being nervous while flashing firmware are gone. If your phone is supported and you follow instructions carefully, you are miles away from damaging the phone.

In the past, some manufacturers tried to play the warranty card. If you have tampered with the software and then the power button falls off, it's your fault, no questions asked. In the EU, this stance is much weaker than it used to be: the burden of proof is on the manufacturer to show that the software changes caused the hardware defect.

Some things can break though: various apps refuse to work when they detect a custom ROM or root, or in general when the device fails “attestation”. From what others say, these mechanics are sometimes employed by “sensitive” apps such as payment or banking. But for me, the reality is that money apps are completely fine, while random meaningless things such as collecting points for shampoo break.

Sometimes, security compliance teams take a shortcut in thinking that “custom” means “insecure” and that attestations such as Play Integrity are meaningful approximations for real risk. That's not necessarily true, and it leads to bad security design: if you assume an attacker has complete control over the client's device, your resulting security is robust: proper server-side fraud detection, hardware tokens, etc. On the other hand, if you blindly trust the device just because it reported itself as safe, you could be placing all your eggs in the wrong basket.
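The design argument above, as an added example that is not part of the original post: a server-side payment check in which the device's attestation verdict is only a weak signal, next to the anti-pattern that uses it as the sole gate. All names, fields and thresholds are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentRequest:
    amount_eur: float
    known_payee: bool            # server-side record: account has paid this payee before
    recent_transfers_1h: int     # server-side counter for this account
    client_attestation_ok: bool  # verdict relayed via the client: advisory only
    token_verified: bool         # hardware-token response already verified on the server


def authorize(req: PaymentRequest) -> str:
    """Return 'allow', 'step_up' or 'deny' from facts the server can check itself."""
    risk = 0
    if req.amount_eur > 500:           # constructed threshold
        risk += 2
    if not req.known_payee:
        risk += 2
    if req.recent_transfers_1h > 5:    # constructed threshold
        risk += 3
    if not req.client_attestation_ok:
        risk += 1                      # weak signal, never a gate on its own
    if risk >= 7:
        return "deny"
    if risk >= 3:
        # Elevated risk is settled by a factor the device cannot fake for the user.
        return "allow" if req.token_verified else "step_up"
    return "allow"


def authorize_trusting_device(req: PaymentRequest) -> str:
    """Anti-pattern: the device's self-reported verdict is the only control."""
    return "allow" if req.client_attestation_ok else "deny"


# Constructed sample requests.
CUSTOM_ROM_USER = PaymentRequest(20.0, True, 1, False, False)
COMPROMISED_BUT_ATTESTED = PaymentRequest(4000.0, False, 8, True, False)
CUSTOM_ROM_WITH_TOKEN = PaymentRequest(900.0, False, 0, False, True)

if __name__ == "__main__":
    for r in (CUSTOM_ROM_USER, COMPROMISED_BUT_ATTESTED, CUSTOM_ROM_WITH_TOKEN):
        print(authorize(r), authorize_trusting_device(r))
```

The device-trusting variant blocks the harmless custom-ROM payment and waves through the high-risk one that happens to carry a passing verdict; the server-side variant does the opposite.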

The good, the bad, and the ugly

Is newer always better? There was a definite upwards trend in the first decade of Android. Phones got bigger, more powerful, and integrated more hardware. The Android ecosystem was maturing: features got in, SELinux was stabilized, there was a lot of community support, and the system was power-user friendly. Subjectively, the peak came around version 9 (Pie). Android 11 still felt like the same OS with more polish. After that, the dessert branding changed and so did the direction.

From Android 1 to 16.

The changes of roughly the past 5 years are a mixed bag. The hardware still keeps getting bigger and more powerful, but some things got axed too. Headphone jack gone, notification LED gone. Feature updates seem to be more scarce: yes, there is the odd feature, but my feeling is that Android is mostly dumbing down. For example, take the extended notification controls. I agree they can be a problem when they get out of hand, but maybe it's better to set them up in a manageable way or use sane apps in the first place, rather than having to “force disable” or “burst control”?

And finally, the ugly. For one reason or another, manufacturers and vendors are not embracing openness as much as they once did. The open source community that once thrived is becoming increasingly threatened by things such as Play Integrity and the developer decree (restricting independent developers outside the official store model). On my new device, PI refuses to give any positive verdict at all, despite the same setup working on my old phone. That's where “ecosystem policy” stops being abstract and starts removing real-world functionality. We live in interesting times.

Overall, I am happy with my choice. It hit one of the sweet spot islands that exist. I have bought a phone for its real strengths—camera, display, SoC. It came with a bit of nonsense that I promptly patched over. I learned a lot about the latest developments in the ecosystem. And I'm curious to see how the situation changes next time.