
> I don't want a secure boot warning message if a firmware is running that I flashed on the device, I want it visible when someone else placed a manipulated firmware on it.

And how exactly do you propose achieving that, when that someone else might have tampered with the phone before you got it?

The goal of Google's security architecture is that a dodgy phone seller/repair shop can't pre-root the phone and siphon all your private data to Mr Evil unless they have access to a silicon fab to remake the main CPU with a new trust root.



> And how exactly do you propose achieving that, when that someone else might have tampered with the phone before you got it?

Wipe the device as a condition of unlocking the bootloader root trust keyset. Easy, and more secure than any classic x86 UEFI bootloader. That gets rid of the threat of dodgy repair shops.

The only issue will be manipulating devices before they're sold the first time, but tamper-proof packaging resolves that.


Tamper-proof packaging is a poor replacement for a first-time boot replacement warning. Not to mention the sheer impracticality of properly implementing tamper-proof packaging (the factory would have to cover the packaging in shiny nail polish or something, encrypt and send a high-res picture of that somehow to the final buyer across the supply chain, at which point the final buyer makes sure the glitters align). Much better to do it the way it's currently done.


If a repair shop wipes someone's phone they'll be pissed, but they aren't going to throw out the phone. As soon as they get back that phone they'll reinstall all their apps and log back into all their accounts, and any malicious firmware added by that repair shop will wreak havoc.

I 100% agree that we should have ways of getting rid of these warnings on our own devices, but this isn't a simple problem.


> If a repair shop wipes someone's phone they'll be pissed, but they aren't going to throw out the phone. As soon as they get back that phone they'll reinstall all their apps [...]

This depends on whether consumers are made aware that a repair shop that "accidentally" wipes your phone might be trying to steal your bank account etc.

While education is difficult, the consumer has an advantage in this scenario because the event itself is impossible to miss and very disruptive and could lead them to start searching on the internet for advice.


Apple frequently tells customers that their data would be wiped if they send their devices in for repair; I don't see why customers would challenge a repair shop's assertion. It doesn't seem implausible either!


I guess the lesson is/would be less "all resets are signs of nefarious intent" and more like "if it seems reset, always reset it again yourself to be safe."


Or maybe just have the phone tell you it’s been tampered with?


Depends on what "wipe the phone" means. That could involve clobbering early-stage bootloaders and firmware on daughter microcontrollers - the kinds of things that can only be replaced through JTAG and a good bit of tribal knowledge. It doesn't stop the most sophisticated attackers, but it certainly would disincentivize a large-scale attack of this variety, especially when you consider the wild variations that exist between Android phones at a hardware level.


> And how exactly do you propose achieving that

A signed-by-google first-stage bootloader could display a message warning the user before handing off to an unsigned second-stage bootloader.

> The goal of Google's security architecture is that a dodgy phone seller/repair shop can't pre-root the phone

I'm curious how big a problem this was with refurbished second-hand laptops that often come with a pre-installed OS. At the very least, I have the freedom to reinstall Windows/Linux.

We need to find real solutions to the e-waste problem; it's unacceptable to be throwing away so many working phones simply because their manufacturer has decided to stop publishing OS updates after 2/3/4 years. I own a few older computers that are almost a decade old and run the latest version of Debian/Ubuntu. There is no reason phones should be treated any differently.
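The two mechanisms argued about above (a wipe as the price of unlocking the trust root, and a signed first-stage loader that warns before handing off to an unverified second stage) can be modelled as a small state machine. The following is an added example written for this thread, not code from any commenter, from Android's bootloader or from AOSP; it uses an HMAC under a constructed ROM key as a stand-in for the asymmetric signature a real first-stage loader would verify, so that it runs with only the standard library, and the device state, image bytes and user data are all constructed inline.

```python
"""Toy verified-boot chain with a lock state.

Models three rules from the discussion:
  1. the first-stage loader only trusts a second stage that verifies
     against the key it carries;
  2. an unverified second stage boots only if the device is unlocked,
     and then with a visible warning;
  3. unlocking (or relocking) the bootloader wipes user data first, so a
     repair shop cannot unlock the phone and keep the owner's data.
Assumption: ROM_KEY + HMAC stand in for the public key + signature a
real device uses; everything here is constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed trust root burned into ROM/eFuse (constructed value).
ROM_KEY = b"constructed-rom-trust-root"

BOOT = "boot"                      # verified: boot silently
BOOT_WITH_WARNING = "boot-with-warning"  # unlocked + unverified
REFUSE = "refuse"                  # locked + unverified


@dataclass
class Device:
    locked: bool = True
    userdata: bytes = b"photos, banking session tokens"  # constructed


def sign_stage2(image: bytes, key: bytes = ROM_KEY) -> bytes:
    """OEM-side step: produce the tag the ROM key will accept."""
    return hmac.new(key, image, hashlib.sha256).digest()


def stage2_is_trusted(image: bytes, tag: bytes) -> bool:
    """First-stage check. Constant-time compare against the expected tag."""
    return hmac.compare_digest(sign_stage2(image), tag)


def unlock_bootloader(dev: Device) -> None:
    """Changing the trust policy is conditioned on wiping user data."""
    dev.userdata = b""
    dev.locked = False


def relock_bootloader(dev: Device) -> None:
    """Relocking is the same transition in reverse and also wipes."""
    dev.userdata = b""
    dev.locked = True


def first_stage_boot(dev: Device, image: bytes, tag: bytes) -> str:
    """Decision the signed first-stage loader makes before handing off."""
    if stage2_is_trusted(image, tag):
        return BOOT
    if dev.locked:
        # Locked device, image fails verification: do not hand off at all.
        return REFUSE
    # Unlocked device: the owner (or someone with physical access) chose
    # this; boot, but show the warning every time.
    return BOOT_WITH_WARNING


def repair_shop_scenario() -> dict:
    """Shop unlocks a locked phone and flashes an unsigned second stage.

    Returns what the owner observes afterwards: their data is gone and
    every boot shows the tamper warning.
    """
    dev = Device()
    unsigned_image = b"constructed-modified-stage2"
    bogus_tag = bytes(32)
    before = first_stage_boot(dev, unsigned_image, bogus_tag)  # refused
    unlock_bootloader(dev)
    after = first_stage_boot(dev, unsigned_image, bogus_tag)
    return {"before_unlock": before, "after_unlock": after,
            "userdata_after": dev.userdata}


if __name__ == "__main__":
    print(repair_shop_scenario())
```

The point of `unlock_bootloader` wiping before flipping the lock bit is that the attacker in the thread's scenario gains an unlocked phone with nothing on it, and the owner gets a device that both visibly reset and warns on every boot; the `refuse` branch is what stops the locked-phone case without any packaging tricks.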


That's an easily solved problem. We already have the pre-boot warning. It fixes that problem just fine. Add a reboot on initial setup and make it scarier if you're just setting up the phone, and you'll be fine. A week after you've set up the phone there's no reason why you'd keep it.


> Mr Evil

Erm, it's Dr. Evil to you sir.



