
> expect to use it for 5+ years. I seriously doubt that there are any Androids out there that could get even close to that.

Every Android phone I've had has lasted that long or longer. If I got less than 5 years out of any smartphone, I'd consider it faulty.



You must have gone without security or other OS updates then, which I would consider a deal breaker with a phone. Google only recently extended the Pixel OS support timeline to be on par with Android.


Yes, I don't care about getting updates. If they're important to you, that's fair.

But the phones don't suddenly stop working without updates. They're still perfectly fine.


> Yes, I don't care about getting updates. If they're important to you, that's fair.

Hardware devices with embedded software couldn't get updates (or was a difficult job so didn't happen) until somewhat recently. It is unfortunate that the ability to do updates is used as a crutch to ship faulty software that then needs updates. A phone shouldn't ever need an update in its lifetime if it was properly built in the first place.

I only recently stopped using my Motorola cellphone from 2005 (only because they decommissioned the towers). It never received any update in 17 years. It also never needed any.

I would like to buy devices with that level of quality today.


Well, yeah, and I'd like a pony. The main issue is security updates. I'm guessing you weren't accessing things like a banking app with highly sensitive financial data on your 2005 Motorola.


> I'm guessing you weren't accessing things like a banking app with highly sensitive financial data

Anyone who has done any serious threat modeling exercises would never ever do that from a 2023 phone (I'm fully aware many people do it regardless).


Yet somehow millions of people do, and I'm not aware of a single banking app breach caused by a zero-day device flaw.

This advice to not use a 2023 phone is just plain silly. I'm not saying it's 100% locked down, but neither is going to a bank branch and talking to someone in person.


So what phone do you recommend for someone who is looking for a new phone?


If security is a concern, getting a newer Pixel and installing GrapheneOS is your best bet. It's still not perfect and nothing beats just not having a cell phone, but that's a choice very few are okay with today.

The trick with GrapheneOS, or any privacy setup, is that it requires attention to stay reasonably secure. The OS won't matter if you enable Google services and install apps that track and sell all your data.


Ah yes, Android is perfectly secure as long as you install an aftermarket OS, and then don’t install Google services or any Android application which uses Google services (all of them).

Or you could just use the brand that gives 6-7 years of OS updates and 10+ years of security updates out of the box…


I would 100% use iOS if I preferred to keep a stock OS and needed those apps.

I just don't need that in a phone and am totally fine with the limitations of a degoogled device.

I don't recommend that for most people. I was simply responding to a question of what device to consider with regards to privacy/security. I even tried to include caveats that it isn't right for everyone and had real tradeoffs.


You were specifically asked what you would recommend to someone looking for a new phone, and you said a degoogled phone.

Now you say you don't recommend that for most people?

Which is it?


> If security is a concern, getting a newer Pixel and installing GrapheneOS is your best bet. It's still not perfect and nothing beats just not having a cell phone, but that's a choice very few are okay with today.

> The trick with GrapheneOS, or any privacy setup, is that it requires attention to stay reasonably secure. The OS won't matter if you enable Google services and install apps that track and sell all your data.

Not sure how I could have been more clear here, I literally started by saying "if security is a concern". I stand by that, if security is a concern I would not use an iPhone or stock Android. I also stand by the assumption that for most people security isn't a concern.

So yes, I wouldn't recommend graphene for most people but I would recommend it to anyone both concerned about security and willing to sacrifice some functionality and convenience (both caveats in my original post).

You make it sound as though I changed my recommendation or story half way through. If that's your opinion, please do me a favor and point out specifically where I walked it back or contradicted myself.


What about the Exynos RCE bugs? Now that they are patched they are secure again or how is this supposed to work? What about the intentional backdoor unearthed in the Pixel phone (the SIM swap thingy)? Who was that for?

My problem is, as a user, whose expertise is not 100% security, how can a layman decide which device to trust? Trust the neighbor, trust the expert who thinks he is an expert, but doesn't see his own limitations, trust the newspapers parroting whatever they find (or their security advisor), trust the marmots or trust the looks, because you don't know what the silicon does. You might know one domain, but not multiple ones, like you might know the IT domain, but don't know the underlying physics domain, so you might think the phone is secure in the IT domain, but since you don't know jackshit about the physics, you have to again rely on someone's advice.

The iPhone is locked down tight, even security experts have complained in the past because analysing the core internals is cumbersome. But that's a double edged sword, when you can't even get basic info about phone's status without resorting to some hacking shenanigans.

Any way to know your firmware has not changed? How come there are zero tools for the layman to verify the status of his device? You don't know whether your USB's firmware is intact, whether your motherboard is a-ok and the list goes on.

According to newspapers, it is/was the panacea of security (iPhone), yet sec bugs after sec bugs are coming out all the time. You don't even have complete control over the phone, since the software switches (like wifi) are not actually disabling the wifi circuitry.

How come banks are sitting on ancient systems and are seemingly fine?

Should you trust Zerodium's bounty prices, should you trust exploit brokers? (they ought to see what's an emmentaler right?)

Encrypted secure phones? Look how many criminals got caught, by putting their trust blindly into something, that someone parroted about how secure that is.

GrapheneOS says they are secure, but where are tools that show you that yes we do this and that and that solves these kinds of attacks, thwarted these attacks in the past, demonstrated?

Or should I go with an old BlackBerry? What about this article? https://www.theverge.com/2016/4/14/11434926/blackberry-encry...

Should you consider Mikko's advice? Use a phone that is made by a country, whose intelligence agency is not a threat to you? But how do you know that a phone, which is made in X country is actually controlled by that country's IA? And how do you know which IA is not a threat to you? :DDDDD Do you even have to fear against a nation state's capabilities or since they have unlimited budget you are fucked when you somehow get in their crosshairs?

It's like flipping a coin, putting your trust into someone's solution blindly.


Hardware devices with embedded software used to be air-gapped.

As soon as phones got Bluetooth, you got Nokia Bluetooth viruses that would spread via public transit, and you had to go to a service center to fix it since it wasn't designed to be updated.

Even in the days of "software was complete on launch", security was absolutely abysmal and we just relied on most people being honest.


Yeah, saying "embedded software used to be complete and final back in the day" is such a rose-colored glasses take. When I was a kid we could occasionally pick up car phone (that's what we called cell phones back then) conversations by changing to a particular channel on the TV.


> But the phones don't suddenly stop working without updates. They're still perfectly fine.

Only if "perfectly fine" means filled with security vulnerabilities and open to dozens of working exploits.


It's not like flagship Android phones are cheap. They cost just as much as iPhones with much worse support.

I agree if you are happy with non-flagship Android phones. Those are a bargain.


Why do you say "with much worse support"? That's not the case anymore, at least for Pixels.


Because it’s true?

The Pixel 6a will get 3 years of updates and 5 years of security updates. On a phone that was released 12 months ago.

So it hasn’t been tested yet. Plenty of time for Google to renege on that.

The Pixel 6a is at least a cheaper phone. But the Pixel 7 are flagship prices for the same support.

iPhones have been getting this level of updates since almost day one. The last iPhone I ran into the ground was a 6 and that had 5 years of OS updates. iOS 8 through 12.

My current XR has been getting updates for almost 5 years and will get iOS 17. So at least 6 years of updates?


When I got my last Pixel Google were giving 3 years of security updates. I bought it one year after release. For an average consumer doing the same thing they would have had an unsecure doorstop with very low resale value after two years. Should be criminal.

I installed some ROM and kept it alive (not by far as secure as using an iPhone, of course).


To add to this, Apple is still adding security patches for iOS 15. That reaches all the way back to the iPhone 6s, released in 2015, eight years ago.


This is exactly why I own an iPhone. I don't even personally like Apple as a company. I don't like Mac computers. There are things that really irritate me about iPhones, but I use them anyway because of how long they get updates for.


My son's now 4 year old Samsung S10-5G (my old phone) is still getting updated. It is a flagship phone, the first with 5G - will be interesting to see how long they do it.

Google and Samsung appear to be on the same page; I think the front runners in the Android world are a lot better than some would like to give them credit for.


The phones do stop working properly, e.g. Unicode doesn't work, and unsupported Android OSes are no longer developed, not to mention security updates.

It's risky, especially in today's world where financial information is stored endlessly on a cell phone. 5 years+ for iPhones make a very nice deprecation curve / alongside a viable resell market. It's nice to sell a 2yr old iPhone for 70-80% of its purchase price and then buy a new one and not have to worry about anything for another 5 years.


I hope you don't do banking or anything critical on your phone.


I certainly don't. Security updates or not, I don't trust my smartphone with anything of critical importance.


If you only buy devices with LineageOS support, you can continue to get updates for a very long time. I would not want to be at the mercy of the manufacturer for the software.


LineageOS is great, but they can’t fix security holes in device firmware, which includes the graphics libraries which are available to every app.

With LineageOS you get OS updates (great!) but are still vulnerable to exploits that target binary-only firmware.



