Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Sadly I don't think Android as a platform is less secure. but still, in comparison to iOS (the common comparison) or desktop platforms. Most phones stops getting security updates earlier than the other platforms.

I had a Nexus 4, Nexus 7, Nexus 5X. All which should get top notch security updates. stopped where other platforms kept getting updates.

Just a few days ago I saw on HN some great news for Android (https://news.ycombinator.com/item?id=23692257). but again, this isn't a security update. It a broader security improvement equivalent to a major update on other platform.

While my 1st iPhone SE will get iOS 14, my Nexus 5X is still on Android 8.



> While my 1st iPhone SE will get iOS 14, my Nexus 5X is still on Android 8.

Google has improved this in the Pixel line, with three years of updates. https://support.google.com/pixelphone/answer/4457705

My original Pixel (2016) received Android 10 last year. That's pretty good.


Three years of updates is better than it used to be, but iOS devices average around five years of support, and I'm not sure that's enough either. Hardware devices should receive security updates until they start physically failing.


The original iPhone SE is about to start it's sixth year of OS and Security updates.

That's less than $70 per supported year.


> Hardware devices should receive security updates until they start physically failing.

That's just entirely unreasonable. I recently dug my original iPhone (now 13 years old) out of a box and it still works fine, but, you can't expect Apple or Android to support 13-year-old devices.


Consider that Windows 10 still runs on some 13 year old devices. macOS supports devices almost eight years old. That's MUCH longer than the average mobile support period. Desktop/laptop users can also switch to Linux after the support period ends to extend the life of their hardware further.

If mobile vendors can't do that, then they should limit support to the expected life span of a the battery under average daily usage conditions, starting on the date that device sales are discontinued. That's certainly less than 13 years.

Alternatively, the manufacturer could just unlock the boot loader after the official support period ends and provide the community with the resources they need to support the device.

Some people will continue to use their device until it is no longer functional. Either they can't afford frequent upgrades, or they're trying to reduce electronic waste, or whatever. It's wrong to strand those users on an unsafe platform.


It is reasonable to not support 13-year-old operating systems but there shouldn't be any reason current operating systems can't support old devices. Certainly Linux based operating systems manage to do that.


this is exactly why Apple still rock at phones

you may choose Android for the specs, guess what, your phone will still get deprecated in 2 years


Hmm. My $170 phone from the middle of 2014 is still working perfectly and shows no signs of being "deprecated". Every application I use gets frequent updates, including the browser. I don't have to worry about targeted attacks (as I am not a billionaire/movie star/CEO of a large company/whatever), and a new shiny iPhone won't help with those anyway. µBlock Origin (with JS disabled on most sites) protects me from everything else.


Yeah the security patches are still worth thinking about. There was a Media Framework bug that needed nothing but a PNG on your phone to get RCE and there was a bug with the bluetooth stack this year which also could achieve RCE when your bluetooth was turned on and an attacker knew the BSSID

PNGs are easy to send and in times of Contact Tracing via Bluetooth... well there are certain risks to running unpatched


Apps may be getting security updates, but when was the last time that the version of Android it's running was patched?


Isn’t that the point though? Your phone works perfectly, shouldn’t it still receive OS updates?


Didn't we recently learn that only Android 10 prevents background apps from constantly watching the contents of the clipboard?


For a lot of folks, especially those at Hacker News, that is totally fine. It is interesting how people's perspectives change when it comes to defending their choice. So in this case, yeah Android seems secure but what happens after 2yrs - even though that point doesn't apply to them. Call out what is important to you vs. just talking about averages.


I’m on hacker news and I care about the environment. I don’t want perfectly good hardware going in to landfill.

Apple supporting their phones for 5+ years is good, and they should be commended for doing this, but we should be introducing laws to make sure all manufacturers are doing this to a reasonable level.


Aside from gaming, which isn't prevalent aside from casual games in NA and EU to my knowledge, I'm not sure what someone may possibly need it's phone for where something like a S7 (a bit more than 4 years old) isn't largely sufficient. Not a diss on Apple, I think the iPhone 5 is vastly better than circa-2012 Android phones, I just disagree with the premise of throwing phones every 2 years as being remotely necessary (perhaps until the next paradigm shift in computing/web/mobile usage where current tech starts to be too sluggish).


Yeah but in the context of security your point is moot. No more updates means no more security patches, right? Throwing phones away every two years is of course not necessary, an Android phone from 2012 is probably perfectly usable - yet horribly insecure.


Yeah I could have amended about security, but I was replying to a comment about specs and Android phones being deprecated after 2 years, which I don't interpret as being security-related.


Fair enough, I was thinking in context of the overall thread. Cheers


I had an S3 from launch for ~7 years before switching, and it was completely unusable by the end. Most websites and big-name apps halve in performance every 18 months or so. Doesn't help that your battery will be on its last legs by then. 2 years is definitely much more often than required, but until ad-tech corps and web developers call off the assault, we're stuck on the phone treadmill to some degree.


on Apple’s case, means good app experience for the users and the developers. for example, SwiftUI comes to iOS 13 or later. If most devices were to be left off without updates(which is the case with Android) most developers would be hesitant to pick up the newer shiniest technology. apps on android still tend to be ugly and old fashioned. sure, there’re exceptions but generally apps on iOS are fresh and consistent probably because developers can depend on the users having the latest platform.


Thus LineageOS (for those who want droid), or in the future postmarketOS (for those who don't care about app support).

No, neither of these support all android phones, but they each support several.


So many phones can't install those, though. Like every single US Samsung model.

If we had a law forcing phone makers to unlock bootloaders once support ends, then we could talk.


> So many phones can't install those, though. Like every single US Samsung model.

Unfortunately true. If you were going to want to use either of these you would have to purchase a phone specifically for it. The only reason I brought these up was the parent comment implying the purchasing of phones anyways.

> If we had a law forcing phone makers to unlock bootloaders once support ends, then we could talk.

Honestly, this would be amazing. This is one of the reasons I haven't purchased a phone yet, and am waiting on the PinePhone to become a viable daily driver.


I'm a long-time fan, but Lineage breaks the Android security model - knowingly.

Other AOSP variants are more secure by an order of magnitude.


> Lineage breaks the Android security model - knowingly.

That's gonna be a big nope from me then. I was unaware of this, thank you for bringing it up.

I've been mostly unsuccessful trying to find other android variants that appear to still be maintained, would you mind pointing me towards one? I'll probably still wait for the PinePhone, but I'd like to stay knowledgeable on the subject.


GrapheneOS might be something you like.

https://grapheneos.org


Thank you, this is super interesting and may well wind up being something that I wind up using in the future.

I noticed that it only officially supports the Pixel devices.

I've always avoided the Pixel devices because I assumed that the firmware was closed source and therefore a privacy issue, especially coming from google.

However, the FAQ states "These devices meet the stringent privacy and security standards and have substantial upstream and downstream hardening specific to the devices."

Am I mistaken about the Pixel drivers being closed source? If not, how is this statement verified?


The author doesn't mean that the drivers are open source. It's impossible to have a device with all drivers open sourced at the moment, hence the Pinephone. From the "supported devices" faq:

"Devices need to be meeting the standards of the project in order to be considered as potential targets. In addition to support for installing other operating systems, standard hardware-based security features like the hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. Devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios (NFC, Wi-Fi, Bluetooth, Cellular), media decode / encode, image processor, etc., because if the hardware / firmware support is missing or broken, there's not much that the OS can do to provide an alternative. Devices with support for alternative operating systems as an afterthought will not be considered. Devices need to have proper ongoing support for their firmware and software specific to the hardware like drivers in order to provide proper full security updates too. Devices that are end-of-life and no longer receiving these updates will not be supported."

Source: https://grapheneos.org/faq#device-support


Thank you for the info and being so responsive to my questions. Sorry if I'm slow, this is outside of my normal range and my duckduckgo-fu is weak on this subject.

I saw this part of the faq, but it was a bit beyond my comprehension.

This is an extremely interesting topic to me however, could you point me toward where I could do better research on the topic? I'll keep looking around myself and post something here if I see it for anyone else who's interested.


Asking questions is not a sin. I will endeavour to answer where I can. :)

I'm no expert in this area myself (read as I've been educated by the internet and been too lazy to dig deeper), but I hope this reddit thread[0] leads you to some answers. Daniel Micay is the author of GrapheneOS, formerly CopperheadOS.

[0]: https://www.reddit.com/r/GrapheneOS/comments/bddq5u/os_secur...


Thank you :)

This link does seem like a good place to start, thank you much.


+1, this all day, over Linux phones with dubious security models/hardware switches that just delay exfiltration if it's going to happen on a non-verified boot device.


In what way does Lineage break the Android security model?


> deprecated in 2 years

They get security updates for 3 years (longer for enterprise devices). System libraries and builtin apps such as browser are updated via play store indefinitely.

But how many people _really_ use a phone more than 3 years?


Anecdotally, most of the older folks I know will use hardware until it disintegrates because they don't use many apps and "it still works." I've seen a seven year old iPhone 5C in the wild.


I totally agree.

Pixels are getting better, and Samsung flagships are getting their OS updates for 2-3 years and an additional 2 for security patches. That is.. barely good enough in my eyes.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: