If you want to use a phone for 5-6 years while retaining a decent level of security, buy an iPhone XR. You don't have other options. Please stop using insecure old Android phones and don't bother pretending that ROMs unable to ship full security updates change that situation...
The same boat. Neither device had competitive security features on release. LG G4 is end-of-life and doesn't have full security patches anymore, no matter which ROM you choose. AOSP security updates only provide a subset of the security fixes, not all device-specific fixes.
Huawei P20 still seems to receive security updates but not at the proper monthly schedule and likely only with the mandatory fixes rather than all recommended ones. Security is about far more than just fixing bugs but these vendors can't even get that done properly. It's a joke.
Interesting. Ty for your input. So where could one do these recommended fixes themselves? In the phone develop settings somehow? Or has to be done by the company?
For closed-source components, it's only realistic for the companies producing the software to properly maintain it. It's possible to make binary patches, but it scales very poorly to more complex issues and simply isn't a viable way to maintain software in the long term at all.
For the low-level firmware, there's signature verification and downgrade protection. Similarly, peripheral components (as in separate from the SoC, like Wi-Fi) are supposed to do the same for their own firmware. It wouldn't make all that much difference if this wasn't the case.
There are many device-specific components that are open source including the entire kernel and all the kernel drivers. However, no one is taking that over and porting the entirety of the drivers forward to a still maintained LTS kernel branch. It's a huge amount of boring work...
It's unrealistic to expect a community to take over maintenance of projects with millions of lines of code that are essentially obsolete. It isn't happening. At most, people do some minimal hacks to keep things mostly working. They don't take over security and other maintenance.
It's certainly possible to take over that maintenance and fully rewrite all of the closed source userspace components of the drivers. Not much can be done about firmware, so it would be important to keep all radios disabled and there would be major holes in the security model.