It may not be for Google phones but I fully believe the researcher is correct with the basis of the article. I have the Galaxy S8 (locked to a US carrier) and updates are a shitshow. Extremely high impact vulnerabilities (such as BlueBorne) were patched over a 3-month period to the world. Interestingly enough, you can't even fully blame the carriers because a lot of the time Samsung's own unlocked version gets updates last...
Security is the reason why I switched to an iPhone.
Updates are guaranteed and encryption is second to none.
I had tons of fun “encrypting” Android on my Milestone and Samsung Galaxy S2 but it was just a show, and things really haven’t improved since then even on Google devices.
Heck, after doing proper analysis of ARM TrustZone and getting first-hand access to some of the trustlets the industry uses to facilitate HVB, encryption and other security features on ARM devices, there is no way I’m touching them again if I can avoid it.
As for security patches, even a Google device isn’t a guarantee of updates, as if you buy one through a carrier they are responsible for the updates, which is something I found out with the original LG Nexus (5?).
Even flashing a Google clean ROM didn’t help getting OTA updates since it seemed they were checking the IMEI.
After the letdown which was the OnePlus One it was iPhone all the way.
Well, the mentioned analysis app the researchers placed on the Play Store is potentially quite useful. If Google will "bless" it -- can we at least have a link to a copy of their statement as posted securely on their own domain?
The Android ecosphere particularly with respect to security is a really good case for the appropriate use of the word "clusterfuck".
And even once a user is aware their phone may not be up-to-date, it's not easy for them to determine this nor what they are missing.
So, why not at least give users a good overview of this? Turn them into a more informed consumer?
Thank you for that. I see it requires non-standard access to the OS.
What I meant was, to see Google endorsing it -- on their own site(s). Even if/where they do, obviously in its current state the app won't be functional for the average user.
Sorry, I didn't read further in before making my comment.
Regarding that, it would be useful if Google provided or enabled such a tool for the average, locked-down user to review the exact state of their Android OS (less carrier specific modifications) and updates to same.
I switched away from Android phones in the "Stagefright" aftermath. My device was only three years old but the only response to my requests for an update was "Get a new device". So I did.
As I understand it you generally have 5 years for hardware and software support with software requiring that you upgrade to major versions as they're released for continued updates. Perhaps someone can share a link or provide better details for software support/EOL info?
As an ordinary consumer using my phone, how would I know when it's going to become unmaintained and I'll need to buy a new phone (if I want to continue having security maintenance)?
This is one thing I think Linux distros could do better: not just advertising upgrades to the next release, but warning when the current release is (soon to be) no longer maintained.
They don’t announce it, but based on their current cycle, which has been going on for at least 5+ years, they drop support for an “A” chip every year. Currently the last chip to lose support was A6, so you should get about five years out of an A11.
I have a few WP devices that had more updates than all my Android systems together.
Until Google really starts forcing the OEMs to provide updates, nothing will change for the regular users.
Treble is not the solution, as the OEMs are the ones that should provide the updates and certification is only required if devices are actually shipped with 8.0.
Of course technically inclined users will just root their devices, assuming they are willing to trust random downloadable firmware blobs.
Last year I got a brand new 32GB SE from Walmart for $140, locked for a year of $25/month minimum usage, although I'm just using it as an iPod touch replacement, i.e. not using it as a phone or paying monthly.
Even assuming you meant Librem, where can I buy a Librem device? After sending the money, I have a tolerance of 21 days until holding the device in working condition in my hand. Any offers?
Are you kidding? Maybe the earlier Samsung phones, sure. But ever since the Galaxy S6, Samsung phones with Snapdragon CPUs (i.e. all the US models) have had locked bootloaders that are notoriously difficult to circumvent. Pretty much all custom ROM development on recent Galaxys is aimed at the international Exynos-based processors for that reason. The GS8 even takes it one step further, where if the phone detects it has been rooted, it will cap the battery at 80% charge.