• iiGxC@slrpnk.net
    ↑115 ↓2 · edited · 4 months ago

    /e/OS is android lol. Yes it’s better than the version of android that ships with phones by default, but grapheneos is still way better than e/os (even though they’re all android)

    • apfelwoiSchoppen@lemmy.world
      ↑48 ↓2 · edited · 4 months ago

      We need hardware requirements so that not just pixel phones can get grapheneOS. Giving in to Google hardware to escape Google software is a step I don’t want to take. I’ll take calyxOS or divestOS until then.

      • FutileRecipe@lemmy.world
        ↑19 ↓2 · 4 months ago

        We need hardware requirements so that not just pixel phones can get grapheneOS.

        GOS has strict hardware requirements to increase security that currently only Pixels meet. They won’t, and shouldn’t, compromise their standards which would give you a weaker OS. Want GOS on other vendors? Convince those vendors to up their hardware game.

      • EngineerGaming@feddit.nl
        ↑3 ↓1 · 4 months ago

        My main issue with Pixels is their price, even the Pixel A. They are completely unaffordable new, and only hit below $300 when they barely have any support yet (or are used). I don’t mind using an EOL phone because with short support like on phones it is unavoidable, but that would be after already overpaying.

        • orclev@lemmy.world
          ↑5 · 4 months ago

          Honestly the short 5 year from original release till EOL thing really fucking annoys me, but it’s literally every phone on the market. I’ve looked, it’s impossible to find a phone that doesn’t force you to replace it every few years unless you go to a plain dumb phone that only supports voice calls and maybe basic SMS with no apps. That’s just a nonstarter in this day and age.

          Even alternative Android firmware like GrapheneOS and /e/OS are dependent on the stock firmware releases by the phone manufacturer so when the manufacturer goes EOL and stops releasing updates your alternative installs also are effectively EOL.

          The only solution to this problem I’ve seen that seems like it has a chance is Linux Phone OS, but it still has several problems that make it unusable for most people (biggest one probably being that it provides absolutely terrible battery life).

          • EngineerGaming@feddit.nl
            ↑2 · 4 months ago

            I mean realistically you would not be replacing the phone just because it hits EOL, maybe if you’re wealthy and/or have a higher threat model.

          • helenslunch@feddit.nl
            ↑1 ↓1 · edited · 3 months ago

            Honestly the short 5 year from original release till EOL thing really fucking annoys me

            It’s 7 years now.

            Although Americans typically keep their smartphones for 2.5 years, according to Statista, so 5 years seems more than long enough.

        • iiGxC@slrpnk.net
          ↑3 · 4 months ago

          I would only buy a used one anyways. Even when they’re pretty new you can get good deals on swappa, even for new in box ones

        • helenslunch@feddit.nl
          ↑1 ↓2 · 3 months ago

          My main issue with Pixels is their price, even the Pixel A

          Have you priced out any comparable phones? They’re practically a steal at their discounted prices.

            • helenslunch@feddit.nl
              ↑1 ↓2 · 3 months ago

              I mean, that’s fine, but that absolutely does not make a $450 phone “completely unaffordable”…

              Most people around me carry $1k+ iPhones.

                • helenslunch@feddit.nl
                  ↑1 ↓1 · edited · 3 months ago

                  They’re not rich, they’re just stupid. They pay $25/mo or whatever for 80 years. It’s not wealth, it’s just shitty culture.

    • orclev@lemmy.world
      ↑15 ↓5 · 4 months ago

      Unfortunately the fact that NFC can’t be used on anything that’s rooted anymore is kind of a deal breaker. If I could use google pay and my normal banking apps with GrapheneOS I would switch to it today.

      • FutileRecipe@lemmy.world
        ↑18 · 4 months ago

        Unfortunately the fact that NFC can’t be used on anything that’s rooted anymore is kind of a deal breaker.

        NFC can be used on GOS, and they frown on rooting.

        If I could use google pay and my normal banking apps with GrapheneOS I would switch to it today.

        It’s due to PlayIntegrity API wanting a “Google certified OS,” which is ironically less secure than hardware attestation that GOS supports. I doubt Google would change their model, but your bank might. Some banks do support GOS, and they have changed at the request of their customers before. Send them the GOS documentation and you might get lucky.

        https://grapheneos.org/articles/attestation-compatibility-guide

      • noodlejetski@lemm.ee
        ↑13 ↓1 · 4 months ago

        not being able to use contactless pay does not equal “NFC can’t be used on anything”.

        • orclev@lemmy.world
          ↑1 ↓5 · 4 months ago

          Technically you’re correct, but it’s effectively the same thing since I’ve literally never used NFC for anything besides contactless payment and initial phone setup when migrating from an older Android phone to a newer one. For most people NFC is synonymous with contactless payment.

          • noodlejetski@lemm.ee
            ↑5 · 4 months ago

            it’s effectively the same thing since I’ve

            big detail. I connect my Sony XM4s to my phone with NFC multiple times a day. not to mention that you still can use Google Pay on rooted devices with some workarounds. not to mention that some bank apps don’t use Google Pay for contactless payments at all. I’ve been paying via NFC with my bank app on a rooted phone for years until they scrapped their own solution and adopted the GPay approach instead.

      • HelloThere@sh.itjust.works
        ↑9 ↓1 · 4 months ago

        Sorry, I don’t understand the motivation here, you want to not let Google spy on you via their OS, but are perfectly happy to give them your entire payment record?

        • orclev@lemmy.world
          ↑8 ↓1 · 4 months ago

          Not my entire payment record but certainly everything I use my phone to pay for. I’m willing to give Google some of my info as long as I’m in control of what info I’m giving them. Everything I do on my phone is too much. If a 3rd party offered a NFC payment app I’d happily use that over GPay, but until that exists GPay is the only option. Ultimately GPay is safer than using actual credit cards because it’s more resistant to skimming. The extra security outweighs the loss of privacy in this specific case. I’m not happy about that but there doesn’t seem to be a better alternative at this time.

          • dsemy@lemm.ee
            ↑6 · 4 months ago

            You know that if someone skims your card and makes a fraudulent purchase, you will likely be able to get your money back, right?

            What do you think will happen if someone exploits a 0-day in GPay to do this? How could your bank know the purchase was fraudulent? At least with a card it is obvious that this can happen.

            If you care about “secure” payments that much, why not use cash?

            • orclev@lemmy.world
              ↑2 · 4 months ago

              You know that if someone skims your card and makes a fraudulent purchase, you will likely be able to get your money back, right?

              Sure but it’s a major pain in the ass. Every time it happens I have to cancel my current cards, request a new one, find all the services I’m currently paying with the now cancelled card and update them to a different card while I wait for the replacement, and then maybe remember to swap them back when the new card shows up. It doesn’t happen constantly but if I use cards to pay they seem to get skimmed about once every year or two.

              What do you think will happen if someone exploits a 0-day in GPay to do this? How could your bank know the purchase was fraudulent? At least with a card it is obvious that this can happen.

              Literally never happened before, but same way they know a credit charge is fraudulent, I tell them. Also if someone found a 0-day in GPay I wouldn’t be the only one complaining of fraudulent charges, they’d be flooded with complaints.

              If you care about “secure” payments that much, why not use cash?

              Because that’s a pain in the ass. I don’t care about “secure” payments, I care about not having to spend days dealing with the aftermath of it. Paying with cash means I need to constantly go to ATMs to withdraw money, and if I’m doing that my odds of getting my card skimmed actually go up so it doesn’t even protect me from that.

              • dsemy@lemm.ee
                ↑1 · 4 months ago

                Literally never happened before, but same way they know a credit charge is fraudulent, I tell them.

                The reason I brought this up is because I read a story of a European guy who had someone pay for something in Brazil using his card, through GPay. He didn’t get his money back, as the bank didn’t believe him (as GPay is supposed to be secure). Take this with a grain of salt though, as I can’t find this story now.

                Also if someone found a 0-day in GPay I wouldn’t be the only one complaining of fraudulent charges, they’d be flooded with complaints.

                Not necessarily. Maybe a company like Pegasus is already exploiting a 0-day to see the purchase history of people, but they’re smart enough to not attract attention by stealing.

    • Lettuce eat lettuce@lemmy.ml
      ↑8 · 4 months ago

      Been using GrapheneOS for close to 2 years, love it. Not perfect, but it’s solid & does everything I need well enough. Even with the minor bugs, it’s a hell of a lot better than having Google’s or any other vendor’s proprietary bloatware stuck on there.

      I would say you should use GrapheneOS first, if you don’t have a Pixel, use DivestOS, if you can’t use that, use /e/. That’s the order I would put them in for security and privacy.

    • Pfeffy@lemmy.world
      ↑5 · 4 months ago

      Not only is it still Android but the thing that the article says is special about it, blocking trackers and stuff, is trivial to do without installing a custom OS image. Change your DNS, trackers/ads gone.

  • antler@feddit.rocks
    ↑38 ↓1 · 4 months ago

    Iirc E/OS is based on Lineage, but takes a horrifyingly long time to patch in security updates on top of Lineage’s already somewhat laggy patches. If you choose to use it make sure you’re aware of that going in.

    Also, like IIGxC said it’s Android. Maybe slightly more private than most stock versions on most phones. But that’s like saying [insert Linux distro] is better than Linux.

    • 9tr6gyp3@lemmy.world
      ↑7 ↓16 · 4 months ago

      LineageOS will only patch Android. It will not patch hardware vulnerabilities after the device no longer has support from the manufacturer.

      Both of these OSes are dangerous for privacy and security.

        • StrawberryPigtails@lemmy.sdf.org
          ↑16 ↓1 · 4 months ago

          There is no option. There is too much variation in the various phone chips for the hardware hacking community to reverse engineer more than a bare handful. And as soon as the hardware has been reverse engineered, it will never be used again by a manufacturer making the exercise largely pointless.

          Add to that, the fact that Qualcomm actively discourages long term support of their chips….

          • kronarbob@lemmy.world
            ↑9 · 4 months ago

            That’s why Fairphone chose a QCM6490 for the fairphone 5. It’s far from being the best, but it has longer term support than mainstream oriented SOC.

            Since the SOC will probably be enough for most users, it’s not a bad option I guess.

            • Dariusmiles2123@sh.itjust.works
              ↑5 · 4 months ago

              Well then I really hope the Fairphone 5 is gonna get really long term support and start a new trend in that regard.

              Just buying a new phone every 5 years isn’t sustainable!

              • kronarbob@lemmy.world
                ↑2 · 4 months ago

                They advertise support for between 8 and 10 years (at least 5 major versions of Android, and security patches after that). I don’t know their policy on the availability of the repair parts, but if it’s for the same amount of time, I’ll be happy.

                I changed the battery and the usb port of my OP7 last year… the oneplus site didn’t sell them anymore, I had to go on aliexpress to have both … That’s quite frustrating for a device that is 5 years old…

                • Dariusmiles2123@sh.itjust.works
                  ↑1 · 4 months ago

                  8 to 10 years is good, but it should be just a start.

                  I’m still using my PlayStation 3 and a computer from 15 years ago (as a backup) and I think it should be the same with smartphones

        • SolidGrue@lemmy.world
          ↑3 ↓2 · 4 months ago

          Get a new phone the vendor does support.

          Firmware patching is applying low-level firmware to the modem or baseband, similar to a BIOS update on a desktop or server. These binary libraries are (a) proprietary, and (b) opaque to the user (meaning they’re not documented like normal software)

          Once a vendor drops support for a platform, that’s it, that’s the end of the line. The device will still work, but any glitches, firmware vulnerabilities, or updates for network-side changes will no longer be addressed.

          • EngineerGaming@feddit.nl
            ↑3 · 4 months ago

            This is just not realistic though, as the support is so short. You cannot buy phones every few years. Only thing you can realistically do is apply at least Lineage and exercise caution.

            • jet@hackertalks.com
              ↑1 · 4 months ago

              Denying reality isn’t realistic either.

              Knowing your threat model and being aware of your tradeoffs and decisions is useful. Maybe security isn’t more important than longevity, but the phone owner should be making a deliberate choice.

              With the new pixels having 7 years of support things are improving. It would be nice for them to open source the hardware specs at the end of the support window…

              https://support.google.com/pixelphone/answer/4457705

              • AbidanYre@lemmy.world
                ↑2 · 4 months ago

                Who’s going to be digging into the depths of a 5+ year old phone on the off chance they can find a baseband vulnerability though?

                Even if they do find something, the number of people for them to exploit is probably going to be vanishingly small.

      • deafboy@lemmy.world
        ↑4 ↓1 · 4 months ago

        Although using an up to date Android userspace is still less bad than stopping all the updates once the vendor jumps the ship.

        It’s not going to stop a dedicated attacker, but having a somewhat secure webview that’s not going to crumble under the first piece of malicious javascript goes a long way towards the peace of mind.

        • 9tr6gyp3@lemmy.world
          ↑5 · 4 months ago

          If a rootkit is hiding at the hardware level, it may not matter what operating system or web browser you’re using on your phone. A rootkit at this low level could potentially evade detection by the OS and modify files or memory without the operating system’s knowledge. It may also be able to disrupt secure boot processes and monitor radio transmissions like Bluetooth, WiFi, and NFC.

          Once an exploit is found that works on a particular device model, and attackers know the device manufacturer will never release firmware updates again, they could start searching for any users of that phone model. A rootkit installed this way may remain on the phone permanently since firmware updates are no longer being provided. The phone user may be unaware their device has been compromised.

          LineageOS does not employ a dedicated security engineer for each phone model. Maintainers with LineageOS typically take the latest firmware from the original device manufacturer and import it into their build process. But if the latest firmware release from the manufacturer is already three years old, it’s possible there may now be several undiscovered vulnerabilities in that outdated code.
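
An added example, not part of any comment in this thread: one way to see the gap described above is to compare the two patch levels a build declares, the Android framework level (`ro.build.version.security_patch`) and the vendor image level (`ro.vendor.build.security_patch`), as printed by `adb shell getprop`. The sample output is constructed, the 90-day threshold is an assumption, and both values are only what the build claims about itself.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-06-05]
[ro.vendor.build.security_patch]: [2021-03-01]
[ro.product.model]: [ExamplePhone]
"""

OS_KEY = "ro.build.version.security_patch"     # Android framework patch level
VENDOR_KEY = "ro.vendor.build.security_patch"  # vendor image (drivers, HALs) patch level

PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def _patch_date(props, key):
    """Return the property as a date, or None if it is absent or malformed."""
    try:
        return date.fromisoformat(props.get(key, ""))
    except ValueError:
        return None


def _age_days(patch, today):
    return None if patch is None else (today - patch).days


def patch_report(props, today, max_age_days=90):
    """Compare OS and vendor patch levels against `today`.

    max_age_days is an assumed threshold for this example, not an
    Android or LineageOS rule.
    """
    os_patch = _patch_date(props, OS_KEY)
    vendor_patch = _patch_date(props, VENDOR_KEY)
    findings = []

    if os_patch is None:
        findings.append("os-unknown")
    elif _age_days(os_patch, today) > max_age_days:
        findings.append("os-stale")

    if vendor_patch is None:
        # Older or unusual builds may not declare a vendor patch level at all.
        findings.append("vendor-unknown")
    else:
        if _age_days(vendor_patch, today) > max_age_days:
            findings.append("vendor-stale")
        if os_patch is not None and vendor_patch < os_patch:
            # Userspace keeps moving while the vendor blobs stay where
            # the manufacturer left them.
            findings.append("vendor-behind-os")

    return {
        "os_patch": os_patch,
        "vendor_patch": vendor_patch,
        "os_age_days": _age_days(os_patch, today),
        "vendor_age_days": _age_days(vendor_patch, today),
        "findings": findings,
    }


if __name__ == "__main__":
    report = patch_report(parse_getprop(SAMPLE_GETPROP), today=date(2024, 7, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```
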

          • grid11@lemy.nl
            ↑1 · 4 months ago

            So for the average users that only want to go on with their lives and not buy brand new phones every 2-3 years (or don’t live in places where fairphone and pixel phones are available) what would be the solution?

            If a person is not some POI, don’t you think that wouldn’t be better to flash something that at least includes some relatively up to date security patches?

            And how are those rootkits being loaded to phones with outdated firmware? Bundled with the last OS that was flashed or remotely by exploiting security flaws? Not a dev, but curious about it.

            • 9tr6gyp3@lemmy.world
              ↑2 · 4 months ago

              It’s generally best to get a phone that receives software updates and security patches for more than 2-3 years. This is because vulnerabilities can be discovered in older hardware that cannot be fully fixed with a software update alone. While updating the OS helps with security at that level, flaws in the underlying hardware may still exist. Additionally, threats can come from various sources like malicious apps, texts, USB devices, or physical access, not just online attacks. Choosing a manufacturer that supports phones longer can help reduce these risks over the life of the device.

              • grid11@lemy.nl
                ↑1 ↓1 · 4 months ago

                It’s generally best to get a phone that receives software updates and security patches for more than 2-3 years.

                See first paragraph again, not everybody is as affluent as you are, look at the problem from the other perspective

                Additionally, threats can come from various sources like:

                malicious apps,

                will take control of the phone from the inside out, nothing will withstand that

                texts,

                Pegasus will use 0day, nothing to do about that

                USB devices, or physical access,

                Once somebody has physical access because you’re some POI and not an average Joe, not much you can do

                Choosing a manufacturer that supports phones longer can help reduce these risks over the life of the device.

                See first paragraph, parenthesis content. Also phones are made with short lifespan on purpose, this gives steady inflow of money for the manufacturers, only few will give you what you want

                • 9tr6gyp3@lemmy.world
                  ↑2 · 4 months ago

                  See first paragraph again, not everybody is as affluent as you are, look at the problem from the other perspective

                  There is no blanket advice for which device to use. You will have to look it up yourself. But if you’re using a phone beyond its supported time, then you are vulnerable.

                  will take control of the phone from the inside out, nothing will withstand that

                  Nothing can withstand a 0-day attack, but it’s on your manufacturer to prevent a 1460-day attack.

                  Pegasus will use 0day, nothing to do about that

                  See above statement.

                  Once somebody has physical access because you’re some POI and not an average Joe, not much you can do

                  You can be a random person walking in a busy metro area and happen to get in range of someone who is scanning for a particular device to use a side-channel attack on. You don’t have to be a POI.

                  See first paragraph, parenthesis content. Also phones are made with short lifespan on purpose, this gives steady inflow of money for the manufacturers, only few will give you what you want

                  The manufacturers are still responsible for patching their devices. Once they stop doing that, you should know that device can’t be trusted with your privacy and security. This is the minimum baseline standard. If you are trying to extend the life of a device by yourself, and use it as a daily driver, you have decided that your data is free for anyone to have.

      • jet@hackertalks.com
        ↑2 ↓8 · edited · 4 months ago

        100% you are correct.

        Shame on the down voters.

        Running a phone without firmware and driver security patches is a huge risk, that goes up geometrically the longer the phone is out of support.

        LineageOS is great for making older devices useful but they are not secure, and they shouldn’t be used for anything sensitive like money.

        For the down voters. Imagine I have a time machine and bring a precontact native American to present day. I know this is dangerous, so I make them read every modern medical textbook first. Chances are they are going to catch a fun modern disease rapidly and die. Not because they didn’t have the knowledge, but because their immune system didn’t co-evolve with the threats. Being stuck out of time is an anachronism, but that’s exactly what we’re asking our cell phones to do. We prevent them from co-evolving with current threats, and then expect them to match all the threats in the future…

  • orclev@lemmy.world
    ↑29 · 4 months ago

    Ultimately the real solution to a lot of these problems is likely to be a Linux phone OS. It’s something being actively worked on, but it’s still only half baked and I wouldn’t recommend anyone daily drive a Linux phone. Maybe in a few more years it will reach a state where it’s actually usable.

    One thing that would help a lot is if some company stepped up to provide a platform agnostic NFC payment solution that worked on both iOS and Android. As far as I’m aware if you want NFC payment you have exactly one choice depending on your OS, and both Apple and Google brick NFC if you root your device.

    • essteeyou@lemmy.world
      ↑8 · 4 months ago

      I really want to use my PinePhone Pro, but it’s been in a box since the week I bought it.

      I thought I was going to start hacking around, but then I didn’t have the time. It has everything I want from a phone, except for software.

  • deafboy@lemmy.world
    ↑23 ↓1 · 4 months ago

    Almost every paragraph is its own, self-sufficient, malignant cancer. How did this even get published?

  • kronarbob@lemmy.world
    ↑19 · 4 months ago

    I like /e/OS, but the app lounge bothers me a lot. There is no uninstall button and it is not possible to add Fdroid repos… So I have Fdroid installed in addition to it.

    I do not see an added value as if I had the aurora store installed + Fdroid.

    IMO, the best addition of e/OS compared to lineage is clearly the tracker/ad blocker app.

      • kronarbob@lemmy.world
        ↑3 · edited · 4 months ago

        It has a confidentiality notation system based on exodus privacy. It makes it more visible than on the aurora store. It has the possibility to install app from fdroid, well, at least from the main repo as it is not possible to add more.

        There is a high chance that they forked the aurora store, as most (if not all) of their apps are based on open source apps. (but if so… why did they remove the option to uninstall apps…).

        Their app “maps” is just magic earth with another name and icon.

        edit : phrasing

    • kirk781@discuss.tchncs.de
      ↑3 · 4 months ago

      I think the greatest hindrance to /e/ is the fact that so few devices are supported. The article lists Fairphone as a supported device but that doesn’t retail in my country. Most Chinese OEMs (that form the bulk in my nation) won’t be supported by it. I have had a Nokia and a Samsung but even those two models are nope. One would need to go with the express purpose of installing alternative OS’s and then purchase supported phones like Pixel probably, if they wanna indulge in this. But normal people aren’t gonna do this. They are going to purchase the phone that fits the price vs performance ratio for them rather than alternative OS criterion.

      • Grangle1@lemm.ee
        ↑3 ↓1 · 4 months ago

        I’ve brought it up before with /e/, that because it’s based in Europe it tends to focus on the European market, IMO too much so. Lots of Europe-exclusive phones supported, barely any US-available phones that support tech like 5G (which is not available in Europe). If you want 5G in the US, you’re pretty much stuck with the Pixel or the Fairphone, and like you said, you also won’t find the Fairphone in a US store (though you can order one from /e/'s website in the US). While I did buy a Murena One (which is a cheap Chinese OEM) in the short time they were selling them in the US market on their website a couple years ago and I’m using it now, good luck finding a US carrier that will support it (T-Mobile was the only one that would) or a repair shop that will touch it if it breaks. I’ve dropped it a couple times and have a large area of dead pixels on the bottom of the screen, but nobody can get a replacement screen for it.

      • grid11@lemy.nl
        ↑1 ↓1 · 4 months ago

        so few devices are supported >?<

        I don’t agree with that, take a look at this:

        Officially supported devices and the list of unofficial /e/ builds part1 and part2 (those might not be working as good as official builds)

        • kirk781@discuss.tchncs.de
          ↑2 · edited · 4 months ago

          It officially supports 250 variants including many going over a decade back. If one were to include all smartphone models/variants released during the previous decade, it won’t even hit the 10 % mark.

  • UnfairUtan@lemmy.world
    ↑14 · 4 months ago

    I love /e/OS, but it’s not better. I’ve had a lot of issues ranging from GPS being inaccurate, MMS not working, and most annoyingly: the play store alternative (app lounge) works 1% of the time…

    • kronarbob@lemmy.world
      ↑2 · 4 months ago

      Which version and phone are you on? I’m on the “t” version on a Oneplus 7 and I have none of these issues.

      I first installed the “s” version and got annoying bugs, then switched to the “t” one and everything was OK. I know all the versions aren’t available on every device, I hope you can switch to a more stable one.

  • Dizzy Devil Ducky@lemm.ee
    ↑4 · 4 months ago

    I would definitely try it, but all the phones I’ve been looking at recently don’t have any support whatsoever for any of those types of custom OS’s. No Lineage, no anything. All because they’re not flagship models and are more budget friendly phones (and have what I’m looking for: headphone jack and SD slot).