
my final straw with Android was pixel 4a stopping security updates in 2023. that phone was released in 2020. the iphone 12 released in the same year will receive security updates until 2027. from a hardware perspective my pixel 4a has a great screen, great battery, great camera, great 4g speeds, i have 0 desire for a new phone. too bad Google arbitrarily turned it into an insecure piece of etrash after 3 years.


I don't really get people's obsession with security updates for a smartphone. It's not a public webserver, bro. It's a phone. You're the one who decided it was etrash.

Not only is it not reachable by anyone except your mobile provider, but every app is sandboxed anyway. Unless you're downloading random apps every day, why would you care? What do you think is going to happen? Just stick to reputable apps.

You know what I do on my still-supported phone? Set it up, then disable automatic updates, for both Android and the Play store. I update the browser weekly, but that's it. I update the whole thing manually after a few months or a year if I feel I have a good reason to.


I learned > 10 years ago that every phone "security update" is just a patch to disable workarounds people use to root their phones. And every update unroots it. So yeah, disabling automatic updates is also the first thing I do.


A modern smartphone is a mishmash of proprietary, closed-source, burn-before-reading secret wireless stacks, and unsurprisingly they all suck.

I can’t really speak about the cellular parts. (Although the fact that your SIM—including your eSIM—is a standalone computer with over-the-air installable applications, arbitrary access to the cellular network, and zero end-user ways to inspect it fills me with dread simply on general grounds. Oh and on all networks pre 4G the base station is not authenticated. And the auth implementations on 4G are often completely broken, especially once roaming enters the picture.)

But the Wi-Fi and Bluetooth stacks are wide open to everybody within 10s to 100s of metres of you who wants to grope them, every minute of your life. And given there’ve been pretty spectacular exploits by (smart and knowledgeable) randos even with the difficulty of reverse-engineering them as a rando, I feel fairly confident in expecting them to be a horror show internally.


Exploits such as the ones that just needed you to receive a specially crafted message have already happened; it's not that simple.


Pixel 4a is built on a Qualcomm Snapdragon 730G (and 4a 5G on a 765G). It is Qualcomm’s policy that consumer chips like these get 3 years of support for baseband, driver, etc. updates.

Mind you, I’m not saying we shouldn’t complain to Google if we want them to transmit some backpressure on Qualcomm, just that basically the whole ecosystem is like this due to depending on a single chipmaker.

(In other news, Pixel 6 and later get three years of version updates and five of security patches; Pixel 8 and later get seven years of both. As far as I know, this is some sort of Google-specific sweetheart deal—other phones with Qualcomm consumer chips don’t get the same treatment.)



