Re: Owww.
It keeps looking like the only truly smart option is not to buy a smartphone in the first place.
Well, if you exclude good old poisoned SMS messages, you'll be fine.
Of any single product, CVE Details reckons, Android had the most reported vulnerabilities in 2016 – but as a vendor, Adobe still tops the list. The analysis is limited by the fact that only vulnerabilities passing through Mitre's Common Vulnerabilities and Exposures (CVE) database are counted. That's a statistically worthwhile …
Possibly Cyanogenmod (now Lineage OS) hasn't been tested in some time, but one vulnerability for 2012 is not bad.
Yeah, I would feel better if my phone ran OpenBSD.
It's based on Android, so it would have almost all the same bugs. Your contention fails the 'duh' test - there's no way in hell they found and fixed all but one of those hundreds of Android bugs before Google or security researchers found them!
The only way to make a secure mobile OS these days is to have it do almost nothing. Look at all the Android bugs around receiving MMS messages - the fix for that is to disallow MMS. The only fix for the various bugs everyone has where a web page with the right code can exploit the browser is to not support web surfing. Basically if you make your smartphone a feature phone that can't browse the web, can't run apps, can't do anything besides calls and SMS, you can probably make it bulletproof. You do everything a modern Android or iPhone can do, you are going to have to accept security issues as a consequence of that convenience.
OpenBSD won't help you here, BTW. Perhaps it has a more secure userland, but that doesn't help if you are running Chrome or Firefox and getting all their bugs.
OpenBSD won't help you. These cellular modem chipsets have an iommu that can do DMA to any RAM on the device.
"There are no secure smartphones."
https://www.devever.net/~hl/nosecuresmartphone
That appeared on Hacker News nearly a year ago.
Not true, wife's phone got November 2016 security update on 4.4 a few weeks ago. Don't fall into the same flawed assumption that many plebs make, Google release monthly patches for 4.4, 5.x, 6.x and 7.x.
You don't need Android 7 to be secure, you don't even need Android 7 to run the latest stuff from the app store either, Google Play services and Google compatibility libraries take care of that. If you have an older phone, essentially as long as you get security updates, you are better off with the OS the phone shipped with, rather than a bogged down, less tested full version OS update.
It is and always has been getting them to the phones. If your wife got really lucky with a purchase I guess she got one that is still getting updates for 4.4, but I'll bet that's true for less than 1% of all the phones that were sold with 4.4.
Timeliness is also an issue. If Google issues a 4.4 fix tomorrow and a phone doesn't get it until July, that's a lot of time for hackers to reverse engineer the exploit that was fixed and use it against you.
Because of the Linux monolithic kernel architecture that provides speed instead of the inherent security of a microkernel, Linux is more susceptible to security flaws.
Security is best built in intrinsically at the lowest levels. Adding security as an afterthought still leaves the original problems there.
While Linux has proven good for well-managed server systems where performance is required, it is bad for end users who don't maintain their machines or want the freedom to download apps and use their devices for 'fun'. These users want automatic security built in, rather than managed security.
This does seem like a paradox that security is more important on end user devices than servers. However, it is how that security is provided - built in to the OS, or managed by IT professionals. When a user's machine is compromised, it does not just affect that user - hackers can mount DDoS attacks against servers. This also applies to unmanaged security on IoT devices.