Exposed: Lazy Android mobe makers couldn't care less about security

GIRZiM

Re: Brave New World

But almost NONE of the decent smartphones out there today feature user-replaceable batteries: a make-or-break for me as that's the thing I replace most often.

That's a whole 'nother issue that I also take issue with but for privacy reasons more than anything else - if the phone isn't going to be secure for as long as the battery lasts and I'm going to replace it for that very reason then a replaceable battery is a nicety as far as I'm concerned.

There's also the fact that, when something does go wrong and the phone hangs, I can't fix things by popping the battery, but that's only ever happened to me twice and it simply meant having to wait for it to die.

Nothing to date compares to my Note 4 which is why I stick with them through thick and thin.

Performance-wise, I couldn't comment, but security-wise, I'd suggest upgrading. The Moto G5 came/comes with a removable battery, however, and not only supports Nougat but is officially slated to receive an update to Oreo as well. So, unless you've got some reason to hang on to your Note 4 for the camera, some other hardware feature that you absolutely must have or because it will still outperform the G5, I'd suggest having a look at that latter as a possible upgrade sooner rather than later - before you can't get it any more (which will be the case RSN).

Yet because of Verified Boot, Knox, and root-aware apps, I have to stick to stock firmware.

The Moto G range phones all have unlockable bootloaders so far.

So far, it seems to me that, based upon your need case, the Moto G5 is something you might want to have a look at - I can't tell you anything about its performance (never had one myself) but the specs aren't bad for a phone in that price range (albeit the 5.0" display is a bit small).

But you're still gonna be fighting a losing battle, as I said. You'll get the update to Oreo, eighteen months to two years of security updates, you might squeeze another couple of years out of it by rooting it and/or flashing a ROM but after that it's a security breach in your pocket.

What people forget to factor in is that, by and large, apart from the serious security flaws in things like the SSL libraries, kernel, etc., for the most part the biggest attack surface isn't the OS but the apps. Once the devs upgrade to supporting the latest version of Android, unless they're corporate, it's unlikely that they'll dedicate much time to ensuring that previous versions get fixes for more than the most serious security flaws (the kind of thing that could see them getting sued), and then probably only one or two previous versions at the outside.

You're more likely to be compromised by a flawed app that hasn't been updated than you are by your Android version having a serious exploit in it because you don't access things with Android but with Apps. You're more likely to find your identity stolen thanks to the breach of the customer database on a smalltime dev's home server or their self-managed AWS security. And that's why the OS version is significant more than due to any real shortcomings of the OS itself - it won't support the latest (secure) version of the apps.

After Oreo, I'm sure there'll be improvements made to it over time but the principle of being able to upgrade the security separate from the rest will at least give you a fighting chance of keeping a device running a bit longer because the community might release security patches after Google/the OEMs stop doing so.

Underlying flaws in drivers are a separate issue - if the OEM doesn't release a closed source update and nobody can/does reverse engineer the device/chipset then a security flaw in your networking is going to be worth upgrading your phone for and a more serious consideration than "can I get a removable battery?"

Seriously, I know what you mean - If I could, I'd still be using my Sony P910! But your Note 4 is not gonna get Oreo and you're not gonna get that separation of concerns, so, any security flaws in the OS/apps are there to stay and, furthermore, won't be fixable with a community driven Oreo patch. Although I can't vouch for the performance myself, the G5 looks like a worthwhile consideration for you. It'll get you Oreo and a bit more lifespan security-wise, give you the option of rooting/flashing afterwards and squeezing a bit more lifespan out of it than that.

Ultimately though, the model is based upon the 2-to-4 year upgrade cycle. There's even the 'free upgrade' option on phone contracts - which are, oh, so coincidentally, one or two years normally. Until that changes, don't expect my description of the state of play to change unless, as I said, some miracle OS appears that can handle all the different hardware platforms. And even Ubuntu gave up trying with that one!

Sure you can. It's called "Eat, drink, and be merry, for tomorrow we die."

Yep, nail on head.
