Ask HN: Options for Android phone no longer getting security updates?
Yesterday’s epic thread about blue and green bubbles, which of course branched off into a comparison of iPhones and Androids, made me think about my own phone more than usual. It’s a Moto G Power (2020) running Android 11 that received its last security update in April.
I’m embarrassed to say that I didn’t realize this, or realize that this is Motorola’s policy (one version upgrade and two years of security updates) until yesterday. I admit that this has given me a new perspective on paying $500 for an iPhone SE that might receive updates for 5+ years vs. $200 for a budget Android phone that might get less than 2 years of support from my date of purchase.
Anyway, I’m otherwise perfectly content with the phone. I bought a budget phone in the first place because I’m not a heavy phone user, which makes the thought of buying a new phone that much more painful. My options seem to be:
1. Stick my head in the sand and don’t worry about the lack of security updates for another couple of years. I’m obviously in good company with millions (billions?) of other Android phone owners, but how foolish would this be?
2. Replace it now with a new phone.
3. Maybe go down the rabbit hole of LineageOS or other custom ROMs? Is this viable for a daily driver that I don’t use much but needs to work when I need it? How mature are these compared to, say, the major desktop Linux distros?
33 comments
[ 2.8 ms ] story [ 98.1 ms ] threadAnd for me, that's good enough. I don't actually care about someone reading my texts. I simply don't access the internet on my phone. (Cataracts made it hard to focus close enough to read a screen that small. Yes, you can enlarge the text, but then I'd be scrolling my fingers off.) My personal life isn't tabloid material. I don't have any stalkers. (So far as I know - if I do, hi!) So someone could read my contacts, read my texts, and see pictures of my granddaughter and my cat. Under these conditions, I see no reason why I should care very much about the security of my phone.
Am I missing something in my threat model?
On custom ROMS, a security researcher named 'madaidan' states that ROMs such as Lineage are insecure (https://madaidans-insecurities.github.io/security-privacy-ad...) with GrapheneOS being an exception.
On the GrapheneOS website, it recommends getting a Pixel 6 and above which has 5 years of guaranteed full security updates (https://grapheneos.org/faq#recommended-devices).
Louis Rossmann recently released a video talking about GrapheneOS as his daily driver and breaks down some usability misconceptions. (https://www.youtube.com/watch?v=yIZmUINSvQ4)
The keyboard kind of sucks.
Assuming you are unwilling to use google location services, GPS is flaky. As a consequence, Camera image location tagging is flaky. Most apps that use map views are broken. (Third party map apps like Here WeGo and Organic Maps and are generally fine, oddly enough.)
Backup is non-existent. (There is a thing. It does not work.)
Unless you want to sync documents through google or some other untrustworthy third party, there aren't any competitive "keep a text document synced between N devices" programs. (Standard Notes is the closest on this front.)
Phone calls and notifications work. Google Camera can be coerced into working (but geotags are iffy).
Google services that normally support anonymous users (especially Meet) aggressively detect android and refuse to work if you are not logged in.
Battery life is OK (as advertised) if you install google services in a sandbox. Stellar without them.
The pixel wireless fast charger has settings that cannot be changed through graphene. The charger setting app requires kernel level permissions for some reason.
Bluetooth support is the best I've seen.
No kernel panics, or strange battery drains, in my experience.
Always on VPN seems to work.
Performance is good.
My next phone will not be an android.
The tire fire caused by not allowing google location services is the main reason. App ecosystem is number two. Lack of working backup is three. The system keyboard is number four. The over processed aesthetic of the camera is number 5 (this last one comes down to taste).
Edit: I shouldn't have said app ecosystem. I meant the lack of non-privacy-invading apps that provide functionality that should be built in: Open PDF/docx/etc, scan + OCR to PDF from camera, print without granting randos permission to send documents to third parties, note sync, photo search, health data, etc...
Hope this helps!
You can also change to use Google's geolocation if you like, cf. https://grapheneos.org/usage
https://grapheneos.org/usage#sandboxed-google-play
There's also a per-app exploit protection compatibility mode toggle for apps with memory corruption bugs uncovered by `hardened_malloc` or which have compatibility issues with the larger address space (48-bit as opposed to 39-bit).
Due to the advances in the sandboxed Google Play compatibility layer over the past year and the exploit protection compatibility mode, only a few apps aren't working. Most of those apps are choosing to disallow using a non-Google-certified OS via the Play Integrity API. SafetyNet attestation API was the previous legacy approach.
GrapheneOS has a system backup service and it does mostly work. It doesn't have great UX, and has a lot of issues, which is why we plan to replace it. It was originally developed for GrapheneOS but was taken over by a hostile group and we're going to make our own instead. Until then, we still have the existing one.
Many Android apps still disallow backups from backing up their data but this problem was solved for apps targeting Android 12 and above which is about to become mandatory for the Play Store for both new apps and app updates. That issue will be resolved by the end of the year. It was caused by a poorly designed Android manifest configuration option for disabling backups. Most apps just wanted to disable cloud backups for bandwidth, size or privacy reasons. It now means disable cloud backups for apps targeting Android 12 and above. It's still possible to exclude files from backups but it requires a new Android 12+ API with separate lists for local backups, E2EE cloud backups and non-E2EE cloud backups. This issue isn't in any way GrapheneOS specific. It applies just as much to Google's device-to-device backup/restore system shown as part of the initial setup wizard and their cloud backups. It just takes time for the new API level to become mandatory: a bit over a year after the new OS release.
Install LineageOS on it, if it's supported?
https://wiki.lineageos.org/devices/#motorola
But read this about LineageOS, et al to understand the risks: https://madaidans-insecurities.github.io/android.html
>The default updater even allows you to downgrade versions yourself.
I think this has changed as I do not see this anymore in my own install. I've read this article in the past and the date is updated but the content may not be?
Buy an iPhone. You do not need this fuss in your life.
Both are well supported by lineage and co (I don't use lineage because they refuse to include signature spoofing so microg doesn't work properly) but otherwise fine.
It costs quite a bit less than an iPhone ($349 as of this writing).
A Moto G7 Power like above? Motorola devices can be bootloader unlocked I think.
We have a couple Moto G7 Plus devices and use microG, I use VPN and have a firewall app. Works great. Even notifications can work with apps you choose.
I have been a LineageOS user for awhile. There's no guarantee a particular device will always be maintained but if is, it's not that hard to install. The instructions are pretty clear. I've used it on a old Samsung 3, an Honor5x, Samsung S5, and now Moto G7.
I have had some issues with GPS accuracy and Bluetooth connections from the S4 to a certain device occasionally dropping out, but I haven't done careful before/after tests so these may be hardware problems. I would recommend giving the LineageOS a try, at least before replacing the phone, if that's the path you want to take.
#u€k these handset manufacturers like Moto whose lack of mainline support feeds our trash heaps - they know exactly what they're doing.
Assuming this is your phone, looks like you might have to use nightlies: https://wiki.lineageos.org/devices/ocean/
Still, I've used nightlies for significant stretches of time without any major issues. You'll probably see a significant speed boost too vs the OEM software
You will need to follow a guide and do a little tinkering to set up the OS, but I think this is a viable path forward for you
Android 9 got its last regular security update in January of 2022. If Google's pattern continues, Android 11 itself should continue to get regular security updates until Q1 2024.
What a waste.
So the answer 1#, dont worry about it, somebody else does the worrying for you.
[1]: https://www.navit-project.org/
1. Bluetooth headset audio had some kind of bug. Something like this is a deal breaker or something you would never notice depending on what you do on the phone I suppose.
2. There's no sign of a key partition to support orange(?) booting. I just see N/A for the keys of whatever OS I might have booted.