Hi,

A friend wants to degoogle his phone, so I suggested the OS I’m currently using. The one we can’t talk about… He wants a small/compact phone, so I suggested pixel 4a (not buying second hand though), but I’m afraid that planned obsolescence may kill the phone rather soon. What’s your opinion?

Cheers and thank you for your help,

@toastal@lemmy.ml
link
fedilink
-3
edit-2
6M

Pixel 4a was one of the last in the Google lineup with a headphone jack (5a being last). The OEM lost its way after that. This enough to not recommend their devices as far as I am concerned.

@ssm@lemmy.sdf.org
link
fedilink
2
edit-2
4M

deleted by creator

Umm one question by the way , why use Google phone to degoogle? There are plenty of good Android phones out there right?

@jet@hackertalks.com
link
fedilink
2
edit-2
6M

Google makes the most open and customizable phones. Unlocked bootloaders, the ability to sign your own code. Rapid security updates for baseband drivers.

Nobody else comes close.

https://grapheneos.org/faq#future-devices

Actually pine phone is really open, but it’s not android and nowhere ready to be a daily driver.

While it is ironic, the pixels are easy to unlock the bootloader and have good support across lineage, calyx, and graphene. Been using one to degoogle for awhile and would recommend them

Can someone explain to me under what circumstances would using an old phone be risky (under a common reasonable threat model)?

No security fixes once the device reaches end of life. For pixel 4a end of security updates was 10 months ago. That mostly is a problem with malicious apps - there were some privilege escalation bugs in those 10 months - but sometimes you get a banger that can get exploited by simply loading a page or opening an image.

I get it about malicious apps but what about just using mainstream apps and surfing the web with adblockers?

Wouldn’t those be typically handled at an OS level? If you’re using an OS that actually gets updates, you’re only vulnerable to attacks at the kernel or driver level

@tty5@lemmy.world
link
fedilink
1
edit-2
6M

If you are on stock software on EOL device you are not getting os updates either.

Also a bunch of recent vulns were in SoC specific stuff - outside os.

foremanguy
link
fedilink
136M

I think it’s a bit too old, if you want to stay in the pixel ecosystem maybe try to grab a 6, 6a or 6 pro. They are around $250, and they are great!

qaz
link
fedilink
46M

I recently got a 6a to replace my iPhone SE for €160 and it’s been working great.

foremanguy
link
fedilink
36M

Great

@ben_dover@lemmy.ml
link
fedilink
10
edit-2
6M

4a is end of life already, so no firmware updates from Google. GrapheneOS has legacy builds available for it but doesn’t recommend using them, and they might go away anytime soon

get a used device which is still properly supported, don’t buy brand new e-waste

You could just jot use Graphene OS. They create ewaste just as much as Android. Lineage OS will run on 8 year old phones.

I have a 4a running graphene and I love it but after 3+ years the battery life is shot. I really didn’t want to buy any of the new pixels because they are all too big and I hate big phones. I was thinking of just buying a new 4a and installing graphene again (because got forbid making a phone where you can just swap out the battery in this day and age) but are you saying this would be a bad idea at this point? Like even if they keep graphene up to date the phone will still be outdated (and therefore vulnerable) at the kernel/hardware level?

@ben_dover@lemmy.ml
link
fedilink
4
edit-2
6M

yes and P4a is already one major GOS/Android version behind, it’s only getting “extended legacy support” releases. i.e. security fixes are merged and backported where possible, but it’s overall not the best setup and they recommend to switch asap.

I’m pretty sure GOS will drop Android 13 (and therefore P4a) as soon as they release Android 15, since the team won’t be maintaining three major Android versions.

CalyxOS ported Android 14 to P4a, so you might squeeze an additional year or so out of it if you switch.

I’d either replace the battery in the old P4a, or get a newer model with 7y software support. But buying a new 4a is probably not your best possible move

Titou
link
fedilink
166M

The one we can’t talk about…

I don’t get it ? Why can’t we say it’s name ?

StormWalker
link
fedilink
06M

Because GrapheneOS is a debatable triggering subject for some people. Basically the OS itself is amazing and very good. But the project leader is apparently arrogant and offensive. And offended a load of big known online personalities. Apparently he says his OS is the best and better then everyone else etc etc. So the question is: do you use and support a project where the product itself is amazing and just what the world needs, but where the project leader is offensive? Some say yes, some say no. = Controversial subject.

Personally I use GrapheneOS because I need a good camera and I like having a flagship modern phone. Currently I’m using a Pixel 7 Pro. I also like the privacy and security features that graphene offer. I don’t see another project out there that can offer me the same. The product is good.

Titou
link
fedilink
16M

But the project leader is apparently arrogant and offensive.

“apparently”

StormWalker
link
fedilink
16M

Well yes exactly. It’s all just big personalities online that say that these things happened. Who knows really what the guy is like. A few big names online say these things about him, but I personally have never had any Interaction with him. So it could all be true, or partly true, or not at all. I guess no smoke without fire… but there is always 2 sides to every story.

Pixel 5 is end-of-life and shouldn’t be used anymore due to lack of security patches for firmware and drivers.

I understand if your friend is on a budget and simply can’t afford a non EOL phone but, they should really consider a 6th gen Pixel or better if they care at all about their data security.

Has there been a successful exploit against a phone with old firmware but modern Android security patches?

I am not sure if there is an example of that specific situation as it would be pretty odd for a phone to be receiving security patches but not firmware updates.

Anyway its not super relevant as the Pixel 5 does not receive firmware or security patches anymore.

OP also seems to be inferring he suggested to his friend to use a very specific security / privacy OS that does not recommend using that model phone anymore for the exact reasons I mentioned. Plus the model is only receiving partial support as a stop gap for users to have time to get a newer model and won’t be supported much longer anyway.

Possibly linux
link
fedilink
2
edit-2
6M

Custom ROMs will receive upstream Android security patches but not patches from proprietary components (firmware). For instance, my Moto g7 power has Android security patches from May but the latest vendor security patch level is 2021. (I’m running Lineage OS) I’m curious to know if the older firmware is a problem. I don’t think it is easily exploitable outside of government backdoors. Not that it matters much as I plan on keeping my phone until it dies.

Not sure where your getting your information but the Pixel 5 has not gotten Android updates or security updates in over 7 months.

There are tons of examples of exploits being used to target EOL phones as its common for people to not care about these updates, or be misinformed, so they are easy targets.

If OP or anyone else wants to use an EOL phone that’s fine but, don’t pretend its a smart security practice. Although even if I were to use an EOL phone, LineageOS doesn’t have the greatest background and isn’t really degoogled

Possibly linux
link
fedilink
2
edit-2
6M

You are still missing my point. All phones actively supported by Lineage OS get Android security patches. Those aren’t vendor patches but they do patch the OS and sometimes the kernel.

For instance, the Pixel 5 was last updated June 28. https://wiki.lineageos.org/devices/panther/

Not to say that you should still buy it. However, if it cheap it might be worth it.

Also from the article you linked:

Although the incident forced LineageOS to take offline all its service, it did not impact the signing keys that authenticate distributions because they are stored on hosts separate from the main infrastructure.

Those are partial security patches (its not in the same ballpark as a non EOL phone).

Even non EOL phones are usually updated dangerously slow when it comes to LineageOS.

Some more sources, not sure why I’m even adding them as you seem hell bent to believe LineageOS is secure regardless of the facts.

https://eylenburg.github.io/android_comparison.htm

https://www.kuketz-blog.de/lineageos-weder-sicher-noch-datenschutzfreundlich-custom-roms-teil4/

If my device is so insecure why haven’t I been compromised? Your “facts” are only important if it promotes Graphene OS.

I think lineage is a good operating system for a limited exposure use cases. Like a project phone on a safe network, or as a webcam, or is like a embedded hardware controller. But not on the raw internet, not processing raw internet data, not with open Wi-Fi, not with open Bluetooth.

Even with all of that, it should still be segmented from the rest of the network

Writing from a 3 years old 4a running CalyxOs: the phone is a perfect choice if you want a small sized phone with a 3.5mm jack and that gets constant updates. The camera might be a little better but I don’t take many pictures so I don’t mind.

the camera is amazing, but you need to use the Google Camera app for it to take advantage of all the Pixel magic. 3rd party camera apps will yield lousy shots comparatively.

I bought a used Pixel 5 in Feb for my daily driver. Replaced my Pixel 3 only because the power button was flaky. They both still run great. By my standards, getting two years out of a phone I paid $150 for is better than getting three years out of a $700 phone.

I am far from unbiased as I just switched back to my pixel 4a from my new Sony Xperia. I think the Pixel 4a is a flat out GREAT phone, full stop. It is perfectly sized IMO, has been very reliable, good battery life (though at this point I should look into replacing the battery), and it has a headphone jack. That being said, picking it as a new phone now essentially means going with a custom rom and hoping it stays supported. That’s fine and all, but it’s not something most people want. Just to be clear, the xperia isn’t a bad option per se, I only switched back because the phone came carrier locked when it was supposed to be unlocked and the carrier it was locked to was uncooperative so I refunded it.

Yes, it is. You should not recommend such a phone. And this only in terms oft update.

The arguments against the company behind this phone would Film books, but that’s another point

Kairos
link
fedilink
46M

It is currently not being updated

Corgana
link
fedilink
-16M

The Pixel 5 is not much more expensive and is still a great phone with good battery life and good camera, and the last Pixel small enough to used one-handed. It also has wireless charging which is missing on the 4a.

If your friend isn’t gaming or doing anything CPU-intensive the P5 is what I would reccommend today. Everything afterwords has been an incremental upgrade for significantly more money.

Corgana
link
fedilink
-3
edit-2
6M

deleted by creator

don’t they have issues with randomly getting stuck in edl?

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 3.12K Posts
  • 78K Comments
  • Modlog