That is not the only issue, it’s just one of the more major ones that shouldn’t be dismissed like it’s nothing. Another major one is the unlocked bootloader. You can take a look at all the Android ROMS here.
I think people should treat carefully when changing the OS of a mobile device. Changing your OS to something less secure just because you want to shove it to Google and Apple is not enough to warrant it. Better to stay with something safe that you know than with something insecure like /e/OS.
Luckily we have Graphene so you can actually switch to a more secure and private OS that is not made by an American corporation hungry for data.
I am not dismissing it, I am saying that is not as big as you make it to be. Most users lag behind in updates anyway, besides using minimal and trusted applications, the outside exposure to exploitation is relatively small, for a device without a public address. I am not the one APTs are going to use the SMS no-click 0-day against.
Similarly for the bootloader issue. The kind of attacks mitigated by this are not in most people threat models. They just are not.
As someone else wrote, it’s possible to relock the bootloader anyway with official builds (such as my FP3). But anyway, even for myself the chance that my phone gets modified by physical access without my knowledge is a fraction of a fraction compared to the chance that someone will snatch the phone in my hand while unlocked, for example (a recent pattern).
If these two issues are what prompts you to call a “security dumpster fire”, I would say we at least have very different risk perceptions.
If these two issues are what prompts you to call a “security dumpster fire”, I would say we at least have very different risk perceptions.
We do. I can’t in good conscience recommend it as an alternative to friends or relatives when even stock Android has improved security. I can’t speak for your social circle, but all the people I know update their phones accordingly. Maybe they delay the update for a few days, but they don’t stay months with their phones like that. Fairphones improve the situation a bit since you can lock the bootloader, but the substantial delay in security updates is still a major risk.
I don’t get why anyone would choose /e/OS over Graphene if they had the option. Graphene offers the highest security and privacy, it works wonderful and most banking apps support it. /e/OS just has the advantage of supporting more models, but if you can get a Pixel what’s the point?
I definitely wait more than a week to update for example. The marginal security risk is completely irrelevant for me compared to the operational risk of a buggy update. N-1 is a common practice for updating software in fact, unless there is absolutely a great reason to upgrade.
Also, I want to be in your circle, because most people I know if the phone doesn’t update automatically they probably won’t even think of updating their phone (or their computer) at all.
For me the reason is simple, I don’t care about the advanced threats that would be mitigated by GrapheneOS enough to buy a pixel and migrate. I already own a FP3 and that’s what I am going to use until it breaks.
I might consider Graphene in the future, but having to buy a Google phone (even a used one) already pisses me off, compared to a FP (or similar). eOS also tries to be a “noob-friendly” distribution, that you can buy phones with and you never have to mess with the phones, which means people who don’t have the skills or don’t want to mess with their phones might trade the risk with ease of operation, and it might be the right choice for them.
I already own a FP3 and that’s what I am going to use until it breaks.
That’s fair. I can get behind that.
I might consider Graphene in the future, but having to buy a Google phone (even a used one) already pisses me off, compared to a FP (or similar).
You’re not the only one. I loathed that I had to go back to Google to switch to Graphene, but life’s a compromise most of the time.
eOS also tries to be a “noob-friendly” distribution, that you can buy phones with and you never have to mess with the phones, which means people who don’t have the skills or don’t want to mess with their phones might trade the risk with ease of operation, and it might be the right choice for them.
Graphene does that well too. I’ve been using it for a few weeks now and I never had to look up guides like I’m doing for Linux.
That is not the only issue, it’s just one of the more major ones that shouldn’t be dismissed like it’s nothing. Another major one is the unlocked bootloader. You can take a look at all the Android ROMS here.
I think people should treat carefully when changing the OS of a mobile device. Changing your OS to something less secure just because you want to shove it to Google and Apple is not enough to warrant it. Better to stay with something safe that you know than with something insecure like /e/OS.
Luckily we have Graphene so you can actually switch to a more secure and private OS that is not made by an American corporation hungry for data.
/e/OS has official builds for the fairphones, you can re-lock the bootloader there, afaik. At least according to this: https://doc.e.foundation/devices/FP5/install
You can also buy the phone directly with /e/OS pre-installed & closed bootloader, from what I read on the fairphone website.
I am not dismissing it, I am saying that is not as big as you make it to be. Most users lag behind in updates anyway, besides using minimal and trusted applications, the outside exposure to exploitation is relatively small, for a device without a public address. I am not the one APTs are going to use the SMS no-click 0-day against.
Similarly for the bootloader issue. The kind of attacks mitigated by this are not in most people threat models. They just are not. As someone else wrote, it’s possible to relock the bootloader anyway with official builds (such as my FP3). But anyway, even for myself the chance that my phone gets modified by physical access without my knowledge is a fraction of a fraction compared to the chance that someone will snatch the phone in my hand while unlocked, for example (a recent pattern).
If these two issues are what prompts you to call a “security dumpster fire”, I would say we at least have very different risk perceptions.
We do. I can’t in good conscience recommend it as an alternative to friends or relatives when even stock Android has improved security. I can’t speak for your social circle, but all the people I know update their phones accordingly. Maybe they delay the update for a few days, but they don’t stay months with their phones like that. Fairphones improve the situation a bit since you can lock the bootloader, but the substantial delay in security updates is still a major risk.
I don’t get why anyone would choose /e/OS over Graphene if they had the option. Graphene offers the highest security and privacy, it works wonderful and most banking apps support it. /e/OS just has the advantage of supporting more models, but if you can get a Pixel what’s the point?
I definitely wait more than a week to update for example. The marginal security risk is completely irrelevant for me compared to the operational risk of a buggy update. N-1 is a common practice for updating software in fact, unless there is absolutely a great reason to upgrade.
Also, I want to be in your circle, because most people I know if the phone doesn’t update automatically they probably won’t even think of updating their phone (or their computer) at all.
For me the reason is simple, I don’t care about the advanced threats that would be mitigated by GrapheneOS enough to buy a pixel and migrate. I already own a FP3 and that’s what I am going to use until it breaks.
I might consider Graphene in the future, but having to buy a Google phone (even a used one) already pisses me off, compared to a FP (or similar). eOS also tries to be a “noob-friendly” distribution, that you can buy phones with and you never have to mess with the phones, which means people who don’t have the skills or don’t want to mess with their phones might trade the risk with ease of operation, and it might be the right choice for them.
That’s fair. I can get behind that.
You’re not the only one. I loathed that I had to go back to Google to switch to Graphene, but life’s a compromise most of the time.
Graphene does that well too. I’ve been using it for a few weeks now and I never had to look up guides like I’m doing for Linux.