Hi,

A friend wants to degoogle his phone, so I suggested the OS I’m currently using. The one we can’t talk about… He wants a small/compact phone, so I suggested pixel 4a (not buying second hand though), but I’m afraid that planned obsolescence may kill the phone rather soon. What’s your opinion?

Cheers and thank you for your help,

    • StormWalker@lemmy.zip
      link
      fedilink
      arrow-up
      0
      arrow-down
      1
      ·
      6 months ago

      Because GrapheneOS is a debatable triggering subject for some people. Basically the OS itself is amazing and very good. But the project leader is apparently arrogant and offensive. And offended a load of big known online personalities. Apparently he says his OS is the best and better then everyone else etc etc. So the question is: do you use and support a project where the product itself is amazing and just what the world needs, but where the project leader is offensive? Some say yes, some say no. = Controversial subject.

      Personally I use GrapheneOS because I need a good camera and I like having a flagship modern phone. Currently I’m using a Pixel 7 Pro. I also like the privacy and security features that graphene offer. I don’t see another project out there that can offer me the same. The product is good.

        • StormWalker@lemmy.zip
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          6 months ago

          Well yes exactly. It’s all just big personalities online that say that these things happened. Who knows really what the guy is like. A few big names online say these things about him, but I personally have never had any Interaction with him. So it could all be true, or partly true, or not at all. I guess no smoke without fire… but there is always 2 sides to every story.

  • foremanguy@lemmy.ml
    link
    fedilink
    arrow-up
    13
    ·
    6 months ago

    I think it’s a bit too old, if you want to stay in the pixel ecosystem maybe try to grab a 6, 6a or 6 pro. They are around $250, and they are great!

  • Ilandar@aussie.zone
    link
    fedilink
    arrow-up
    12
    arrow-down
    1
    ·
    edit-2
    6 months ago

    Yes, that is too old for a new phone considering it’s already past its end-of-life for both official support and your OS. I’m not sure why you’d recommend them to buy new either - a phone like that is only going to be good value if you pick up a used one for cheap. A new model will be massively overpriced for what it is (and may not even be new, just refurbished and repackaged).

  • ben_dover@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    6 months ago

    4a is end of life already, so no firmware updates from Google. GrapheneOS has legacy builds available for it but doesn’t recommend using them, and they might go away anytime soon

    get a used device which is still properly supported, don’t buy brand new e-waste

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      You could just jot use Graphene OS. They create ewaste just as much as Android. Lineage OS will run on 8 year old phones.

    • Misk@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      6 months ago

      I have a 4a running graphene and I love it but after 3+ years the battery life is shot. I really didn’t want to buy any of the new pixels because they are all too big and I hate big phones. I was thinking of just buying a new 4a and installing graphene again (because got forbid making a phone where you can just swap out the battery in this day and age) but are you saying this would be a bad idea at this point? Like even if they keep graphene up to date the phone will still be outdated (and therefore vulnerable) at the kernel/hardware level?

      • ben_dover@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        6 months ago

        yes and P4a is already one major GOS/Android version behind, it’s only getting “extended legacy support” releases. i.e. security fixes are merged and backported where possible, but it’s overall not the best setup and they recommend to switch asap.

        I’m pretty sure GOS will drop Android 13 (and therefore P4a) as soon as they release Android 15, since the team won’t be maintaining three major Android versions.

        CalyxOS ported Android 14 to P4a, so you might squeeze an additional year or so out of it if you switch.

        I’d either replace the battery in the old P4a, or get a newer model with 7y software support. But buying a new 4a is probably not your best possible move

    • Grippler@feddit.dk
      link
      fedilink
      arrow-up
      8
      ·
      edit-2
      6 months ago

      To be more helpful than the joke comments you’ve received so far, it’s graphene OS that’s causing a lot of controversy.

            • FutileRecipe@lemmy.world
              link
              fedilink
              arrow-up
              5
              ·
              edit-2
              6 months ago

              Do they all really? I know GrapheneOS does, and I think DivestOS even says “use my OS to stay as up to date as possible, but if you have a current/supported Pixel, use GrapheneOS instead for superior security.” But I don’t recall other OSes really going “we’re more secure than GrapheneOS and here’s why.”

            • lemmyvore@feddit.nl
              link
              fedilink
              English
              arrow-up
              1
              ·
              6 months ago

              Hence the controversy! 🙂

              Also, Graphene tend to act superior about it and it pisses people off.

                • jet@hackertalks.com
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  6 months ago

                  https://www.privacyguides.org/en/android/

                  There is no controversy. There’s a lot of people memeing. I haven’t seen a single security analysis, or survey of options, that didn’t put GOS at the very top. Look at privacy guides, they say graphene is great, but if you can’t use that divest is okay.

                  People may not like the leader, and the developers are very opinionated which turns other people off, but I don’t think there’s any questioning the pedigree and the level of security provided

        • Grippler@feddit.dk
          link
          fedilink
          arrow-up
          1
          ·
          6 months ago

          I’m honestly not quite sure, I just know people are getting riled up when it’s mentioned.

          • fossphi@lemm.ee
            link
            fedilink
            English
            arrow-up
            3
            ·
            6 months ago

            It gets people going, (Daniel) 'Mkay?

            I stole this from another lemmy comment, please don’t come after me

              • fossphi@lemm.ee
                link
                fedilink
                English
                arrow-up
                2
                ·
                6 months ago

                Can’t really remember right now. I think it was a thread on which phone to buy and people were talking about graphene os on pixels.

                Someone commented something along the lines of “m’lady” but with Daniel Micay’s name as a pun

    • GolfNovemberUniform@lemmy.ml
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      6 months ago

      The open-source one that’s so powerful it summons an online fight with at least 50 members if mentioned. It’s kinda anomalous so it is recommended not to mention it online until further research.

  • AnxiousDuck@feddit.it
    link
    fedilink
    arrow-up
    5
    ·
    6 months ago

    Can someone explain to me under what circumstances would using an old phone be risky (under a common reasonable threat model)?

    • tty5@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      6 months ago

      No security fixes once the device reaches end of life. For pixel 4a end of security updates was 10 months ago. That mostly is a problem with malicious apps - there were some privilege escalation bugs in those 10 months - but sometimes you get a banger that can get exploited by simply loading a page or opening an image.

      • AnxiousDuck@feddit.it
        link
        fedilink
        arrow-up
        2
        ·
        6 months ago

        I get it about malicious apps but what about just using mainstream apps and surfing the web with adblockers?

      • ReveredOxygen@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Wouldn’t those be typically handled at an OS level? If you’re using an OS that actually gets updates, you’re only vulnerable to attacks at the kernel or driver level

        • tty5@lemmy.world
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          edit-2
          6 months ago

          If you are on stock software on EOL device you are not getting os updates either.

          Also a bunch of recent vulns were in SoC specific stuff - outside os.

      • mnmalst@lemmy.zip
        link
        fedilink
        arrow-up
        7
        ·
        6 months ago

        FYI: “Extended support” from a custom rom means the OS level software gets updated, not the device firmware. So you still end up with a not fully up to date phone.

        Written from my Pxiel 4a. :)

  • Maxe@feddit.de
    link
    fedilink
    arrow-up
    3
    ·
    6 months ago

    I’m using a 4a right now which I bought last year, refurbished. It’s a great phone and has a headphone jack. If you’re concerend about updates, install an alternative OS. If you want to degoogle that should be the path anyway.

  • Imprint9816@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    6 months ago

    Pixel 5 is end-of-life and shouldn’t be used anymore due to lack of security patches for firmware and drivers.

    I understand if your friend is on a budget and simply can’t afford a non EOL phone but, they should really consider a 6th gen Pixel or better if they care at all about their data security.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      Has there been a successful exploit against a phone with old firmware but modern Android security patches?

      • Imprint9816@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        6 months ago

        I am not sure if there is an example of that specific situation as it would be pretty odd for a phone to be receiving security patches but not firmware updates.

        Anyway its not super relevant as the Pixel 5 does not receive firmware or security patches anymore.

        OP also seems to be inferring he suggested to his friend to use a very specific security / privacy OS that does not recommend using that model phone anymore for the exact reasons I mentioned. Plus the model is only receiving partial support as a stop gap for users to have time to get a newer model and won’t be supported much longer anyway.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          6 months ago

          Custom ROMs will receive upstream Android security patches but not patches from proprietary components (firmware). For instance, my Moto g7 power has Android security patches from May but the latest vendor security patch level is 2021. (I’m running Lineage OS) I’m curious to know if the older firmware is a problem. I don’t think it is easily exploitable outside of government backdoors. Not that it matters much as I plan on keeping my phone until it dies.

          • Imprint9816@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            6 months ago

            Not sure where your getting your information but the Pixel 5 has not gotten Android updates or security updates in over 7 months.

            There are tons of examples of exploits being used to target EOL phones as its common for people to not care about these updates, or be misinformed, so they are easy targets.

            If OP or anyone else wants to use an EOL phone that’s fine but, don’t pretend its a smart security practice. Although even if I were to use an EOL phone, LineageOS doesn’t have the greatest background and isn’t really degoogled

            • Possibly linux@lemmy.zip
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              6 months ago

              You are still missing my point. All phones actively supported by Lineage OS get Android security patches. Those aren’t vendor patches but they do patch the OS and sometimes the kernel.

              For instance, the Pixel 5 was last updated June 28. https://wiki.lineageos.org/devices/panther/

              Not to say that you should still buy it. However, if it cheap it might be worth it.

              Also from the article you linked:

              Although the incident forced LineageOS to take offline all its service, it did not impact the signing keys that authenticate distributions because they are stored on hosts separate from the main infrastructure.

            • jet@hackertalks.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              6 months ago

              I think lineage is a good operating system for a limited exposure use cases. Like a project phone on a safe network, or as a webcam, or is like a embedded hardware controller. But not on the raw internet, not processing raw internet data, not with open Wi-Fi, not with open Bluetooth.

              Even with all of that, it should still be segmented from the rest of the network

  • pH3ra@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    6 months ago

    Writing from a 3 years old 4a running CalyxOs: the phone is a perfect choice if you want a small sized phone with a 3.5mm jack and that gets constant updates. The camera might be a little better but I don’t take many pictures so I don’t mind.

    • ben_dover@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      6 months ago

      the camera is amazing, but you need to use the Google Camera app for it to take advantage of all the Pixel magic. 3rd party camera apps will yield lousy shots comparatively.

  • s38b35M5@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    6 months ago

    I bought a used Pixel 5 in Feb for my daily driver. Replaced my Pixel 3 only because the power button was flaky. They both still run great. By my standards, getting two years out of a phone I paid $150 for is better than getting three years out of a $700 phone.

  • ssm@lemmy.sdf.org
    link
    fedilink
    arrow-up
    4
    arrow-down
    2
    ·
    edit-2
    6 months ago

    Random hardware suggestions, using mobile Linux support as a litmus test

    • Pinephone (Pro): Main downside is that OG Pinephone has extremely anemic hardware, and the charging circuit is not controlled through hardware for some insane reason; hope the kernel devs of whatever OS you put on it knows how to not turn your phone into a bomb. Also Pine64 as a company has gotten flak for their support of Manjaro. Can’t deny how good the price is though.
    • Fairphone 4: Good hardware, but expensive. I don’t own it, but it works good on postmarketOS according to the wiki.
    • Librem 5: Overpriced compared to the earlier members on this list, but you can guarantee the phosh interface will work well considering it was developed by Purism as well.
    • OnePlus 6 and 6T: I don’t know much about these, but they’re very popular with the mobile Linux crowd.

    As for the pixel, there’s work on it but it’s still broken at the moment. As for the hardware being too old, I haven’t used anything Android in a while, so I don’t know how much performance degrades each release, but a mobile Linux distribution should run just as good today as it will 20 years from now, assuming you use the same interface.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 months ago

    Depends on your friends threat model, lineage will work on it.

    No security updates makes the Pixel 4a a bold choice for your main phone. I don’t recommend it

    I would follow the graphene OS recommended phone guide, that gives you maximum flexibility to put any operating system you want on the phone.

    • delirious_owl@discuss.online
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      6 months ago

      Phones are insecure devices, by design. Should be OK.

      Just don’t do anything on a phone that falls under “sensitive” on your threat model. Use a proper computer with a proper password for that.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            You can use two factor, fingerprint plus pin and have the pin layout randomize each time.

                • jet@hackertalks.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  6 months ago

                  I think phones are the MOST secure devices most people have. They are locked down, they run software in very restricted containers, they have more restrictive feature allowance. for 99% of the people the phone is the most secure device, full stop.

                  Can you do better on a computer? Sure, but it takes a bunch of work and isn’t the out of box experience

                • delirious_owl@discuss.online
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  2
                  ·
                  6 months ago

                  So you’re saying that, in order for me to steal everything on your phone, all I have to do is stand behind you in a supermarket and film you unlock your screen once. Then, on the way to your car, I quickly pull a knife on you and force you to tap your finger on your phone, then I hop on a motorbike and ride away.

                  Hope you didn’t have any banking apps or crypto on your phone, because now that’s gone.

                  QubesOS on a laptop is much much safer.

  • haui@lemmy.giftedmc.com
    link
    fedilink
    arrow-up
    1
    ·
    6 months ago

    tangential: I‘m using a oneplus 6 with postmarketOS but depending on your friend‘s it skills, it might not be ready for him yet.

    So far its very usable but I suggest someone must want to swim against the current and do things differently. One could say a „pioneer“ type would be ideal for this.

  • floofloof@lemmy.ca
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    6 months ago

    Used Pixel 6, 6 Pro, 7 and 7 Pro can be found for reasonable prices these days. One of those in good condition would be a better buy because you’ll still get security patches for a while. Last time I looked, the third party OSs for Pixel phones only supported them for as long as Google did.