Hi, I have a Pixel 4a that I love and that works great (with CalyxOS). I bought it when it came out and I really don’t want a new phone, but…
Security updates from Google stopped for the 4a about a year and a bit ago, and for the last year I have been slowly getting more and more anxious while trying to ignore it. I’m still getting the Android security updates (software) for another year or so (thanks Calyx!), but I’m not getting the firmware security updates anymore.
I’m experienced in the field of cyber security and I feel like I’m in denial because I really really don’t want to buy a new phone.
Please tell me if I really should get a new phone or not…
My threat model would be just an average person but with the added paranoia of knowing too much about privacy and security, and my avoidance of getting a new phone is mostly rooted in zero-waste ideology and pure hatred towards Google for forcing me to stop using a great phone that would otherwise probably be usable for another few years.
I think you’ll be fine as long as CalyxOS is supplying your device with Android security updates. As an average user, with no reason to be the subject of targeted attacks, firmware vulnerabilities are not a huge concern (assuming your OS and other software are up to date with security patches).
Of course, if someone hostile gets physical access to your device, firmware becomes more important. Remote exploitation of a firmware vulnerability typically requires first exploiting a software vulnerability (and CalyxOS is updating your OS software). With physical access, one might skip that step by connecting a cable to your phone and interacting with it directly.
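A concrete way to see the situation this thread describes on your own device, as an added example rather than anything posted by either participant: parse `adb shell getprop` output and compare the OS security patch level with the vendor (firmware) patch level, which shows how far the two have drifted apart. The property names are standard Android build properties; the sample output, the dates in it and the reference date are constructed.

```python
"""Measure the drift between OS and vendor/firmware security patch levels
from `adb shell getprop` output (pipe it in, or run with the sample)."""
import re
import sys
from datetime import date

# Constructed sample of `adb shell getprop` output: the OS side keeps
# receiving patches while the vendor/firmware side stopped a year earlier.
SAMPLE_GETPROP = """\
[ro.product.model]: [Pixel 4a]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-09-05]
[ro.vendor.build.security_patch]: [2023-08-05]
"""

# getprop prints one "[name]: [value]" pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)


def parse_getprop(text):
    """Return the properties as a dict of name -> value."""
    return dict(PROP_RE.findall(text))


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def patch_gap(props, today):
    """Summarise how stale each patch level is and how far they have drifted.
    vendor_* fields are None when the device exposes no vendor patch level."""
    os_level = date.fromisoformat(props["ro.build.version.security_patch"])
    vendor_raw = props.get("ro.vendor.build.security_patch")
    vendor_level = date.fromisoformat(vendor_raw) if vendor_raw else None
    return {
        "model": props.get("ro.product.model", "unknown"),
        "os_patch_age_months": months_between(os_level, today),
        "vendor_patch_age_months": (
            months_between(vendor_level, today) if vendor_level else None),
        "os_vendor_gap_months": (
            months_between(vendor_level, os_level) if vendor_level else None),
    }


if __name__ == "__main__":
    # Use piped getprop output when present, otherwise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETPROP
    for key, value in patch_gap(parse_getprop(text), date.today()).items():
        print(f"{key}: {value}")
```

Run it as `adb shell getprop | python3 patch_gap.py` on a connected device; a growing `os_vendor_gap_months` is exactly the firmware-only staleness the answer above discusses.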