Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what’s the actual risk of using an Android phone on a stock ROM without updates? What’s the attack surface?

It seems like most things that’d contact potentially malicious software are web and messaging software, but that’s all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it’d be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn’t just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I’m not at all an Android developer though, perhaps this is very naive and I’m missing something major?

  • @[email protected]
    link
    fedilink
    English
    16
    edit-2
    1 year ago

    They will soon pass a law in France where they can remotely enable GPS, audio, camera. That’s the kind of problem you will encounter if your phone has OS backdoor due to lack of updates and a shitty government.

    • @[email protected]
      link
      fedilink
      English
      251 year ago

      If your phone is old and obselete, then your OS likely lacks the backdoor that will now be required by the government to be installed in order to facilitate the Guantanamo-fication.

        • TWeaK
          link
          fedilink
          English
          81 year ago

          That’s not what you said though. You mentioned the government backdoors, which can only really apply to new phones (or updates to existing phones). Common Vulnerabilities and Exploits is a separate issue, where if you have an older phone there’s a greater chance it will have an unpatched vulnerability.

          • @[email protected]
            link
            fedilink
            English
            5
            edit-2
            1 year ago

            No i said 2 things: OS backdoor, and shitty government that passes laws to snoop on their citizen. But i agree that vulnerabilities makes more sense.