
> I'm guessing you weren't accessing things like a banking app with highly sensitive financial data

Anyone who has done any serious threat modeling exercise would never ever do that from a 2023 phone (I'm fully aware many people do it regardless).



Yet somehow millions of people do, and I'm not aware of a single banking app breach caused by a zero-day device flaw.

This advice to not use a 2023 phone is just plain silly. I'm not saying it's 100% locked down, but neither is going to a bank branch and talking to someone in person.


So what phone do you recommend for someone who is looking for a new phone?


If security is a concern, getting a newer Pixel and installing GrapheneOS is your best bet. It's still not perfect and nothing beats just not having a cell phone, but that's a choice very few are okay with today.

The trick with GrapheneOS, or any privacy setup, is that it requires attention to stay reasonably secure. The OS won't matter if you enable Google services and install apps that track and sell all your data.


Ah yes, Android is perfectly secure as long as you install an aftermarket OS, and then don't install Google services or any Android application which uses Google services (all of them).

Or you could just use the brand that gives 6-7 years of OS updates and 10+ years of security updates out of the box…


I would 100% use iOS if I preferred to keep a stock OS and needed those apps.

I just don't need that in a phone and am totally fine with the limitations of a degoogled device.

I don't recommend that for most people. I was simply responding to a question of what device to consider with regards to privacy/security. I even tried to include caveats that it isn't right for everyone and had real tradeoffs.


You were specifically asked what you would recommend to someone looking for a new phone, and you said a degoogled phone.

Now you say you don't recommend that for most people?

Which is it?


> If security is a concern, getting a newer Pixel and installing GrapheneOS is your best bet. It's still not perfect and nothing beats just not having a cell phone, but that's a choice very few are okay with today.

> The trick with GrapheneOS, or any privacy setup, is that it requires attention to stay reasonably secure. The OS won't matter if you enable Google services and install apps that track and sell all your data.

Not sure how I could have been clearer here; I literally started by saying "if security is a concern". I stand by that: if security is a concern I would not use an iPhone or stock Android. I also stand by the assumption that for most people security isn't a concern.

So yes, I wouldn't recommend Graphene for most people, but I would recommend it to anyone both concerned about security and willing to sacrifice some functionality and convenience (both caveats in my original post).

You make it sound as though I changed my recommendation or story half way through. If that's your opinion, please do me a favor and point out specifically where I walked it back or contradicted myself.


What about the Exynos RCE bugs? Now that they are patched they are secure again, or how is this supposed to work? What about the intentional backdoor unearthed in the Pixel phone (the SIM swap thingy)? Who was that for?

My problem is, as a user whose expertise is not 100% security, how can a layman decide which device to trust? Trust the neighbor, trust the expert who thinks he is an expert but doesn't see his own limitations, trust the newspapers parroting whatever they find (or their security advisor), trust the marmots or trust the looks, because you don't know what the silicon does. You might know one domain, but not multiple ones: you might know the IT domain but not the underlying physics domain, so you might think the phone is secure in the IT domain, but since you don't know jackshit about the physics, you again have to rely on someone's advice.

The iPhone is locked down tight; even security experts have complained in the past because analysing the core internals is cumbersome. But that's a double-edged sword: you can't even get basic info about the phone's status without resorting to some hacking shenanigans.

Any way to know your firmware has not changed? How come there are zero tools for the layman to verify the status of his device? You don't know whether your USB firmware is intact, whether your motherboard is a-ok, and the list goes on.

According to newspapers, the iPhone is/was the panacea of security, yet security bug after security bug is coming out all the time. You don't even have complete control over the phone, since the software switches (like Wi-Fi) are not actually disabling the Wi-Fi circuitry.

How come banks are sitting on ancient systems and are seemingly fine?

Should you trust Zerodium's bounty prices, should you trust exploit brokers? (They ought to see what's an Emmentaler, right?)

Encrypted secure phones? Look how many criminals got caught by blindly putting their trust into something that someone parroted about how secure it is.

GrapheneOS says they are secure, but where are the tools that show you "yes, we do this and that, and that solves these kinds of attacks; we thwarted these attacks in the past, demonstrated"?

Or should I go with an old blackberry? What about this article? https://www.theverge.com/2016/4/14/11434926/blackberry-encry...

Should you consider Mikko's advice: use a phone that is made by a country whose intelligence agency is not a threat to you? But how do you know that a phone which is made in country X is actually controlled by that country's IA? And how do you know which IA is not a threat to you? :DDDDD Do you even have to fear a nation state's capabilities, or, since they have an unlimited budget, are you fucked when you somehow get in their crosshairs?

It's like flipping a coin, blindly putting your trust into someone's solution.



