Too many perfectly usable phones are put into a questionable security situation
by lack of vendor support for keeping key software up to date. But what’s the
actual risk of using an Android phone on a stock ROM without updates? What’s the
attack surface? It seems like most things that’d contact potentially malicious
software are web and messaging software, but that’s all done by apps which
continue to receive updates (at least until the android version is entirely
unsupported) eg. Webview, Firefox, Signal, etc. So are the main avenues for
attack then sketchy apps and wifi points? If one is careful to use a minimal set
of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices
of questionable provenance is it really taking that much of a risk to continue
using a device past EOL? Or do browsers rely on system libraries that have
plausible attack vectors? Perhaps images, video, font etc. rendering could be
compromised? At this point though, that stack must be quite hardened and mature,
it’d be major news for libjpg/ffmpeg to have a code-execution vulnerability?
Plus it seems unlikely that they wouldn’t just include this in webview/Firefox
as there must surely be millions of devices in this situation so why not take
the easy step of distributing a bit more in the APK? I’m not at all an Android
developer though, perhaps this is very naive and I’m missing something major?
I believe the risk of running outdated software is super inflated and mediatic, 99% of people would be absolutely fine running a version of Android from 3 years ago or Windows 8.
That’s the same thing people running windows XP on internet were thinking in 2017.
Then WannaCry arrived and they got their data encrypted :)
WannaCry targeted hospitals, businesses and similar machines.
WannaCry targeted everything with SMB exposed, blindly.
Also, you should read more about security through obscurity, the fact that “no one will target you because you are a low-value target” is a false sense of security.
That’s the same thing people running windows XP on internet were thinking in 2017.
Then WannaCry arrived and they got their data encrypted :)
WannaCry targeted hospitals, businesses and similar machines.
Your grandma using Android 9 is safe, don’t worry.
WannaCry targeted everything with SMB exposed, blindly.
Also, you should read more about security through obscurity, the fact that “no one will target you because you are a low-value target” is a false sense of security.