Show HN: DivestOS – Long-term support for end-of-life Android devices (divestos.org)
334 points by SubzeroCarnage on Nov 14, 2022 | 144 comments



The problem with long term support for my Android phones has actually not been the fact that Android devices have incredibly short security update windows. That issue has been somewhat mitigated with the newer Google Pixel phones which have five years of security updates.

The biggest issue for long term cell phone support is, even if we get an OS with a 10-year security update timeline like Rocky Linux, will the phone itself be able to make calls on whatever cellular networks exist 10 years from now? I have a number of 3G phones I bought as recently as 2018 which became paperweights in 2021 when all of the cellular telcos in the United States stopped supporting 3G, forcing me to update to a 5G phone. Is 5G going to still work in 10 years? Or are the telcos going to continue to convert perfectly good phones into landfill?

As someone who has a 15-year-old laptop which is still a perfectly good Linux server (its screen went out two years ago, but it was a perfectly good desktop computer until then), it’s annoying seeing phones I bought less than six years ago be useless on today’s cellular networks.


I’m really confused by this - my iPhone 6 from 2014 has 4G LTE (and still gets security updates). What were you buying in 2018 that was 3G!?


There were a number of cheap Android devices that had LTE, but never had VoLTE enabled. Instead of allowing them to work as data only devices, most carriers just blacklisted them from their networks.


Yup, got burned by this. I had a POCO X3 (4G LTE but no VoLTE) which I'd still be using today had AT&T not labeled it as a 3G phone. Even just attempting to use it with my SIM card now automatically deactivates my plan.

Now they have a phone whitelist restricted to (mostly) mainstream brands...


The US telcos went back to whitelisting phone models for VoLTE, so unless you bought phones that were sold by them they'll prevent you from making calls (and accessing the 5G network too).


Is the VoLTE implementation actually substantially different from device to device?

What's the reasoning behind doing this?


They do it because they can.


There were some burner flip phones that didn't have 4G up until around 2015, LG making a few of them. This guy was buying used pieces of crap and complaining how they weren't going to support a waste of spectrum.


Incorrect. It was a brand new Samsung Galaxy A5 Duos which I bought in early 2018 for well over $300. Yes, it was 4G, but not voice over 4G. It stopped being able to make voice calls on AT&T’s network only four years later. I think T-Mobile still supports 2G, so it would work there, but I’m not sure.

Anyway I got a Pixel 5 and now use T-Mobile’s instead of AT&T’s network (via Ting, since I use little mobile data and that gives me a phone with a low-bandwidth data plan for $15 a month + tax), since T-Mobile is better about supporting legacy phones and protocols.

In terms of the “waste of spectrum” argument, I think it’s better for the earth to “waste” some spectrum than waste millions of perfectly good phones. One takes up landfill, the other doesn’t. But, to each their own.


I got a Samsung M51 blacklisted by AT&T earlier this year (with perfectly functional 4G support that still works fine on T-Mobile).


> The problem with long term support for my Android phones has actually not been the fact that Android devices have incredibly short security update windows. That issue has been somewhat mitigated with the newer Google Pixel phones which have five years of security updates.

The problem with long term support for Android devices is absolutely short security update windows, i.e. short term support for Android devices. Pixel comprises a tiny fraction of Android devices sold in the US, and a minuscule fraction worldwide.


Must be a US problem. Where I'm from we still have 2G and no plans to turn it off, but we also don't have any plans to introduce 5G it seems (though tbh 5G isn't much of an improvement over 4G for most people's use cases).


At least the Netherlands is phasing out 2G and 3G, although you can still use them until 2025 depending on your provider. I suppose this is the same in at least several other European countries.


This, exactly. I have two ancient Nokia N900s that came out in 2009, which run a Debian variant natively, and there's the Maemo Leste project that brings mainline Linux to the device (amazing!). However, it is already useless as a phone in the USA. I also hear rumors European carriers will shutter their 3G networks soon, which is a shame. The hardware, while old and slow due to memory constraints, still works. I guess I should relegate it to being a small multimedia server in my apartment.

The planned obsolescence of today's mobile phones makes me sad.


Not only mobiles, but also desktops and laptops. For example, there are lots of unibody MacBooks which are perfectly functional but no longer get updates from Apple.

However, in the case of mobiles, things are particularly awful because it is often not trivial to install and maintain an OS other than the one supplied by the manufacturer.

It's incredible how much electronic waste and security issues are generated by lazy manufacturers who do not mainline drivers into the Linux kernel.


These days you can make a huge damning report of how eco-unfriendly they are for doing this. However we have been sucked into


Don’t worry, not including a charger in the box will make up for it /s


The ability to place calls is the absolute last feature I want from my phone. I'll even call it a misfeature.

An os that will let an old device live on as a wifi only device is sorely needed.


Lineage OS can often do WiFi only on old Androids.

But unless I'm mistaken, if a device only has 3G, and you want to travel with it away from WiFi, you can't even get 3G data on the device, as they shut off the 3G networks in the USA. Best you're gonna find in some rural areas may be 2G or 2.5G.


That's fine. I still have my main modern device with my sim card and 5g and I can tether the old device to it for the kids to use in the back seat.


I'm not sure. In some rural areas in Oregon I seem to still get 3G (on Verizon). Unless my Android device is mislabeling 2.5G.


December 31st, 2022 is the last day for the Verizon 3G network.


> The problem with long term support for my Android phones has actually not been the fact that Android devices have incredibly short security update windows. That issue has been somewhat mitigated with the newer Google Pixel phones which have five years of security updates

5 years of updates is still a short time. We only have one planet...

> The biggest issue for long term cell phone support is, even if we get an OS with a 10-year security update timeline like Rocky Linux, will the phone itself be able to make calls on whatever cellular networks exist 10 years from now?

I don't think this is the biggest issue: operators usually maintain a certain type of carrier for at least 20-30 years (in France, we are only talking about shutting down 2G - which still raises a lot of issues because of the many IoT devices using GSM...)

The biggest issues are IMO

  - lack of parts to repair old phones
  - no possibility to manage bootloader keys / relock the bootloader (not even mentioning devices with locked bootloaders)
  - "stable-api-nonsense" ideology and no BIOS/UEFI/ACPI for smartphone => no way to have "one firmware to rule them all"


Qualcomm Android phones use UEFI since the Snapdragon 835.

With an Android bootloader UEFI app on top to mimic what Android wants on top...


I doubt my Oneplus 5T has UEFI (and I can see for sure that LineageOS still releases device-specific firmwares rather than generic ones...)


Oh it does. (running the ABL application)

UEFI alone isn’t exactly useful when you need per device kernels (and associated modules). It’s just one slice of the problem.


Wow, I didn't know that, that's actually really good!


Not sure if smartphones will last 10 years. I have had 2 early Google phones die on me with strange boot loops (different series), my trusted hardware guy says the flash died. They are just not made for 10 years usage.

Your laptop may be good, but it will probably only support some ancient insecure slow WiFi profiles.

Distributions start to drop old hardware. And there are always new CPU and other chip security bugs discovered, how do you get fixes for that into your system?


802.11g will be 20 years old in a few months - that's up to 54 Mbps, which is plenty for most things short of streaming video. Similarly, 802.11n (up to 600 Mbps) is almost 15 years old.


> Not sure if smartphones will last 10 years. ... They are just not made for 10 years usage.

I'm fairly certain that some phone models out there are probably better in this regard, especially if you can swap out the battery, the components are of decent quality and they're built in a rugged way. Also, somehow the idea of repairing your phone has gone out of the window, since you can just buy a new one.

> Your laptop may be good, but it will probably only support some ancient insecure slow WiFi profiles.

For many, slow Wi-Fi is acceptable. Same with a dated and slow CPU/RAM, which many will still consider better than their devices becoming e-waste. If the OS wasn't so locked down, many would enjoy having a stand-in for a Raspberry Pi for all I care, since the small form factor of a phone would lend itself nicely to DIY hacking, especially because of included camera and networking. Even if the hardware is lacking, that doesn't mean that we shouldn't or couldn't support the software for longer amounts of time.

Your point about the hardware itself and what it supports becoming insecure is a good one, but there's no guarantee that the amount of time for something like that to happen would be much shorter than any improved OS EOL period. Of course, if it's some non-critical functionality that's insecure, it might as well be turned off in software, like older versions of TLS in web servers.

> Distributions start to drop old hardware. And there are always new CPU and other chip security bugs discovered, how do you get fixes for that into your system?

We could cross that bridge when we actually get to it, and try to figure out the things that are easier to do first and foremost: notably software support. If something like Ubuntu LTS has an EOL of 5 years and AlmaLinux has security updates for 10, I don't see why Android versions should be any different, unless governed by a profit oriented corporation.

Aside from that, it's surprising that 3G can just be tossed away like that on a national level, since the amounts of e-waste this would generate is kind of staggering, even more odd is the fact that in many places 2G is still in operation. I guess at least that is a bit of a silver lining, if the claims were to be true (citation is needed, but it sounds like a sane argument): https://en.wikipedia.org/wiki/3G#Decline_and_decommissions

> Technology that depends on 3G for usage will soon become inoperable in many places. For example, the European Union plans to ensure that member countries maintain 2G networks as a fallback[citation needed], so 3G devices that are backwards compatible with 2G frequencies can continue to be used.


The tool https://gitlab.com/divested-mobile/cve_checker is fascinating; I've usually seen people attempting to bring needed drivers to a mainline kernel, but backporting security fixes to a vendor kernel does seem like a plausible way to get a lot of the benefit with less work.


It isn't perfect, but I am quite happy with how effective it has been considering how simple it really is.


Indeed. The data they maintain used by that is fascinating as well: https://raw.githubusercontent.com/Divested-Mobile/Kernel_Pat...


DivestOS also develops a collection of useful FOSS apps that can be installed on any Android device. These apps are available on F-Droid.

Highlights include:

- Mull (https://gitlab.com/divested-mobile/mull-fenix), a privacy-focused fork of Firefox similar to LibreWolf

- Hypatia (https://gitlab.com/divested-mobile/hypatia), a malware scanner that uses ClamAV signatures

- MotionLock (https://gitlab.com/divested-mobile/motionlock), automatically locks device when it is face down or has not been moved


I went to the site and failed to understand what’s different from other Android distros to make the general claim of “support for EOL Android devices”. Isn’t it the same as LineageOS or whatever other distros you can find for each device at XDA?

I thought I was going to find a site that found a way of running newer Android over the old one to not have to worry about drivers and such, but I found yet another distro with support for SOME devices. I also thought I’d find support for an oldish Kindle HD8 I’ve been wanting to repurpose.

This is not to say that it might be great and all, I just felt a bit misled by the title and I would like to find out if I’m just not seeing something.


This is a massive difference from any other project like this with wide device support, assuming it works correctly:

> Bootloader relocking is restored and has been tested working on 23 devices and is available for 26 more. Verified boot is also restored on 36 of those devices and is enforcing once locked.

Edit: looks like almost all the devices with relocking support are Google / OnePlus / Fairphone, so it might not add anything in this regard to GrapheneOS. No workaround for the signing key issue, I guess.

They also seem to be doing some security hardening and blob removal, although I'm not sure how that would affect driver / device support.


Yeah I was checking what support they advertised for my old nexus 5 and the recently retired oneplus X of my girlfriend. The nexus 5 is on 9.0, mostly working, the oneplus X isn't supported at all. That's not long-term support.


hammerhead died on 15.1 because no one could get Bluetooth to reliably work on later versions.

The support is in the form of all the added security features, the (system) updates, and kernel patches like this: https://gitlab.com/divested-mobile/divestos-build/-/blob/mas...


>The nexus 5 is on 9.0

Here it works ~perfectly...with one problem, I could not connect to a hidden WLAN, but absolutely great job from DivestOS, thanks!!


Any chances to see something similar to install Linux images (native, no chroots) to old Android tablets over the original OS? Some hardware wouldn't be supported, but I wouldn't mind not having for example video acceleration, audio and/or modem, if I could use an old tablet as an IoT screen or to show graphs from sensor data, etc. Having a full OS, hence the ability to use multiple programming languages, libraries, etc would change everything.



I'm aware of PostmarketOS, but unfortunately not many tablets are supported; I'm not interested in phones also due to their too small screen.


They have a nice community, you could try to add support for your tablet!


Check out the postmarketOS project, they do exactly that!


Some articles about that are on the Debian mobile wiki page:

https://wiki.debian.org/Mobile

Using a chroot will always be the easiest way to do this though.

https://wiki.debian.org/ChrootOnAndroid


https://postmarketos.org/ might be of interest to you.


Unless these devices have the ability to update their binary OEM blobs then these cannot be considered secure. This is why alternative OSs like GrapheneOS end their support when the Google Pixel is EOL. If you want long term support buy an iPhone or an Android phone that guarantees at least 5 years of security updates.


Security isn't everything. Sometimes just having a working device you can use to access information takes priority.

Not everyone can buy a device.


Exactly! If security is your highest priority, buy a new Pixel and put GrapheneOS on it.

But if you have an EOL device, DivestOS seems to be an amazing alternative to just staying on the stock firmware that is not going to get any updates at all.


This is clearly documented, see (and also the section above it): https://divestos.org/index.php?page=patch_levels#secure


The title states "Long-term support for end-of-life Android devices". This "long term support" does not extend beyond cherry picked AOSP security patches and does not address the security issues in the drivers of these devices.


But it does what it can. It patches the system, the kernels, adds many hardening features, provides updated browser engines, and removes the proprietary unpatchable components that it can.

This is all well documented on the website, please read through it.


What would you suggest for using MicroG on a DOS-supported device? I see built-in support was removed in 18.1. Could just the DOS kernel be used with the official microg-lineageos on top?


microG was never supported in DivestOS.

You can get a fair bit of benefit from using the boot.img like you say, but it will only go so far.

While I wouldn't recommend it, there are flashable ZIP images of microG, but it'd be at the downsides noted here: https://divestos.org/index.php?page=faq#rootSupport


That makes it even worse. They apparently do not even try to make it secure and willingly exclude some patches. Reminds me of "security by management risk acceptance"


They? This is my project, it is just me. There is not a single other project that achieves the scope of what DivestOS does for old devices.


Don't bother with the naysayers and dickheads. I appreciate you trying to do something here for old devices, and 80% solutions are ok for most of us.

(I suppose postmarketOS is similar in spirit)

Does building a GSI make sense to cover more devices? Or would that not make sense in this context?


Two of the benefits of DivestOS, the kernel patching/hardening and the vendor blob removal, are not compatible with GSIs as a GSI includes neither the boot or vendor partition.


Hey, just thank you very much for revitalizing my Nexus 5, it's a usable device again ;)

Great Job and project, thanks again!


So now the answer to security is to trust one lone developer?

This is more of a statement to the shit show of modern Android. A company worth $1T+ can’t be bothered to figure out how to support devices more than a couple of years and it’s left up to a random developer.


> They? This is my project, it is just me.

"They" has been an acceptable default third-person singular pronoun since at least the 1400s. If there's something you'd prefer, it might be wise to list it on one of your user profile pages.


I don't think the maintainer has a problem with pronoun choice in the sense you're implying - rather it seems that they are trying to emphasize that they are just one person and have limited time/resources


Yeah, that's clear given the context of who replied to whom. I somehow missed that summm was replying to SubzeroCarnage; in light of the context, what was meant to be me being lightheartedly pedantic comes across as a weird and preachy derail. (Shame Hacker News doesn't let one delete things.)


The comment was in direct response to me, but not addressed to me, so it was they as in "project members" (which there are none).


Right but you didn't say you were the project author anywhere so how would they have known that?


Isn't that implied? This is a "Show HN" post.


There are dozens of people commenting here and HN doesn't highlight the author of the post like Reddit does (it would be nice if it did).


Since the 1400s my arse. It's just an annoying trend among woke evangelists, and makes the English language uglier while conveying less information about the subject in question.


No, this is a matter of historical fact. If you disagree, bring it up with the editors of the Oxford English Dictionary.[0] Or, if you prefer, the editors of the First Folio, a 1623 compilation of Shakespeare's works;[1] not quite as early, but easier for us mere mortals to verify.

> For your sake (Iewell) // I am glad at soule, I haue no other Child; // For thy escape would teach me Tirranie // To hang clogges on them.

[0]: https://www.oed.com/view/Entry/200700#eid1288185420

[1]: https://en.wikisource.org/wiki/Shakespeare_-_First_Folio_fac...


There is quite literally nothing "woke" about using "they" to refer to someone in a gender neutral way. That term is really overused nowadays.

Either way, I suppose "he/she" could be used instead if that really is an issue?


It would at least specify that you are talking about one single person, and not more than one, so it is ALWAYS better to use he/she.


Not if you're talking about a nonbinary person :(

They is more inclusive! ^^


Don't forget that even supported phones can have unpatchable hardware bugs.

For example checkm8 back in 2019.


At least that required hardware access. If you had an exploitable bug in say some GPU firmware, then you'd realistically need to disable accelerated graphics everywhere no?


GPU firmware is not a security boundary on the vast majority of hardware.

With app to GPU communication being mediated by the kernel.


Could there be a chance for splitting Android into two halves? One for per device low level initialization and one for a shared image for all Android devices?

So the idea is you'd be able to easily upgrade or even multiboot different Android or Linux images if you wish, without having to recompile for every device.


Sounds like project treble.

I don't know how much of a success it has been, and I don't think it has been used to multiboot a phone or to boot a more standard Linux.

https://android-developers.googleblog.com/2017/05/here-comes...


Yeah, this is exactly what GSIs are meant to do - see https://github.com/phhusson/treble_experimentations/wiki/ for a nice wiki talking about taking advantage of that.

I thought mobian was distributing a GSI to do non-Android on the Android base, but I can't seem to find it if they do that.

Also, bear in mind that this almost intentionally doesn't solve some support problems - any bugs/vulnerabilities in the base layer won't get fixed by GSIs (which is why DivestOS says it explicitly doesn't ship a GSI).


Droidian is the GSI-based project from the Mobian folks. Note that GSIs are not totally unified; they'll still vary by CPU architecture, starting Android version shipped with the device, weird features like "A" or "A+B" boot, etc.


I have an old OnePlus and it's managed to last like 7 years. Sadly every other developer has abandoned it. Hope this project can bring it back from the dead!


My 2013 OnePlus One still works perfectly fine (with an out-of-date LineageOS). Battery still lasts 2 full days easily.


There's this years long quest to keep old phones alive, which is amazing (I'm myself using LineageOS). But what are the odds of doing the crazy stuff people at Asahi are doing with mX Macs? There are absolutely no drivers for that hardware, and they are building everything from the ground up. Of course it's a huge amount of work given the considerable amount of different chipsets, cameras... but am I dumb to believe there would be a lot less work to upgrade to new generations of the same chipset? Aaand would it be less secure?


There are some people doing that, it takes a ton of work and the device will probably be dead by the time you are finished. Some links in the articles section here:

https://wiki.debian.org/Mobile


So for phone stuff there's a lot of things going on, but for repurposing CPUs for other stuff... my understanding is that none of these phones are actually really capable of running consistently and basically just burn up and break if you try to put serious consistent load on them.

I mean it makes sense in a way, but all of this stuff seems to be built for very bursty behavior


mX macs are the future - you are guaranteed that there will be future generations of laptops sold in the millions(?) using at least some of this hardware. So the huge amount of work is probably going to be worth it.

Legacy phone hardware... harder to justify.


I understand that, however I'm still not very convinced (obviously not saying it's not a huge amount of work) for the reasons in my other reply in this thread. Thanks for your answer and sorry for my ignorance!


No chances, because there's just too much hardware to support.

The only real chance is to get behind brands like Fairphone.


Fairphone 3 and 4 have broken bootloaders that trust test-keys for Android Verified Boot: https://forum.fairphone.com/t/bootloader-avb-keys-used-in-ro...

And they have similar limitations to what I do here with regards to firmware support, as they offer longer support than Qualcomm actually does for these chips used.

The only devices with proper aftermarket OS support and five years of updates are the Google Pixel 6 and 7 series.


Sorry for my ignorance, but take, for example, Qualcomm chipsets, which are used in millions and millions of devices. There are 5 main series (2,4,6,7,8), a maximum of 9 generations for a total of 33 variations. I understand that 33 variations are a lot, but don't they share a lot of code? Apple Silicon has, at the moment, 5 variations in 2 generations (M1, M1Pro, M1Max, M1 Ultra and M2), and this number is going to grow quickly. Then we also have MESA drivers, which support, for example on NVIDIA, dozens of GPUs on a variety of architectures. Am I getting this totally wrong? Is the effort that much greater than, for example, those projects? Is a Snapdragon 429 that much different from a 630, 665, a 750g or a 845? Apologies for so much text and thanks a lot for your answers!


I am frustratingly blind to today's alternate OSes.

Where does a lay consumer even start? Do I buy a used, but well supported (by alt OSes) phone? Which one would that be? Do I attempt to use my existing phone?


For a while, I was trying on old phones. I had LineageOS on my Samsung Galaxy S2, and it had a lot of problems (camera did not work, it would sometimes get hot and reboot, etc). Not the best experience but it was fun to try when my S2 got old.

Recently I feel like alt OSes have become really mature. I have been using a de-Googled /e/OS on a Fairphone 3+ for 1.5 years and I don't have anything to complain about the system. Even the store now works very well.

So I'd say, for your next phone, choose something that is well supported by those alternative OSes (typically Fairphone is), so that you can try, and fallback to stock Android if that's not working for you.


Fairphone only sells phones, and replacement parts, to European customers, right? or is it closer to everyone but US?


It's based in the Netherlands. Not sure how difficult it is for Fairphone to work in the US, my understanding is that the US carriers are trickier than others.


This writeup has a lot of good starting points: https://privsec.dev/posts/android/android-tips/


What are the alternatives / competitors to this ?


For new/supported devices I strongly recommend GrapheneOS.

The other projects who support some of these older devices have numerous issues as noted here: https://divestos.org/index.php?page=patch_levels#osSecurity

Edit: also of note: DivestOS currently provides monthly updates spanning seven versions of Android, I don't know of any other project doing that specifically.


To note, the monthly security updates DivestOS provides don't (can't?) include baseband and such "firmware" updates for legacy OEM-unsupported versions of Android.

Don't get me wrong, it's terrific that security patches are backported to such ancient versions of Android by those working on DivestOS and it's a great option for devices that aren't supported by GrapheneOS, LineageOS, et al.


Firmware is included for 45 devices, but no one but the vendor/manufacturer can actually provide security updates for them, so they are largely just the last release.

https://gitlab.com/divested-mobile/firmware-empty/-/blob/mas...

This is indeed an issue and is documented in multiple places on the website.

Patching everything else is the best harm-reduction for this.


A significant difficulty for GrapheneOS is that it has fairly limited device support: https://grapheneos.org/faq#supported-devices

Now if you're buying a device planning to run it, that's fine, but it really does limit its usefulness.


GrapheneOS looks interesting but DivestOS's focus seems to be aftermarket devices that Graphene is not targeting.

I recently got an unofficial build of LineageOS running on a Nexus 4 (mako) device and I was positively surprised with the speed it can run modern software. But this is an unofficial build that is also broken on some essential points, such as WiFi.

For these old devices, Graphene is not an option and if there are others targeting the same devices as DivestOS (which I will surely be checking out soon) I have yet to see them.


fwiw voron00's mako builds and my builds are fully functional. I daily drove one a while back for fun.


There is also CalyxOS


I own a Fairphone 4 and recently had to decide between DivestOS and CalyxOS, and decided to install Calyx. GrapheneOS is better than CalyxOS if you own a Pixel, but CalyxOS has a few supported devices more. I decided against DivestOS even though it had technically better security and privacy due to the lack of microG. There's also /e/OS which works on many devices and uses microG, but they're kinda building their own ecosystem and I didn't want to deal with that.


Have been using /e/OS for 1.5 years on my Fairphone 3+, I love it!

Not sure what you mean about their ecosystem, I personally don't have an eCloud account. They have a NextCloud integration that I don't use but could work with your self-hosted instance.

So yeah, no lock-in as far as I can tell.


Also it appears to me that there is quite some drama between GrapheneOS and CalyxOS, and apparently the author of GrapheneOS already had some drama with their previous employer. So overall it did not help me trusting both of those projects.

With /e/OS I haven't seen such a thing, it just feels like a nice community.


There is no drama, only misinformation.


Well, that is not enough to convince me. Regarding GrapheneOS, I have read extremely aggressive posts from the author against their previous company. I thought that maybe it was a toxic company, and the GrapheneOS was right (why not?).

Then I've seen exchanges between the GrapheneOS author and some Calyx people on some GitHub issue, and they were borderline insulting each other. At this point it is difficult for me to believe that somehow the GrapheneOS author is always the victim. And if that's the case, then that's bad for the CalyxOS community anyway.

Maybe that's misinformation, and they all love each other. Maybe not. How could I tell? What I see is that I would not want to be part of such discussions.


Please see my list of issues with /e/OS: https://divestos.org/misc/e.txt


Nice to have a list, though many points there are debatable.

It's always a question of threat model. The /e/OS experience is perfect for me, and I am convinced it is much more likely to reach my friends than e.g. GrapheneOS, which is much more into security (at the cost of UX).

In the end it's good to have the alternative, and to realise that they target different profiles.


I cannot fathom how a browser/WebView from 7 months ago with 244 known security issues including multiple zero-days and a PDF reader from 6 years ago with 55 known security issues is in anyone's threat model.

Do realize that combined with their Advanced Privacy app which routes users over Tor, it can very well result in HTTP only connections being MiTM'ed.

I've seen it with some of my own users recently and their RSS feeds being hijacked.

I ask the /e/ team every month to do something about it and they don't, yet users keep trumpeting them and buying devices from them. It is downright negligent of them.


> I cannot fathom how a browser/WebView from 7 months ago with 244 known security issues including multiple zero-days and a PDF reader from 6 years ago with 55 known security issues is in anyone's threat model.

I use Firefox, not their chromium-based browser. I can't mention an app that I use that is using a WebView though... I remember there was one, but I could set it up to use my browser. I use their PDF reader, I'll have to check that.

> Do realize that combined with their Advanced Privacy app which routes users over Tor, it can very well result in HTTP only connections being MiTM'ed.

I don't route over Tor.


I want to try this on a very old device BUT is there a way to flash the current image to restore it later if DivestOS installation did not succeed?

Or is there a list of supported devices for DivestOS already? The 2 devices are an old Alcatel and some random OEM Android (LOGICOM).


The downloads page has the list of supported devices, but neither of those two you mention are supported.

For a copy of the stock OS you can usually find it on the vendor's website.


Looks like it only supports a few devices (Google Pixel, some OnePlus and Samsung). As long as these OSs don't support a majority of the devices out there, they will not really be an "alternative" to Android.


Is there any similar project for the Galaxy S9/S10 North American versions with locked bootloaders? It's infuriating Samsung gets away with this.


Wish there was a ROM for HID webcam behaviour or as RTSP camera with reliable battery charge cycle management due to being plugged in.


Does this support GrapheneOS's Google Services Framework compatibility layer? And why not fork GrapheneOS instead of Lineage?


The main dev has expressed that they don't intend to add any Google Play Services compatibility, and probably forking Lineage because GrapheneOS is already pretty good but works just on Pixels, as opposed to Lineage which works on many, many phone models.


DivestOS has been a fork of LineageOS since before it was LineageOS: https://divestos.org/index.php?page=history

The precursor to GrapheneOS also used to have a non-foss license for a period of time.


Are there any other projects that are using Graphene's Play Services? My ideal OS is basically Lineage with those patches applied.


Yes, ProtonAOSP: https://protonaosp.org/


Was sadly discontinued it seems: https://github.com/ProtonAOSP


Unfortunately they don't support near the number of devices that GrapheneOS supports. I'm using a Pixel 3a.


Is GrapheneOS' PlayServices sandbox open source?


All of their work is open source, usually Apache-2.0 or MIT but some GPL-2.0 too.

There is an older condensed list of changes here: https://gist.github.com/thestinger/ee536cbd1ca674b94dde05831...

Newer changes are in the updated repos.


Oh yes my lovely Nexus 5 is supported THANK you very much!!!! Already updated...thanks again.


I wish there would be support for Samsung devices (S10 and newer).


"the best os" / divestOS.

The name sure is pretentious.


DivestOS is not the best OS, for modern devices I recommend GrapheneOS.


Only if you have a Google Pixel for GrapheneOS. That's a really small subset of "modern devices".


And only if you don't care about SafetyNet.

The situation has got so bad that regulators should probably get involved.

Important software people depend on such as banking or electronic payment apps can't be used with relatively safe and maintained operating systems, forcing the use of an unmaintained, insecure stock system just to get the SafetyNet these apps wrongly require.


Still running the latest iOS on my 6-year-old first-gen SE.

Why can't Android do the same?


Actually, support for the 1st gen iPhone SE ended on 12 Sept, along with iPhone 7, which they only discontinued 3 years ago.

They only supported the 5C for two years after they sold the last device.

https://endoflife.date/iphone


It's easier for Apple to do because they make both the hardware and the OS. Say you are Sony and make an Android phone. You take some version of Android and port it to your hardware (with patches for your hardware e.g. in Linux, etc). Your Android system is now effectively a fork.

Now say you want to get updates from upstream regularly. Every time, you may have conflicts with your patches, and you have to fix them. That's costly, so why would you do that for old phones people already paid years ago?

Long story short, I believe it's easier for Apple to not break compatibility with old iPhones than for an Android OEM to stay up-to-date with upstream.


I’m not sure this holds up, though. I could install Ubuntu latest on any random laptop from 2005 right now with zero issues.

What exactly makes mobile special?


PCs nearly-universally use standardized interfaces, phones go hard on cost cutting and everyone ships their own badly-done drivers that are never upstreamed running on custom hardware that wouldn't run a "standard" image if you had one.

Or more succinctly, because phones won the race to the bottom.


My guess would be that the OEMs don't mainline their patches. At least from what I understood looking at PostmarketOS, they spend a lot of energy mainlining those devices they support.

I guess it's different for laptops, somehow.


The drivers generally do not get upstreamed by the vendors.


I run the latest Android version on my 6-year-old Pixel 1. The only reason it isn't provided by Google is that Google doesn't want to.


More like Qualcomm doesn't want to spend the money to do it. Google can't update the binary drivers and firmware that Qualcomm gives them. And Google only has so much leverage in order to get Qualcomm to provide updates to older hardware.

Sure, Google could release newer Android versions (assuming they'll run under whatever last kernel version Qualcomm provided support for, which isn't always the case), or at least release patches for flaws in Android itself, as long as they'd want to, but after the chipset support runs out, they can't update some drivers and firmware. I think it's not unreasonable to just declare those devices as insecure and move on.

Google has managed to get support up to five years, but only on newer Pixel devices. I'm sure that wasn't an easy negotiation.

Apple, in contrast, builds all the hardware and software in iPhones and iPads, so they can decide to support devices for as long as they wish.


Actually, it is Google’s fault. Had it insisted that all OEM vendors upstream the drivers it’d have happened long ago. Especially because of Google’s monopoly on Android. The thing is - it’s in Google’s interest to obsolete these devices so that people buy newer devices with more Google “features” (which in turn are designed to collect more and more data about the user, the whole Google Android being the 2nd largest advertising platform for Google, after the “search” engine).


> I think it's not unreasonable to just declare those devices as insecure and move on.

1. The lockscreen bypass security flaw of last week is major compared to any flaw Qualcomm currently have.

2. Apple still updates devices hit with checkm8, so maybe security doesn't dictate everything for them. Not sure why it needs to for Google.

3. What does security have to do with getting Material You to my device? (to give just one example). Maybe the idea is that if a device is insecure, then it must get to the trash bin...? I hope not.


Android 12 requires Linux 4.4 for proper networking and cgroup handling, which the Pixel 1 doesn't support. Skipping those requirements isn't a good idea.

p.s. status on this? thanks https://github.com/phhusson/treble_experimentations/issues/1...


> The only reason it isn't provided by Google is that Google doesn't want to.

This is basically what I was getting at.



