Is pixel 4a too old for a new phone?
from Dop@lemmy.world to privacy@lemmy.ml on 28 Jun 2024 11:46
https://lemmy.world/post/17009673

Hi,

A friend wants to degoogle his phone, so I suggested the OS I’m currently using. The one we can’t talk about… He wants a small/compact phone, so I suggested pixel 4a (not buying second hand though), but I’m afraid that planned obsolescence may kill the phone rather soon. What’s your opinion?

Cheers and thank you for your help,

#privacy


Certainly_No_Brit@discuss.tchncs.de on 28 Jun 2024 12:22 next collapse

The Google Pixel 4a is officially end-of-life and doesn’t get any software and security updates anymore (https://endoflife.date/pixel).

scrooge101@lemmy.ml on 29 Jun 2024 08:31 collapse

CalyxOS still provides extended support for Pixel 4a until August 2024.

mnmalst@lemmy.zip on 29 Jun 2024 09:07 collapse

FYI: “Extended support” from a custom rom means the OS level software gets updated, not the device firmware. So you still end up with a not fully up to date phone.

Written from my Pixel 4a. :)

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 12:35 next collapse

It goes for like $80-120 in my country. For the price it’s an interesting deal but it’s extremely old so GrapheneOS won’t support it. I think you can still find something like LineageOS or crDroid but tbh it’s too old for a new daily driver. Lack of firmware updates will kill custom ROMs due to incompatibility with new Android versions eventually (and most likely very soon).

Compact phones are dead now and the last ones don’t even seem to support degoogled custom ROMs. You’re out of luck with that.

Ilandar@aussie.zone on 28 Jun 2024 13:13 next collapse

Compact phones are dead now and the last ones don’t even seem to support degoogled custom ROMs.

The XZ2 Compact still has LineageOS and DivestOS support and there are ongoing unofficial iodéOS builds for the XZ1 Compact (which I am using). The S10e has decent support too, although it’s a bit larger. But yes, modern compacts are dead in the traditional form factor - it’s now flips or a niche micro-brand phone like the Unihertz Jelly series.

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 13:18 collapse

These are older than Pixel 4A lol.

Ilandar@aussie.zone on 28 Jun 2024 14:07 collapse

Sorry if I’ve misunderstood what you were trying to say. I interpreted that quote from you as suggesting the last true compact Android phones (the Xperia Compacts and, to a lesser extent, the S10e) don’t have custom ROM support. If you were instead saying the most recently released “compact” phones (which are really just medium-sized phones) don’t have custom ROM support, then that would also be partially incorrect since the Pixel A series is widely supported and the Xperia 5 III has official LineageOS support.

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 14:17 collapse

The only “new” compact phones I know are iPhone Mini and some Asus Zenfone. Neither have custom ROM support afaik and both don’t seem to be in production anymore. Medium size phones (6-6.4 inches) are not compacts.

Ilandar@aussie.zone on 28 Jun 2024 14:43 collapse

The Jelly Star is even smaller and released last year. Not that I would recommend it to anyone concerned with updates or custom ROM support, because it probably won’t get any lol

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 16:54 collapse

Is that a Russian website?

Ilandar@aussie.zone on 28 Jun 2024 23:20 collapse

Unihertz is a Chinese company.

Corgana@startrek.website on 28 Jun 2024 14:16 collapse

extremely old

Dude it’s less than four years old lol I get what you are saying but Q3 2020 is not that long ago.

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 14:18 collapse

It’s extremely old for a new daily driver phone you want to buy and for Android updates.

Corgana@startrek.website on 28 Jun 2024 19:16 collapse

I know what you meant but unless you’re gaming there’s nothing you can do with a Pixel 8 that can’t be done with the 4a (though I usually recommend the P5 because for a few dollars more you can get wireless charging and significantly better battery life).

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 19:36 collapse

Firmware updates.

umbrella@lemmy.ml on 29 Jun 2024 18:49 collapse

a four year old phone should absolutely still be getting updates

GolfNovemberUniform@lemmy.ml on 29 Jun 2024 18:56 collapse

Say that to capitalists.

umbrella@lemmy.ml on 29 Jun 2024 21:02 collapse

if only they would listen

jet@hackertalks.com on 30 Jun 2024 16:34 collapse

The new Pixel phones get 7 years now. Things are improving

Tywele@lemmy.dbzer0.com on 28 Jun 2024 12:46 next collapse

What’s the OS we can’t talk about?

half_built_pyramids@lemmy.world on 28 Jun 2024 12:55 next collapse

The OS-who-shall-not-be-named lest you summon its power.

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 13:17 next collapse

The open-source one that’s so powerful it summons an online fight with at least 50 members if mentioned. It’s kinda anomalous so it is recommended not to mention it online until further research.

rickyrigatoni@lemm.ee on 28 Jun 2024 13:17 next collapse

Hannah Montana Android.

delirious_owl@discuss.online on 28 Jun 2024 14:04 collapse

We don’t talk about Hannah Montana Android.

steal_your_face@lemmy.ml on 30 Jun 2024 05:23 collapse

We sing about Hannah Montana android

Grippler@feddit.dk on 28 Jun 2024 13:25 collapse

To be more helpful than the joke comments you’ve received so far, it’s graphene OS that’s causing a lot of controversy.

just_another_person@lemmy.world on 28 Jun 2024 14:20 collapse

What’s the controversy?

Grippler@feddit.dk on 28 Jun 2024 14:48 next collapse

I’m honestly not quite sure, I just know people are getting riled up when it’s mentioned.

fossphi@lemm.ee on 28 Jun 2024 17:21 collapse

It gets people going, (Daniel) 'Mkay?

I stole this from another lemmy comment, please don’t come after me

BigFatNips@sh.itjust.works on 29 Jun 2024 21:33 collapse

Whose comment was that 😂

fossphi@lemm.ee on 30 Jun 2024 09:37 collapse

Can’t really remember right now. I think it was a thread on which phone to buy and people were talking about graphene os on pixels.

Someone commented something along the lines of “m’lady” but with Daniel Micay’s name as a pun

lemmyvore@feddit.nl on 28 Jun 2024 19:07 collapse

They claim their security measures are better than other custom ROMs.

just_another_person@lemmy.world on 28 Jun 2024 19:31 collapse

Don’t they all make that claim?

lemmyvore@feddit.nl on 28 Jun 2024 19:43 next collapse

Hence the controversy! 🙂

Also, Graphene tend to act superior about it and it pisses people off.

TwinTusks@bitforged.space on 29 Jun 2024 04:07 collapse

That doesn’t sound like a controversy, it’s basically “btw, I use arch”

jet@hackertalks.com on 30 Jun 2024 16:33 collapse

www.privacyguides.org/en/android/

There is no controversy. There’s a lot of people memeing. I haven’t seen a single security analysis, or survey of options, that didn’t put GOS at the very top. Look at privacy guides, they say graphene is great, but if you can’t use that divest is okay.

People may not like the leader, and the developers are very opinionated which turns other people off, but I don’t think there’s any questioning the pedigree and the level of security provided

StormWalker@lemmy.zip on 01 Jul 2024 00:19 collapse

Yes I agree. The product itself seems to be very good indeed. The problem people have is not with the product, but with the personality of the project leader. Personally I have used GrapheneOS for the past 3 months on a Pixel 7 Pro and I love it. My reason for choosing GrapheneOS was that I need a phone with a top quality camera, and I want a phone that is less than 3 years old. That alone sets GrapheneOS apart from many other projects as many only support older phones with low to mid range cameras. Then you have the privacy, security, and setting customization that graphene offers and it’s a clear top choice for me. Even if the leader is arrogant as some say, his product is good, and exactly what I need at the moment. So with no other projects offering what is important to me, I choose graphene for 2024. It’s solid.

FutileRecipe@lemmy.world on 29 Jun 2024 10:42 collapse

Do they all really? I know GrapheneOS does, and I think DivestOS even says “use my OS to stay as up to date as possible, but if you have a current/supported Pixel, use GrapheneOS instead for superior security.” But I don’t recall other OSes really going “we’re more secure than GrapheneOS and here’s why.”

Ilandar@aussie.zone on 28 Jun 2024 13:04 next collapse

Yes, that is too old for a new phone considering it’s already past its end-of-life for both official support and your OS. I’m not sure why you’d recommend them to buy new either - a phone like that is only going to be good value if you pick up a used one for cheap. A new model will be massively overpriced for what it is (and may not even be new, just refurbished and repackaged).

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 13:14 collapse

I guess they were talking about a refurbished or a used one.

Ilandar@aussie.zone on 28 Jun 2024 13:17 collapse

They specifically said “not second hand” so I assumed not.

GolfNovemberUniform@lemmy.ml on 28 Jun 2024 13:21 collapse

Sorry I am really blind recently. A new 4A is a terrible deal

helenslunch@feddit.nl on 28 Jun 2024 13:06 next collapse

Yes, it’s too old. Does not receive software updates anymore. The newer a-series of phones are still quite a bit larger than the 4a but also quite a bit smaller than the 8 or especially 8 “Pro” or whatever the fuck stupid name they’re giving phones these days.

RootBeerGuy@discuss.tchncs.de on 28 Jun 2024 13:41 collapse

The software updates are maybe not an argument when it comes to degoogling? Then it depends if the OS they plan to use still sends updates.

jet@hackertalks.com on 28 Jun 2024 14:22 next collapse

The hardware driver updates are absolutely critical if you want to have a secure phone. The phone has to be within the support window, to get any hardware driver updates. The risk surface of a phone’s hardware is huge, you’ve got the Bluetooth drivers, you’ve got the Wi-Fi drivers, you’ve got the modem drivers, and any other sensors I may have forgotten about.

helenslunch@feddit.nl on 28 Jun 2024 18:20 collapse

I mean…you’re gonna have to run some operating system on it. And that operating system is going to need security updates.

jet@hackertalks.com on 28 Jun 2024 13:10 next collapse

Depends on your friend’s threat model, lineage will work on it.

No security updates makes the Pixel 4a a bold choice for your main phone. I don’t recommend it

I would follow the graphene OS recommended phone guide, that gives you maximum flexibility to put any operating system you want on the phone.

delirious_owl@discuss.online on 28 Jun 2024 14:03 collapse

Phones are insecure devices, by design. Should be OK.

Just don’t do anything on a phone that falls under “sensitive” on your threat model. Use a proper computer with a proper password for that.

jet@hackertalks.com on 28 Jun 2024 14:20 collapse

Could you explain how phones are insecure by design?

delirious_owl@discuss.online on 29 Jun 2024 02:14 collapse

How long is your password? Do you ever type it in public?

jet@hackertalks.com on 29 Jun 2024 04:47 collapse

You can use two factor, fingerprint plus pin and have the pin layout randomize each time.

delirious_owl@discuss.online on 29 Jun 2024 13:31 collapse

That’s extremely insecure compared to a computer

zfr@lemmy.today on 29 Jun 2024 13:58 collapse

How?

jet@hackertalks.com on 29 Jun 2024 14:17 next collapse

I think phones are the MOST secure devices most people have. They are locked down, they run software in very restricted containers, they have more restrictive feature allowance. for 99% of the people the phone is the most secure device, full stop.

Can you do better on a computer? Sure, but it takes a bunch of work and isn’t the out of box experience

delirious_owl@discuss.online on 29 Jun 2024 14:35 collapse

Common misconception

jet@hackertalks.com on 29 Jun 2024 14:59 collapse

Please help me understand your point of view. So far all you have said in this conversation is that other people are wrong. That may be, but you’re not helping us understand you.

delirious_owl@discuss.online on 29 Jun 2024 15:03 collapse

The key to encryption is to have your key encrypted with a strong passphrase.

Phones are literally designed to be convenient. Convenient is the antithesis of security.

You want a 20-100+ character passphrase to symmetrically encrypt your private keys, and you want to never type that in public.

Most people have 4 digit pins on their phones, and they constantly type them in public, in plain view of others. And it’s super easy to snatch out of their hands and run.

Phones are, by design, not secure devices. Marketing teams trying to sell you something say otherwise. Don’t be gullible.

jet@hackertalks.com on 29 Jun 2024 16:04 collapse

TPM in the SOC to transform the “convenient” pin into more robust encryption keys is the gold standard for civilian devices.

“computers” (of which a phone very much is) also use a TPM for this very reason.

But even taking what you say as gospel, the device isn’t insecure, it’s how people are using it.

I will stand by my comments a phone is the MOST secure device a civilian will use. Even with a secured desktop computer where someone diligently types in a 64 bit random code to unencrypt the hard drive… if they use the computer as a general purpose device, the threat surface raises dramatically. Now information and programs are not compartmentalized, install one bad program and it can trivially take over everything.

delirious_owl@discuss.online on 29 Jun 2024 17:40 collapse

TPMs protect the data on the drive if the drive is separated from the computer. If the drive is still in the computer, then it doesn’t protect the data. It doesn’t provide protection from physical attacks.

jet@hackertalks.com on 29 Jun 2024 17:50 collapse

learn.microsoft.com/en-us/…/tpm-fundamentals

Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called “wrapping” or “binding” a key, can help protect the key from disclosure.

This is how cell phones and windows hello justify short pins, the pin goes into a rate limited TPM that then discloses a larger key to decrypt the actual secret.
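A toy model of the mechanism described in the comment above, added here as an illustration and not taken from the thread or from any TPM vendor: a sealed store holds a random 256-bit key and releases it only for the right PIN, refusing all further attempts after a fixed number of failures. The class name `ThrottledKeyStore`, the 5-attempt limit and the PBKDF2 parameters are assumptions; real hardware keeps the counter and the key inside tamper-resistant silicon.

```python
import hashlib
import hmac
import secrets


class LockedOut(Exception):
    """Raised once the failure counter has reached its limit."""


class ThrottledKeyStore:
    """Software stand-in for a hardware key store (assumed design, toy model).

    The released key is random and independent of the PIN, so the PIN's low
    entropy only matters through the number of guesses the store permits.
    """

    def __init__(self, pin, max_failures=5):
        self._salt = secrets.token_bytes(16)
        self._pin_tag = self._derive(pin)
        self._disk_key = secrets.token_bytes(32)  # the "larger key"
        self._max_failures = max_failures
        self._failures = 0

    def _derive(self, pin):
        # Verifier for the PIN; iteration count is an assumption for the demo.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    @property
    def locked(self):
        return self._failures >= self._max_failures

    def unseal(self, pin):
        """Return the 32-byte key for the right PIN, None for a wrong one."""
        if self.locked:
            raise LockedOut("too many failed attempts")
        if hmac.compare_digest(self._derive(pin), self._pin_tag):
            self._failures = 0
            return self._disk_key
        self._failures += 1
        return None


def guess_until_locked(store, candidates):
    """Feed candidate PINs to the store; return (key_or_None, attempts_made).

    Used here only to confirm that the lockout stops enumeration.
    """
    attempts = 0
    for pin in candidates:
        try:
            key = store.unseal(pin)
        except LockedOut:
            break
        attempts += 1
        if key is not None:
            return key, attempts
    return None, attempts


def online_guess_probability(pin_digits, max_failures):
    """Chance that blind guessing hits a uniformly random PIN before lockout."""
    return min(1.0, max_failures / 10 ** pin_digits)


if __name__ == "__main__":
    store = ThrottledKeyStore("4821")  # constructed PIN for the demo
    _, tried = guess_until_locked(store, (f"{i:04d}" for i in range(10_000)))
    print("attempts before lockout:", tried)
    print("4-digit PIN, 5 tries:", online_guess_probability(4, 5))
    print("6-digit PIN, 5 tries:", online_guess_probability(6, 5))
```

The model covers only the guess-limiting argument; it says nothing about physical attacks on the chip itself, which is the point disputed later in the thread.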

delirious_owl@discuss.online on 29 Jun 2024 20:43 collapse

Do you need me to link to the vulnerabilities of TPMs? They do not provide physical security.

jet@hackertalks.com on 30 Jun 2024 05:04 collapse

Does this mean you’re also against yubikeys?

delirious_owl@discuss.online on 30 Jun 2024 05:14 collapse

Hardware keys can be used well to increase your security (U2F MFA) or used to increase convenience and reduce security (passwordless auth)

It depends how the tool is used.

delirious_owl@discuss.online on 29 Jun 2024 14:59 collapse

So you’re saying that, in order for me to steal everything on your phone, all I have to do is stand behind you in a supermarket and film you unlock your screen once. Then, on the way to your car, I quickly pull a knife on you and force you to tap your finger on your phone, then I hop on a motorbike and ride away.

Hope you didn’t have any banking apps or crypto on your phone, because now that’s gone.

QubesOS on a laptop is much much safer.

jet@hackertalks.com on 29 Jun 2024 16:05 next collapse

Qubes is immune to the knife to the throat threat model?

delirious_owl@discuss.online on 29 Jun 2024 17:25 collapse

They would need to kidnap you to type multiple different passwords. The point is that they can’t quickly unlock the device. Mobile phones are literally designed to be easy to unlock.

zfr@lemmy.today on 29 Jun 2024 18:46 collapse

If you have GrapheneOS, I’m pretty sure you can randomize the numbers on the pin. You can also set a password instead of a pin and disable biometrics if you use stock Android. All the more difficult to obtain access.

For banking/crypto, I assume a wallet app would allow you to set an app password/pin.

delirious_owl@discuss.online on 29 Jun 2024 20:40 collapse

What does randomizing the numbers do? I just film you tapping them, and it doesn’t provide any security.

zfr@lemmy.today on 29 Jun 2024 20:59 collapse

I suppose you are correct there. Maybe try a privacy screen protector or use a password. It would be harder to catch each symbol with either of those.

jet@hackertalks.com on 30 Jun 2024 13:20 collapse

I think this person is just permanently a contrarian.

Randomizing the numbers does provide good security, because there’s no longer an oil imprint on the most frequently used numbers on the phone, making guessing the pin code much harder before the TPM locks the phone.

Phones are full fledged computers nowadays, with Android you can have different profiles. For their level of paranoia, they could have a profile they never use in public, and only login with a full password, only when they’re in a secure location.

For the randomized pin, and biometric two-factor use of a phone, that covers most use cases, and is quite secure compared to most models of data security average civilians use.

You can have different scopes, if you’re in a crowded place, reading Lemmy isn’t really a big security risk. But logging into your banking would be. All of that is possible on Android, the fact that they’re so staunchly pro computer, is difficult for me to take their analysis seriously

delirious_owl@discuss.online on 30 Jun 2024 19:09 collapse

Things like gapps are closed source, have full permissions, and cannot be installed only on some profiles.

Qubes is safer and better compartmentalization.

jet@hackertalks.com on 30 Jun 2024 19:52 collapse

Things like gapps are closed source, have full permissions, and cannot be installed only on some profiles.

Except in stock AOSP or grapheneos.

Agree that qubes is the gold standard. But not to let perfect be the enemy of good, the vast majority of people, the vast majority of people, the VAST majority, are going to be unable to run qubes, either by technical ability, availability of appropriate hardware, or portability reasons.

Mobile phones for all of their faults, are the most secure piece of general computing hardware most people have in their lives

delirious_owl@discuss.online on 30 Jun 2024 21:10 collapse

I might agree with you, with that stipulation. That is an important stipulation.

floofloof@lemmy.ca on 28 Jun 2024 13:24 next collapse

Used Pixel 6, 6 Pro, 7 and 7 Pro can be found for reasonable prices these days. One of those in good condition would be a better buy because you’ll still get security patches for a while. Last time I looked, the third party OSs for Pixel phones only supported them for as long as Google did.

Ilandar@aussie.zone on 28 Jun 2024 14:08 collapse

He wants a small/compact phone

eugenia@lemmy.ml on 28 Jun 2024 13:31 next collapse

You can install LineageOS or e/OS on it (instead of Graphene, if that’s too controversial), and then the 4a is a good phone to use.

tmpod@lemmy.pt on 28 Jun 2024 13:35 next collapse

After my 6 year old Redmi 4X’s screen touch decided to die, I got an opened-not-used Pixel 4a (in perfect condition) at the end of 2022, because it was one of the few small-ish phones that had good modding support (Pixel phones are ofc known to be very good to degoogle). I love it. Feels good, works well, has a great camera (got a GCam mod too), etc. Only downside is the smaller battery (3100 vs 4100 mAh), but honestly it isn’t that big of a deal, I can just carry a powerbank on my backpack or, you know, use my phone less.

Back then, it was the perfect choice for me. Now, I don’t know, haven’t been keeping up with current models.

delirious_owl@discuss.online on 28 Jun 2024 14:02 collapse

I love the battery. I got a well used phone and I rarely have less than 70% at the end of the day.

But I leave my phone in airplane mode 24/7 (just use WiFi, no SIM)

It’s comments like this that lead Google to make newer phones have stupid big batteries. I hate those big, heavy phones :(

tmpod@lemmy.pt on 28 Jun 2024 17:33 collapse

Ah right, airplane mode makes a ton of difference. I also tend to have it enabled as much as I can, usually when I’m home (and thus reachable through VoIP services) or at work. And I (almost) never turn it off, I just leave it in airplane mode. I limit the charge to 75/80%, with ACCA, so I get even less juice.

And I’m sorry, I also dislike big phones with huge screens and batteries, there’s no real need for that. But I know that you can fit better batteries in smaller phones as well. My previous device was smaller than the Pixel 4a, but had a bigger battery, while having almost identical weight.
I wish manufacturers would make smaller phones, really. I’m very unsure what other device I will get after this one dies or gets broken…

chevy9294@monero.town on 29 Jun 2024 11:56 next collapse

Hi, do you maybe know any similar apps like ACCA that do not require root?

tmpod@lemmy.pt on 29 Jun 2024 14:37 collapse

Unfortunately, no. I believe you can’t really get this level of control without root access.

delirious_owl@discuss.online on 29 Jun 2024 14:55 collapse

Thanks for sharing ACCA. Very neat

tmpod@lemmy.pt on 29 Jun 2024 18:08 collapse

No problem, glad to have more people know about it, it’s very useful!

cradac@feddit.de on 28 Jun 2024 13:38 next collapse

I’m using a 4a right now which I bought last year, refurbished. It’s a great phone and has a headphone jack. If you’re concerned about updates, install an alternative OS. If you want to degoogle that should be the path anyway.

haui_lemmy@lemmy.giftedmc.com on 28 Jun 2024 13:48 next collapse

tangential: I’m using a oneplus 6 with postmarketOS but depending on your friend’s IT skills, it might not be ready for him yet.

So far it’s very usable but I suggest someone must want to swim against the current and do things differently. One could say a “pioneer” type would be ideal for this.

delirious_owl@discuss.online on 28 Jun 2024 13:57 next collapse

I have a Pixel 3a, and I love it. I also have a Pixel 4a and love that one too

I bought a Pixel 5a, and hated it. I think the 4a is the best phone on the market right now. Great price, great support in Lineage, and it’s not too big and heavy.

zod000@lemmy.ml on 28 Jun 2024 15:19 collapse

Sadly agree, I’ve been looking for a proper successor with no luck.

[deleted] on 28 Jun 2024 14:11 next collapse
.
[deleted] on 28 Jun 2024 14:11 next collapse
.
0x2d@lemmy.ml on 28 Jun 2024 17:17 collapse

don’t they have issues with randomly getting stuck in edl?

Corgana@startrek.website on 28 Jun 2024 14:13 next collapse

The Pixel 5 is not much more expensive and is still a great phone with good battery life and good camera, and the last Pixel small enough to be used one-handed. It also has wireless charging which is missing on the 4a.

If your friend isn’t gaming or doing anything CPU-intensive the P5 is what I would recommend today. Everything afterwards has been an incremental upgrade for significantly more money.

LodeMike@lemmy.today on 28 Jun 2024 14:26 next collapse

It is currently not being updated

Undertaker@feddit.org on 28 Jun 2024 15:03 next collapse

Yes, it is. You should not recommend such a phone. And this only in terms of update.

The arguments against the company behind this phone would fill books, but that’s another point

zod000@lemmy.ml on 28 Jun 2024 15:16 next collapse

I am far from unbiased as I just switched back to my pixel 4a from my new Sony Xperia. I think the Pixel 4a is a flat out GREAT phone, full stop. It is perfectly sized IMO, has been very reliable, good battery life (though at this point I should look into replacing the battery), and it has a headphone jack. That being said, picking it as a new phone now essentially means going with a custom rom and hoping it stays supported. That’s fine and all, but it’s not something most people want. Just to be clear, the xperia isn’t a bad option per se, I only switched back because the phone came carrier locked when it was supposed to be unlocked and the carrier it was locked to was uncooperative so I refunded it.

s38b35M5@lemmy.world on 28 Jun 2024 16:17 next collapse

I bought a used Pixel 5 in Feb for my daily driver. Replaced my Pixel 3 only because the power button was flaky. They both still run great. By my standards, getting two years out of a phone I paid $150 for is better than getting three years out of a $700 phone.

pH3ra@lemmy.ml on 28 Jun 2024 17:31 next collapse

Writing from a 3 years old 4a running CalyxOS: the phone is a perfect choice if you want a small sized phone with a 3.5mm jack and that gets constant updates. The camera might be a little better but I don’t take many pictures so I don’t mind.

ben_dover@lemmy.ml on 29 Jun 2024 10:23 collapse

the camera is amazing, but you need to use the Google Camera app for it to take advantage of all the Pixel magic. 3rd party camera apps will yield lousy shots comparatively.

Imprint9816@lemmy.dbzer0.com on 29 Jun 2024 03:59 next collapse

Pixel 5 is end-of-life and shouldn’t be used anymore due to lack of security patches for firmware and drivers.

I understand if your friend is on a budget and simply can’t afford a non EOL phone but, they should really consider a 6th gen Pixel or better if they care at all about their data security.

possiblylinux127@lemmy.zip on 29 Jun 2024 22:01 collapse

Has there been a successful exploit against a phone with old firmware but modern Android security patches?

Imprint9816@lemmy.dbzer0.com on 30 Jun 2024 05:47 collapse

I am not sure if there is an example of that specific situation as it would be pretty odd for a phone to be receiving security patches but not firmware updates.

Anyway it’s not super relevant as the Pixel 5 does not receive firmware or security patches anymore.

OP also seems to be inferring he suggested to his friend to use a very specific security / privacy OS that does not recommend using that model phone anymore for the exact reasons I mentioned. Plus the model is only receiving partial support as a stop gap for users to have time to get a newer model and won’t be supported much longer anyway.

possiblylinux127@lemmy.zip on 30 Jun 2024 06:29 collapse

Custom ROMs will receive upstream Android security patches but not patches from proprietary components (firmware). For instance, my Moto g7 power has Android security patches from May but the latest vendor security patch level is 2021. (I’m running Lineage OS) I’m curious to know if the older firmware is a problem. I don’t think it is easily exploitable outside of government backdoors. Not that it matters much as I plan on keeping my phone until it dies.
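The split described in the comment above (a current Android patch level next to a stale vendor patch level) is visible in a device's system properties. The following is an added example, not part of the thread: it parses `adb shell getprop` output for `ro.build.version.security_patch` and `ro.vendor.build.security_patch` and reports how far each lags. The sample output, the function names and the 3-month threshold are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-05-05]
[ro.product.model]: [example-device]
[ro.vendor.build.security_patch]: [2021-10-01]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>.*)\]\s*$")
OS_PATCH = "ro.build.version.security_patch"          # Android framework/OS
VENDOR_PATCH = "ro.vendor.build.security_patch"       # vendor image, drivers


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def parse_patch_date(value):
    """Patch levels are ISO dates (YYYY-MM-DD); return None if unusable."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def months_between(older, newer):
    """Whole calendar months from `older` to `newer` (days ignored)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def assess_patch_levels(props, today, max_lag_months=3):
    """Compare OS and vendor patch levels against `today` and each other."""
    os_patch = parse_patch_date(props.get(OS_PATCH, ""))
    vendor_patch = parse_patch_date(props.get(VENDOR_PATCH, ""))
    report = {
        "os_age_months": None,
        "vendor_age_months": None,
        "vendor_lag_months": None,   # how far vendor trails the OS level
        "findings": [],
    }
    if os_patch is None:
        report["findings"].append("OS patch level missing or unparseable")
    else:
        report["os_age_months"] = months_between(os_patch, today)
        if report["os_age_months"] > max_lag_months:
            report["findings"].append("OS patch level is stale")
    if vendor_patch is None:
        # Older builds may not expose the vendor property at all.
        report["findings"].append("vendor patch level not reported")
    else:
        report["vendor_age_months"] = months_between(vendor_patch, today)
        if report["vendor_age_months"] > max_lag_months:
            report["findings"].append("vendor patch level is stale")
    if os_patch and vendor_patch:
        report["vendor_lag_months"] = months_between(vendor_patch, os_patch)
    return report


if __name__ == "__main__":
    result = assess_patch_levels(parse_getprop(SAMPLE_GETPROP), date(2024, 6, 30))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a connected device the input would come from `adb shell getprop`; a current OS level with a large `vendor_lag_months` is the custom-ROM-on-EOL-hardware case the thread is arguing about.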

Imprint9816@lemmy.dbzer0.com on 30 Jun 2024 16:07 collapse

Not sure where you’re getting your information but the Pixel 5 has not gotten Android updates or security updates in over 7 months.

There are tons of examples of exploits being used to target EOL phones as it’s common for people to not care about these updates, or be misinformed, so they are easy targets.

If OP or anyone else wants to use an EOL phone that’s fine but, don’t pretend it’s a smart security practice. Although even if I were to use an EOL phone, LineageOS doesn’t have the greatest background and isn’t really degoogled

jet@hackertalks.com on 30 Jun 2024 16:29 next collapse

I think lineage is a good operating system for limited exposure use cases. Like a project phone on a safe network, or as a webcam, or like an embedded hardware controller. But not on the raw internet, not processing raw internet data, not with open Wi-Fi, not with open Bluetooth.

Even with all of that, it should still be segmented from the rest of the network

possiblylinux127@lemmy.zip on 30 Jun 2024 17:15 collapse

You are still missing my point. All phones actively supported by Lineage OS get Android security patches. Those aren’t vendor patches but they do patch the OS and sometimes the kernel.

For instance, the Pixel 5 was last updated June 28. wiki.lineageos.org/devices/panther/

Not to say that you should still buy it. However, if it is cheap it might be worth it.

Also from the article you linked:

Although the incident forced LineageOS to take offline all its service, it did not impact the signing keys that authenticate distributions because they are stored on hosts separate from the main infrastructure.

Imprint9816@lemmy.dbzer0.com on 20 Jul 2024 08:06 collapse

Those are partial security patches (it’s not in the same ballpark as a non EOL phone).

Even non EOL phones are usually updated dangerously slow when it comes to LineageOS.

Some more sources, not sure why I’m even adding them as you seem hell bent to believe LineageOS is secure regardless of the facts.

eylenburg.github.io/android_comparison.htm

kuketz-blog.de/lineageos-weder-sicher-noch-datens…

possiblylinux127@lemmy.zip on 20 Jul 2024 13:15 collapse

If my device is so insecure why haven’t I been compromised? Your “facts” are only important if it promotes Graphene OS.

Imprint9816@lemmy.dbzer0.com on 20 Jul 2024 15:09 collapse

Lmao putting facts in quotes does not make them less true. Figures, that when confronted with reality you would immediately start relying on logical fallacies.

Just because you are more at risk of being compromised does not mean you will be compromised. This is obvious.

You don’t have to respond if you’re just going to be a child about it.

Titou@sh.itjust.works on 29 Jun 2024 07:01 next collapse

The one we can’t talk about…

I don’t get it? Why can’t we say its name?

StormWalker@lemmy.zip on 01 Jul 2024 00:32 collapse

Because GrapheneOS is a debatable triggering subject for some people. Basically the OS itself is amazing and very good. But the project leader is apparently arrogant and offensive. And offended a load of big known online personalities. Apparently he says his OS is the best and better than everyone else etc etc. So the question is: do you use and support a project where the product itself is amazing and just what the world needs, but where the project leader is offensive? Some say yes, some say no. = Controversial subject.

Personally I use GrapheneOS because I need a good camera and I like having a flagship modern phone. Currently I’m using a Pixel 7 Pro. I also like the privacy and security features that graphene offer. I don’t see another project out there that can offer me the same. The product is good.

Titou@sh.itjust.works on 01 Jul 2024 07:49 collapse

But the project leader is apparently arrogant and offensive.

“apparently”

StormWalker@lemmy.zip on 03 Jul 2024 00:01 collapse

Well yes exactly. It’s all just big personalities online that say that these things happened. Who knows really what the guy is like. A few big names online say these things about him, but I personally have never had any interaction with him. So it could all be true, or partly true, or not at all. I guess no smoke without fire… but there are always 2 sides to every story.

ben_dover@lemmy.ml on 29 Jun 2024 10:19 next collapse

4a is end of life already, so no firmware updates from Google. GrapheneOS has legacy builds available for it but doesn’t recommend using them, and they might go away anytime soon

get a used device which is still properly supported, don’t buy brand new e-waste

Misk@lemmy.world on 29 Jun 2024 14:31 next collapse

I have a 4a running graphene and I love it but after 3+ years the battery life is shot. I really didn’t want to buy any of the new pixels because they are all too big and I hate big phones. I was thinking of just buying a new 4a and installing graphene again (because god forbid making a phone where you can just swap out the battery in this day and age) but are you saying this would be a bad idea at this point? Like even if they keep graphene up to date the phone will still be outdated (and therefore vulnerable) at the kernel/hardware level?

ben_dover@lemmy.ml on 29 Jun 2024 20:45 collapse

yes and P4a is already one major GOS/Android version behind, it’s only getting “extended legacy support” releases. i.e. security fixes are merged and backported where possible, but it’s overall not the best setup and they recommend to switch asap.

I’m pretty sure GOS will drop Android 13 (and therefore P4a) as soon as they release Android 15, since the team won’t be maintaining three major Android versions.

CalyxOS ported Android 14 to P4a, so you might squeeze an additional year or so out of it if you switch.

I’d either replace the battery in the old P4a, or get a newer model with 7y software support. But buying a new 4a is probably not your best possible move

possiblylinux127@lemmy.zip on 29 Jun 2024 21:59 collapse

You could just not use Graphene OS. They create ewaste just as much as Android. Lineage OS will run on 8 year old phones.

foremanguy92_@lemmy.ml on 29 Jun 2024 12:13 next collapse

I think it’s a bit too old, if you want to stay in the pixel ecosystem maybe try to grab a 6, 6a or 6 pro. They are around $250, and they are great!

qaz@lemmy.world on 29 Jun 2024 22:28 collapse

I recently got a 6a to replace my iPhone SE for €160 and it’s been working great.

foremanguy92_@lemmy.ml on 29 Jun 2024 23:04 collapse

Great

AnxiousDuck@feddit.it on 29 Jun 2024 21:56 next collapse

Can someone explain to me under what circumstances would using an old phone be risky (under a common reasonable threat model)?

tty5@lemmy.world on 29 Jun 2024 23:18 collapse

No security fixes once the device reaches end of life. For pixel 4a end of security updates was 10 months ago. That mostly is a problem with malicious apps - there were some privilege escalation bugs in those 10 months - but sometimes you get a banger that can get exploited by simply loading a page or opening an image.

ReveredOxygen@sh.itjust.works on 30 Jun 2024 04:20 next collapse

Wouldn’t those be typically handled at an OS level? If you’re using an OS that actually gets updates, you’re only vulnerable to attacks at the kernel or driver level

tty5@lemmy.world on 30 Jun 2024 07:53 collapse

If you are on stock software on EOL device you are not getting os updates either.

Also a bunch of recent vulns were in SoC specific stuff - outside os.

AnxiousDuck@feddit.it on 30 Jun 2024 09:43 collapse

I get it about malicious apps but what about just using mainstream apps and surfing the web with adblockers?

Dark_Dragon@lemmy.dbzer0.com on 30 Jun 2024 00:00 next collapse

Umm one question by the way, why use Google phone to degoogle? There are plenty of good Android phones out there right?

OhYeah@lemmy.dbzer0.com on 30 Jun 2024 04:38 next collapse

While it is ironic, the pixels are easy to unlock the bootloader and have good support across lineage, calyx, and graphene. Been using one to degoogle for awhile and would recommend them

jet@hackertalks.com on 30 Jun 2024 12:22 collapse

Google makes the most open and customizable phones. Unlocked bootloaders, the ability to sign your own code. Rapid security updates for baseband drivers.

Nobody else comes close.

grapheneos.org/faq#future-devices

Actually pine phone is really open, but it’s not android and nowhere ready to be a daily driver.

ssm@lemmy.sdf.org on 30 Jun 2024 05:55 next collapse

Random hardware suggestions, using mobile Linux support as a litmus test

  • Pinephone (Pro): Main downside is that OG Pinephone has extremely anemic hardware, and the charging circuit is not controlled through hardware for some insane reason; hope the kernel devs of whatever OS you put on it knows how to not turn your phone into a bomb. Also Pine64 as a company has gotten flak for their support of Manjaro. Can’t deny how good the price is though.
  • Fairphone 4: Good hardware, but expensive. I don’t own it, but it works good on postmarketOS according to the wiki.
  • Librem 5: Overpriced compared to the earlier members on this list, but you can guarantee the phosh interface will work well considering it was developed by Purism as well.
  • OnePlus 6 and 6T: I don’t know much about these, but they’re very popular with the mobile Linux crowd.

As for the pixel, there’s work on it but it’s still broken at the moment. As for the hardware being too old, I haven’t used anything Android in a while, so I don’t know how much performance degrades each release, but a mobile Linux distribution should run just as good today as it will 20 years from now, assuming you use the same interface.

toastal@lemmy.ml on 30 Jun 2024 07:19 collapse

Pixel 4a was one of the last in the Google lineup with a headphone jack (5a being last). The OEM lost its way after that. This is enough to not recommend their devices as far as I am concerned.