Questions about updates for EOL devices

You get some updates. Most importantly, the entire browser engine gets updated. All webapps and Vanadium run in an up-to-date, extremely secure browser.

So yeah, I think it is important to know what exact threat you are fearing. And tbh I dont know statistics on "how do Android users get viruses" mainly as I never hear of a single case. And if it was, it was paid, police, states, ...

Size matters for the manufacturer as well, imagine having less people addicted to social media because of smaller screens , thats a big no no

Ghen Using an EOL device opens you up to generic malware mass targeting users of old devices. The threats you have to worry about are now just the average off the shelf malware.

Ghen so it is really serious or... Google is financing you ;-)

We're keeping it real over here, it's your choice at the end of the day but we won't downplay the risks associated with an out-of-date device.

Ghen once GrapheneOS stops supporting Pixel 5 as it did with previous Pixels, will we get annoying notifications or we can remain in grapheneOS?

It will be a bit like staying in a park after closing, you're not supposed to be there. Sandboxed google play for example relies on consistent updates, if the flow dries out, functionality will break down sooner or later.

Ghen The Pixel 5 should be relative secure for a couple of years since serious vulnerabilities take around 2 to popup

I don't think that's how it works.

Recently there was a pretty bad remote code execution bug in cellular modem firmware. It affected Pixel 6 and 7 devices and many other devices. It did not happen two years after the 6 and 7 went out of support, or two years after they were released. I don't think it happened on any schedule.

Meanwhile, less-publicized bugs in firmware and drivers are fixed routinely. That stops cold for EOL devices.

Ghen If a highly serious vulnerability comes along, Google is likely to address it for any phone post 2020 still

My understanding is that they in general can't. Once their support contract with Qualcomm or Samsung for some hardware is over, those teams disband and people start forgetting what they once knew about the chips. If something big went kablooie one month after EOL, that would be one thing. But I am unaware of a pattern of a secret extra two years of kablooie protection.

Note that bugs in EOL devices are not generally announced and may not even be tracked (since they won't be fixed). I think the right way to read a bug silence after EOL is that people keep finding bugs but that most of them end up in the hands of attackers, who have a larger portfolio every month or two.

Ghen It seems clear there is a constituency who would welcome a small phone, just as in iPhone land there are people who are sad that Apple hasn't issued a Mini in a while.

I'm in the same boat. In one-handed use, one top-corner is barely reachable on the pixel 5, and for some reason, top-corners are exactly where interfaces tend to place important interactive elements. 8mm up and 2mm further out, would be a massive reduction in usability for me. Those millimeters can also be the difference between catching on a seam in a front pocket, and sticking out and increasing the likelihood of slipping out. That would maybe shift a trade-off to use a protective case, making the device even bulkier.

Carrying a device is also one of my major modes of usage, far outweighing screen-time. For my use case, the biggest risk is probably radio firmware, and I'm willing to take it. When a vulnerability becomes public, I can still reconsider that position.

mixis When a vulnerability becomes public, I can still reconsider that position.

Manufacturers don't spend a lot of energy tracking vulnerabilities in EOL devices, let alone announcing them. If somebody with an EOL device is exploited, they may have no idea why, so there may not be any discovery or report.

The analysis and decision-making are obviously yours to do based on how you use the device, but I don't think "no news is good news" is a recognized security principle for EOL devices of any type.

[deleted] Make a choice and live with it, buy pants with bigger pockets, practice hand gymnastics or operate devices with two hands, whatever brings you desired effect.

It's very fair to advice people against using insecure devices. But I still find your tone to be quite unnecessary; Some people prefer smaller devices, and instead of lecturing them on hand gymnastics and clothing, why not just accept that people are different in that way?

fid02 yes I agree, people may be different in lots of ways, who is to say they are necessarily better ways (and in what respect)? Clearly you don't seem to respect my difference of opinion.

Let's stick to the topic of this post and not derail it because of a difference in opinion and how a user worded their response. 👍 Neither contribute to OP's question(s).