Lets pretend that all Pixels still gets security updates from GrapheneOS.

Could it be possible to rank them in terms of security- and privacy strength? If so, please explain why? Could it have something to do with the security security elements and hardware incompatibility with latest android version? Assume the password strength is overkill.

Second question: Would it be reasonable to assume that the newest model today would be just as secure now as in 20 years in the future if its completely offline? No security updates here.

    "Could it be possible to rank them in terms of security- and privacy strength?"

    Newer model = better chipset

    "Would it be reasonable to assume that the newest model today would be just as secure now as in 20 years in the future if its completely offline? No security updates here."

    No, update your phone

      Why do you want to use a 20 year old phone?
      Why do you want to let your phone offline for 20 years?
      What's your use case?

        Friedemann Lets pretend that all Pixels still gets security updates from GrapheneOS.

        Could it be possible to rank them in terms of security- and privacy strength? If so, please explain why? Could it have something to do with the security security elements and hardware incompatibility with latest android version? Assume the password strength is overkill.

        Newer devices get new hardware security features (e.g. MTE with 8th gen Pixels). GrapheneOS also can't do anything about firmware updates, which are also essential for a secure device. This is precisely the reason GrapheneOS only offers support as long as the OEM does.

        Friedemann Second question: Would it be reasonable to assume that the newest model today would be just as secure now as in 20 years in the future if its completely offline? No security updates here.

        In BFU, with an 8-word diceware passphrase, then the data on the device will theoretically be secure forever unless the encryption algorithm is broken.

              raccoondad

              Newer model = better chipset

              Yes, I would be surprised if this were not the case. However, newer chipsets and more advanced security features do not necessarily mean better security. A good example of this would be Meltdown and Spectre (along with miles long other examples), which remained undetectable for approximately 23 years (give or take a few years). I could just as easily argue that an old phone or laptop is far better studied and has had time to mature after years of scrutiny. In simple terms, one knows how to use it and how not to use it.

              Also, Android's source code grows over time, a major problem Google is trying to address. More code = more potential attack surfaces, no surprise there and as far as I understand, a major reason why GrapheneOS is so secure is because it removes unnecessary code thus mitigating zero-day attacks and more. However, introducing more and more code with additional features demands more work and more work. Correct me if I’m wrong.

              When it comes to the privacy aspect of it all, better privacy protection features were not really needed in years back, given the absence of today’s constant, imaginative new ways of collecting data. Now it's just a never ending cat and mouse chase.
              But all of this is beside the point—I just wanted to know how they are more secure.

              AlphaElwedritsch

              Why do you want to use a 20 year old phone?
              Why do you want to let your phone offline for 20 years?
              What's your use case?

              Well, I would certainly not use such an old phone, but it would still be nice to know that it can collect dust in the wind and be forgotten without worrying about it becoming a problem later on, like I dunno, cryptocontroller being broken and no auto erase, for lets face it. It's way more convenient with lengthy passwords with a keyboard.
              Or maybe agencies start keeping phones for 20 years, just waiting for an exploit.

              phnx

              Oh yeah, I forgot about rust, thanks! Rust really deserves more recognition!

              In BFU, with an 8-word diceware passphrase, then the data on the device will theoretically be secure forever unless the encryption algorithm is broken.

              This is what I wanted to hear.
              I think Androids hybrid file-based crypto system with hardware protection features is way to complicated to get a grip on than good old fashion LUKS.

              de0u

              I don't think anybody knows whether the flash storage would still be readable after 20 years. The trapped charge might leak away.

              This is actually a very good point. I remember when I read something about this and suddenly got in a hurry to backup some old microSDs and went back to CDs

                        Friedemann Well, I would certainly not use such an old phone, but it would still be nice to know that it can collect dust in the wind and be forgotten without worrying about it becoming a problem later on, like I dunno, cryptocontroller being broken and no auto erase, for lets face it. It's way more convenient with lengthy passwords with a keyboard.
                        Or maybe agencies start keeping phones for 20 years, just waiting for an exploit.

                        Ah, OK, I see, hypothetical philosophizing. Not my thing. I'm out of here....

                          If you had a Pixel 8 in twenty years , I would more worry about hardware failure then security. If the secure element or the mainboard is broken you are lost for sure.