Stay with Pixel 9a or go Pixel 10?

phone-company

I have been a long-time user of GrapheneOS. I like the Pixel A series because it is very robust with its plastic back. Now, in addition to the 9a, I also use the Pixel 10, which will probably soon be supported by GrapheneOS. To what extent will the Pixel 10 be more secure than the 9a? Does the 10 have a better modem than, for example, the Google Pixel 9 and 9Pro? Or can I safely stick with the Pixel 9a?

Murcielago

phone-company

If stingrays are part of your threat model an upgrade to the Pixel 10 series might be worth it:

When the “Network notifications” feature is enabled, Android will post a message in the notification panel and the Safety Center whenever your device switches from an encrypted to an unencrypted network, or vice versa. It will also post an alert in both places when the network accesses your phone’s unique identifiers, detailing the time and number of times they were requested.

source: https://www.androidauthority.com/android-16-mobile-network-security-3571497/

https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/android16-qpr1-release/radio/aidl/android/hardware/radio/network/IRadioNetworkIndication.aidl#236

spl4tt

I think you can safely stick to your 9a. But if you have a 10 anyway, well it's really a better device overall

phone-company

spl4tt thank you for your reply. I don't need the better camera or more ram... It's only about security

spl4tt

phone-company In that case, you'll be fine with your 9a, no worries

chance

The modem in the 10 is idenetical to the 9 and 9 pro, but a very big improvement to the one in the 9a which is already several years old at this point. Its honestly scandalous that Google had the nerve to use that modem again.

schweizer

chance The modem in the 10 is idenetical to the 9 and 9 pro, but a very big improvement to the one in the 9a

I disagree. I just switched from a pixel 6 to a pixel 9 and I do not feel a difference. The 9 could do satcom texting but it is not supported and probably never will be.

That said, the pixel 6 is a great phone.

23Sha-ger

Murcielago

This is another feature they "inspired" from GOS. Blocking of 2G towers was available for years.
If they market it as some novel A16 feature exclusive to P10, it's shame on them.

Murcielago

23Sha-ger

If I understand correctly, the feature includes three different aspects:

I was referring to the first two points, you seem to be talking about the third.

23Sha-ger

Murcielago
Yes I meant that the main point here is the 2G downgrade protection. The user facing notifications
that a downgrade is taking place seems almost useless to me. Kind of like those annoying Windows
and IE popups like "This site is using a secure connection". So if you block 2G/3G with weak ciphers,
it doesn't really matter if a stingray exists or not, the attacker can't force you to use weak ciphers.
In a funny way they introducted it in late 2025, where many developed countries already phased out
any obsolete generations, and the majority of threats are SIM swapping, not traditional eavsdropping :)

Murcielago

23Sha-ger

I agree with you in some aspects, but

In a funny way they introducted it in late 2025, where many developed countries already phased out any obsolete generations

I don't know where the OP (or anyone else seeking advice here) is from, but unfortunately not all countries in the world are developed countries + completed the 2G/3G phase-out. Disabling these technologies may therefore not work for everyone, but a notification that your device suddenly switched to 2G in an area, where it normally wouldn't, could still be helpful.

So if you block 2G/3G with weak ciphers, it doesn't really matter if a stingray exists or not, the attacker can't force you to use weak ciphers.

Eavesdropping is one, but not the only feature of IMSI catchers:

Classic “IMSI-catchers” simply record nearby IMSIs, and then don’t interact with their target phones in a significant way beyond that. They quite literally “catch” (i.e. record) IMSIs by pretending to be real base stations and then release the target phones

source: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks

For recording nearby IMSIs devices apparently don’t have to be downgraded to 2G/3G (so blocking 2G/3G doesn't help in that case):

In conclusion, our experiments have verified, independently of other works, that IMSI-catching indeed can be done for the 4G/LTE system too. We claim that (1) IMSIs can be collected by the eNodeB Collector, and (2) DoS (Denial-of-Service) is performed automatically after the UE receives an attach rejection message (with a specific cause). The 4G/LTE is vulnerable to active privacy attacks by IMSI Catcher, and we found that these attacks can be done quite easily and therefore can impact the confidence and reliability of commercial mobile networks. We showed that these attacks are not limited to clever programmers with special hardware. We hope that this report, and others, will make the 4G/LTE service providers aware of this threat, and lead to demands for improved privacy and security protocols in the mobile networks.

Source: https://arxiv.org/pdf/1702.04434

The mere recording of IMSIs and thus proof of presence maybe part of someone's threat model.

If someone cannot or does not want to use other tools such as EFF's Rayhunter, upgrading to a Pixel 10 might therefore make sense.