top | item 40892465

(no title)

I don't really get people's obsession with security updates for a smartphone. It's not a public webserver, bro. It's a phone. You're the one who decided it was etrash.

Not only is it not reachable by anyone except your mobile provider, but every app is sandboxed anyway. Unless you're downloading random apps every day, why would you care? What do you think is going to happen? Just stick to reputable apps.

You know what I do on my still-supported phone? Set it up, then disable automatic updates, for both Android and the Play store. I update the browser weekly, but that's it. I update the whole manually after a few months or year if I feel I have a good reason to.

discuss

lopkeny12ko|1 year ago

I learned > 10 years ago that every phone "security update" is just a patch to disable workarounds people use to root their phones. And every update unroots it. So yeah, disabling automatic updates is also the first thing I do.

mananaysiempre|1 year ago

A modern smartphone is a mishmash of proprietary, closed-source, burn-before-reading secret wireless stacks, and unsurprisingly they all suck.

I can’t really speak about the cellular parts. (Although the fact that your SIM—including your eSIM—is a standalone computer with over-the-air installable applications, arbitrary access to the cellular network, and zero end-user ways to inspect it fills me with dread simply on general grounds. Oh and on all networks pre 4G the base station is not authenticated. And the auth implementations on 4G are often completely broken, especially once roaming enters the picture.)

But the Wi-Fi and Bluetooth stacks are wide open to everybody within 10s to 100s of metres of you who wants to grope them, every minute of your life. And given there’ve been pretty spectacular exploits by (smart and knowledgeable) randos even with the difficulty of reverse-engineering them as a rando, I feel fairly confident in expecting them to be a horror show internally.

piva00|1 year ago

Exploits such as the ones who just needed you to receive a specially crafted message already happened, it's not that simple.