
Yeah, I'm probably one of the most uniquely qualified people to plug LineageOS as an engineer who's launched multiple AOSP-based hardware products.

Comparing LineageOS to actual first party support when the SoC manufacturer has long forgotten your device exists isn't really realistic: you're getting updates in name only. The blobs that run the most important things are frozen in time.

-

Not to mention, if you're willing to put up with that level of limitation, you can get a brand new iPhone SE for $150 too. It'll be locked to a carrier, but that's a lot less limiting than "literally never going to have a meaningful update again".




I'm not going to argue that "use LineageOS" is viable advice for most users (it's not), but what do you mean "The blobs that run the most important things are frozen in time"? I suppose they're "the most important things" in that they're required for a usable device, but I wouldn't call them the most important things when it comes to updates.

If I'm running an outdated Android version, my threat model basically can't include any internet or cell connectivity, since an outdated media parser means a bad web page or media message and my phone is the attacker's playground. But an outdated baseband firmware means what, I have to watch out for ne'er-do-wells dodging the FCC with high powered SDRs in my neighborhood who know what model of phone I'm using? In a better world, Lineage could feasibly ship updates for every component, but as far as I can see, one of these is a lot more important than the other, and it's the one LineageOS does take care of.


GPU: https://nvd.nist.gov/vuln/search/results?adv_search=true&isC...*

VPU: https://www.cvedetails.com/cve/CVE-2021-0346/

DSP: https://nvd.nist.gov/vuln/detail/cve-2022-27834

The SoC has a lot more binary blobs than a baseband firmware. It's one thing if the alternative was living like a hermit, but no, the alternative is not supporting an ecosystem predicated on SoC vendors abandoning your advice because it's in their best interest for you to buy a new one.

Android for personal use is a complete non-starter for me today, it's a terrible ecosystem driven on waste with fundamental flaws that will never get fixed because of a misalignment of interests.


Again, not defending the Android ecosystem, but what is the threat model here? Poking through those, they all seem only locally exploitable by malicious apps, which yeah not great, and under just the right circumstances maybe chainable from a sandbox, but hardly the most important thing to be concerned about for most users compared to "your device still has stagefright vulns".


At the point where you're writing off local arbitrary reads from unprivileged apps as "hardly the most important thing", I'm wondering what threat model you're pushing since to most people in security that's a pretty plain threat.

Even if you arbitrarily decide only RCEs matter, there's again a lot of binary blobs in a modern device and more importantly they do a lot more than you seem to think.

I'm not sure why Stagefright is your synecdoche for RCE when just a few months ago we got a set of CVEs that made it look like child's play. It turns out your device being exploited via baseband doesn't take SDRs, your baseband today is involved in MMS too:

https://googleprojectzero.blogspot.com/2023/03/multiple-inte...


Arbitrary local reads from unprivileged apps is a "pretty plain threat" in terms of recent developments in security as a result of improvements to what we can secure. In a typical desktop OS, it's just the norm, but for mobile OSs we've moved the goal posts because we can. If we were talking about deploying a new OS or shipping new devices, then yes, it would be absolutely unacceptable, but we're talking about keeping smartphones past their support alive, so I think it's fair to say at that point we expect the user to only install a small set of critical applications on the device. If what the user wants is a mobile game console to mess around with while also functioning as secure storage for sensitive documents, then yes, the user might need to rethink what's acceptable risk.

>they do a lot more than you seem to think.

I do mobile security research, I am well aware of what these devices do. The reason I cite stagefright vulnerabilities as an example is because stagefright is a library that has continued to have vulnerabilities well past the original set you're probably thinking I'm referring to, and vulnerabilities that we have seen exploited in practice. Are there any known worms exploiting the Project Zero bug you've linked? Because at least from what I've come across, an updated LineageOS install only running apps from F-Droid would not be vulnerable to any non-targeted attack in the wild I've heard of. (Not a rhetorical question, to be clear, it's entirely possible I missed something, and I would love to know more if my understanding is out of date.)



