[Cryptography] phone firmware ... to mod, or not to mod? That is the question.

Florian Weimer fw at deneb.enyo.de
Mon Oct 3 12:39:18 EDT 2016


* John Denker:

> On 10/02/2016 12:16 PM, Ben Tasker wrote:
>
>> I'd much rather the relative freedom of Android, but the pathetic attitude
>> towards security updates periodically makes me consider switching.
>
> I agree, the Android update situation is underwhelming.
>
> Would anybody care to comment on the pros and cons of replacing
> Android with some aftermarket firmware, e.g. CyanogenMod?
>
> Is this likely to close more security holes than it opens?

I looked at this a few months ago.

If you want timely updates, you need to get a Google-branded device.
(But on the privacy front, Google might be considered slightly worse
than Apple, but that can change at each iOS update, obviously.)

With Priv, BlackBerry aimed to be the OEL of Android (even publishing
similar statistics about patch delays).  I didn't find this very
convincing.  Priv is probably history by now anyway.

The update situation with CyanogenMod is a bit unclear.  Patches for
security updates generally look like this:

  <http://review.cyanogenmod.org/#/c/156109/>

I suspect that more information is in the CYNGNOS-3257 ticket, but
that's not publicly viewable.  It's already a lot of work to map these
changes back to the Google fixes, and this lack of transparency makes
it even harder to see if they do the right thing.

(I still haven't bought a smartphone.)