Android phones, security, long-term support, and alternate firmware

I am, you could say, a Blue Team patch pusher: lock down your firewalls, update your software, use 2FA/MFA for account security, etc. I am data and privacy-conscious, which is where I run into issues with cell phones.

I don't want to spend $1,000 on a cell phone, or even $700 - I don't need the latest bezel-less model with facial recognition and three-day battery life. I expect that the manufacturer will support the phone for a reasonable amount of time - three years minimum, though more is always better. My definition of "support" is that security updates are kept up and reasonably on-time. I'm not expecting to go from one major release to another during the life of the phone, though that would be nice; I am expecting that they'll keep up with security updates. The Android software project (https://source.android.com/) has monthly security updates - is it really too much to ask that manufacturers release security updates for the devices they sell?

One could argue about the personnel cost of implementing the monthly patches, the testing, the bandwidth cost of phone owners downloading the update, and the inevitable support calls when the update doesn't go right. However, Apple and Microsoft seem to provide regular updates without issue for their phone and desktop software - and they don't charge anything for those updates.

No, the answer is not to get a new cell phone every 16 months. I suppose that works if you're rough with your hardware and have dealt with a broken screen for the past year and can't wait to replace the phone, or maybe you have so much disposable income that constantly buying a new phone is just something you do. Replacing a cell phone every other year shouldn't be the manufacturers' expectation.

When the Android phone manufacturers themselves don't want to support what they sell, more technical users have gone to alternative firmware for their phones. Maybe some are driven to this point because they want more features, or maybe to dump stock firmware that's bloated with extra software, but security and privacy concerns, along with running up-to-date firmware, are likely a big factor in that decision.

I tried LineageOS for a while and loved it. It was fast, with no extra software, daily patches with minor fixes if I wanted to update that often, and of course the monthly Android security updates. It was stable enough to use as my daily phone, the only exception being the warning on boot-up that I wasn't running verified and approved phone software.

Here's where I have an issue - there's a bit of a love-hate, cat-and-mouse game between users/developers and Google, and on the surface it appears to be driven by perceived security on Google's part. I'm talking about SafetyNet and other system checks, which Google implemented to ensure that the phone and OS are "official" versions as provided by the original manufacturer. In other words, they're trusted.

Why does that matter? Without a pass from those mechanisms, some apps won't run or work correctly - mostly banking apps and others that are concerned about security. So if you have a rooted phone or run alternate firmware, then you can't access your bank information through their app, can't use PayPal, and can't make Google Pay payments using NFC. Some crafty developers have found ways around these checks so those banking apps won't know that the phone is rooted or otherwise not pristine. There begins the cat-and-mouse game: third-party developers find a way around the checks, and then sooner or later Google Play, which Google Pay depends on, implements new checks that block the workarounds.

Frustrating, to say the very least, when you're looking for a better way to use the hardware you've spent money on and then you can't use it how you expect because someone else is deciding that what you're doing isn't right, approved, or secure. Yet if I were running a four-year-old phone that hasn't been patched since day one and has a laundry list of unpatched local and remotely exploitable vulnerabilities, I'd be able to run all of the banking apps however I please, because the phone is running verified vendor firmware.
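To make the point above concrete from the app developer's side, here is an added example (not code from the original post, and not Google's or any bank's code) of the server-side policy check an app backend would run over a SafetyNet Attestation verdict (the API has since been superseded by the Play Integrity API, but the field names used here are the SafetyNet ones: `nonce`, `timestampMs`, `apkPackageName`, `apkCertificateDigestSha256`, `ctsProfileMatch`, `basicIntegrity`). The verdict only says whether the firmware is certified; it carries no security patch level. The `reported_patch` argument is an assumption: a value the client app would read from `Build.VERSION.SECURITY_PATCH` and send alongside the verdict. The package name, certificate digest and JWS are constructed, and signature verification of the JWS is omitted.

```python
import base64
import json
from dataclasses import dataclass, field
from datetime import date

# Hypothetical app identity the server expects to see in the verdict.
EXPECTED_PACKAGE = "com.example.bankapp"
EXPECTED_CERT_DIGESTS = {"CONSTRUCTED-DIGEST-NOT-REAL"}  # constructed value
MAX_VERDICT_AGE_MS = 5 * 60 * 1000  # verdicts older than 5 minutes are stale


def _b64url_decode(s: str) -> bytes:
    """Base64url decoding, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jws_payload(jws: str) -> dict:
    """Return the decoded payload of a compact JWS (header.payload.signature).
    Signature verification against the certificate chain in the header is
    deliberately omitted in this example; a real verifier must do it before
    trusting any field below."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(jws: str, issued_nonce: bytes, now_ms: int,
             min_patch: date, reported_patch: str) -> Decision:
    p = jws_payload(jws)
    reasons = []
    # 1. Freshness and binding: the verdict must answer *our* challenge.
    if p.get("nonce") != base64.b64encode(issued_nonce).decode():
        reasons.append("nonce mismatch (replayed or foreign verdict)")
    if now_ms - int(p.get("timestampMs", 0)) > MAX_VERDICT_AGE_MS:
        reasons.append("verdict is stale")
    # 2. App identity: the verdict must be about our signed APK.
    if p.get("apkPackageName") != EXPECTED_PACKAGE:
        reasons.append("unexpected package name")
    if not set(p.get("apkCertificateDigestSha256", [])) & EXPECTED_CERT_DIGESTS:
        reasons.append("unexpected signing certificate")
    # 3. Device integrity flags exactly as SafetyNet reports them.
    if not p.get("basicIntegrity"):
        reasons.append("basicIntegrity failed (tampered or rooted)")
    if not p.get("ctsProfileMatch"):
        reasons.append("ctsProfileMatch failed (non-certified firmware)")
    # 4. The check attestation does NOT make: is the OS actually patched?
    #    reported_patch is an assumed client-supplied copy of
    #    Build.VERSION.SECURITY_PATCH ("YYYY-MM-DD"); it is self-reported, so
    #    it is only as trustworthy as the flags above, but it is what catches
    #    a certified-yet-years-behind device.
    try:
        if date.fromisoformat(reported_patch) < min_patch:
            reasons.append(f"security patch level {reported_patch} older than {min_patch}")
    except ValueError:
        reasons.append("unparseable security patch level")
    return Decision(allowed=not reasons, reasons=reasons)


def make_verdict(payload: dict) -> str:
    """Constructed, unsigned JWS for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.c2lnbmF0dXJl"


NONCE = b"server-issued-random-nonce"  # constructed; use os.urandom() in practice
NOW_MS = 1_700_000_000_000
MIN_PATCH = date(2023, 6, 1)
BASE = {  # constructed verdict payload
    "nonce": base64.b64encode(NONCE).decode(),
    "timestampMs": NOW_MS - 1000,
    "apkPackageName": EXPECTED_PACKAGE,
    "apkCertificateDigestSha256": list(EXPECTED_CERT_DIGESTS),
    "ctsProfileMatch": True,
    "basicIntegrity": True,
}

# Case A: certified vendor firmware, but years behind on patches.
STALE_OFFICIAL = evaluate(make_verdict(BASE), NONCE, NOW_MS, MIN_PATCH, "2019-03-05")
# Case B: custom firmware with current patches fails the profile match.
CUSTOM_ROM = evaluate(make_verdict({**BASE, "ctsProfileMatch": False}), NONCE, NOW_MS, MIN_PATCH, "2024-02-05")
# Case C: certified and current, the combination a bank would actually want.
GOOD = evaluate(make_verdict(BASE), NONCE, NOW_MS, MIN_PATCH, "2024-02-05")

if __name__ == "__main__":
    for name, d in [("stale official", STALE_OFFICIAL), ("custom ROM", CUSTOM_ROM), ("good", GOOD)]:
        print(name, "allowed" if d.allowed else "blocked", d.reasons)
```

Run as-is, case A is blocked only by the patch-level check and case B only by `ctsProfileMatch`; drop step 4 and case A sails through, which is exactly the situation described above: the attestation verdict measures "vendor-approved", not "patched".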

Thus the million-dollar question is - what's the bigger risk? An out-of-date phone running vulnerable software, or a phone running up-to-date firmware that the hardware vendor (and Google) have no say in?

That leaves us with a conundrum: continue the cat-and-mouse game to get what we want out of the hardware we own, wait for (or push for) vendors to improve their firmware support, or move towards more open hardware (see: PinePhone and Librem 5) that allows the end-user to run whatever software they want, unencumbered (though that may not have the third-party app support that iOS and Android have).

This article was updated on February 21, 2024