It puts those Android phones among the more vulnerable devices. Don't use those Android phones. I recommend iPhones to anyone concerned about security, but you can substitute the Google phone of your choice; I don't want the argument today.
Thomas, I'm sure I'm speaking on behalf of many on HN - your ability to tirelessly battle through incorrect information on HN revolving around security related posts is commendable and always appreciated. As they say, patience is a virtue.
Tptacek is telling you that the most secure phone is iOS. If what's most important to you is price (and, therefore not security), yeah, you might find something else to be more compelling. That fact your different value system leads to a different choice has no relevance to the discussion.
If your assumption is that Android + yubikey is as good as iOS, you need to state that. Tptacek disagrees with that elsewhere in this thread, anyway.
My read is that tptachek claims that not all android phones are insecure. You should avoid those android phones whose vendors don't do serious security updates. Among the vendors that are well known to care about updating their phones there is Google. So, he seems to say that an android phone branded directly by Google (e.g. Nexuses, pixels) is a valid alternative to iPhones as far as this topic is concerned.
He did not say that, but it's natural to assume that. All android phones run android (naturally) so if for whatever reason you believe iOS to be more secure and you also know most android phones do not receive updates correctly then it's probably easier to avoid all android phones than try to accurately predict the development roadmaps for companies other than Google's flagship phones.
Personally, I think Android itself was not designed with as strong security as iOS because it was designed for openness and this has turned out to be a problem. One which iOS has to a much lesser extent.
> Personally, I think Android itself was not designed with as strong security as iOS because it was designed for openness and this has turned out to be a problem.
Openness and security are orthogonal - it is possible for a software to be both open and secure: see OpenBSD.
I completely agree, by "openness" I meant the lack of ACL/permissions for different data. This is improving on Android, but I don't keep up with it anymore so I'm not sure how much they've caught up or if what is released/planned is marketing hype.
Of course, Android has always sandboxed and prevented apps from talking to each other directly, but the restrictions on iOS have also always been much higher. iOS has never had the issues Android has had with SD cards. As someone who became an Android developer almost right after it came out, it was this freedom that attracted me.
Cost is not the only factor leading users to Android. And cost certainly isn't driving users to Google's Pixel phones - they are priced similarly to iPhones.
