
As a current Pixel 3 user, I think this article is slightly hyperbolic. The phone still works great other than a worse battery, definitely not "garbage". The author is making it sound like the phone stops working. But then again I still use Windows 7 which also doesn't have security updates.



Did we read the same article? Without security updates, you really shouldn't rely on a phone for banking/payments/secure messaging. Google has effectively killed the Pixel 3 for real usage.

You should be able to throw LineageOS on there as long as you don't have a locked Verizon bootloader. But there are a lot of caveats to that, in terms of which apps will work when rooted, which won't etc. etc.


> Without security updates, you really shouldn't rely on a phone for banking/payments/secure messaging. Google has effectively killed the Pixel 3 for real usage.

There is a lot of real usage which is not "banking/payments/secure messaging". Besides, stopping security updates does not mean the phone suddenly becomes open to the whole world. Many vulnerabilities might be exploitable only when running code natively on the device, or only when within radio range, or only when plugged directly to the USB port.


> There is a lot of real usage which is not "banking/payments/secure messaging".

In fact, I don't do any of those on my phone. Unless maybe you count email as secure messaging in some way.


> Unless maybe you count email as secure messaging in some way

I would say yes, considering email is often used as a primary means to reset account passwords. Most services support MFA (which could be somewhat of a mitigating security control), but a LOT of services still don't.


I have bank accounts I can only access via my phone. I'm not going to buy a new phone just for them while maintaining an old phone.


There's also the fact that LineageOS will fix only Android-related bugs, you're still stuck with the unpatched vendor firmware (which includes the kernel, unless I'm mistaken).


LineageOS backports security patches when possible, including kernel-related ones since they ship their own kernel.

Firmware doesn't include kernels, generally speaking.


So just to clear up my understanding: using LineageOS up-to-date means you should be safe from kernel and Android bugs, but you're still vulnerable to firmware issues, which would just be... hardware level, like your WiFi chip, CPU, USB-C port, camera, microphone, etc?


Potentially. Google also still updates AOSP, too, so you're not 100% reliant on LineageOS et al for these updates.

There's nothing stopping you from grabbing those blobs out of Google's AOSP images and updating them, but there's no way to ensure the abstraction layers work correctly with them unless you test it.

As always, it depends.


How important are these security updates to your average user? If they're meant to prevent hypothetical targeted attacks, I honestly wouldn't be too worried about them. Plenty of people continue to use their Android phone despite not receiving security updates, yet I haven't heard of anyone having an issue with this.


Losing control of your email/google/social media accounts and reputation (e.g. scams made in your name, blackmail, etc.) is a comparable risk to most people. Banks are experienced at handling fraud and you're also legally shielded from bank fraud in many jurisdictions.

(though banks are also clueless in other respects, outlawing devices with lineageos but allowing devices with out of date vendor OS)


Yeah - and it's worth noting that you still get updates for your browser and messaging apps (because the android version isn't too old). Just don't install risky apps. If you're a minimalist, you're fine with a phone that stopped getting base system updates in the last year or two. I still use a Galaxy S8 that got its last security update 10 months ago.

If there's a vulnerability like stagefright in the base system that could make many up-to-date apps vulnerable, you'll hear about it on the news.


It's not hyperbolic, your security profile and risk aversion are just different from the author's.


> forcing me

That's a bit hyperbolic. Your point stands, otherwise.


It's not hyperbolic. I wrote the policy for my company's phone policy. If an employee wants to access any company resources from their personal phone (optional) they must submit to a phone audit. The audit is a checklist of security best practices including verifying that the phone is receiving security updates for the OS. So if they need a phone for work, they either upgrade to a newer phone or carry a second phone with security updates for work purposes. Either way they have to get a new phone. What else would a company do? You can't just have employees storing credentials for company accounts on a device that is likely to get pwned.

Personally I don't see how anyone could justify having an out-of-date phone. Assuming you have it configured to read your email, it becomes a gateway to every account you own, which can have its password reset over email. MFA might help as long as that MFA isn't an app on your phone. But most websites don't support hardware security keys. If you care enough to have a dedicated TOTP device, then why would you want a phone with no security updates?

This use of "forcing" does not require bricking the phone. Creating a situation where the only reasonable choice is to upgrade the hardware qualifies as "forcing" in my opinion. The phone is no longer capable of performing the job for which it was designed in a safe way.
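The audit step described above, "verifying that the phone is receiving security updates for the OS", can be made mechanical. The following is an added example, not code from the commenter's company or from the thread: it reads the device's patch level from the real Android system property ro.build.version.security_patch (a YYYY-MM-DD string, readable with adb) and fails the check when that date is older than a policy-chosen maximum age or is missing or malformed. The 90-day limit and the adb-on-PATH assumption are mine; the "fail closed" choice for an empty or unparseable value is the important design point, since a device that reports no patch level should not pass an audit by accident.

```python
"""Audit helper: is an Android device's OS security patch level recent enough?

Added example (not from the thread or any MDM product). Assumes:
  - the patch level is the Android property ro.build.version.security_patch,
    formatted YYYY-MM-DD (real property; its value is constructed in tests);
  - MAX_PATCH_AGE_DAYS is a policy value the organisation picks (assumed 90).
"""
from __future__ import annotations

import subprocess
from datetime import date, datetime

MAX_PATCH_AGE_DAYS = 90  # assumed policy value; set to whatever your audit requires


def parse_patch_level(value: str) -> date | None:
    """Parse the YYYY-MM-DD property value; return None if empty or malformed."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def patch_age_days(patch_level: str, today: date) -> int | None:
    """Days elapsed between the reported patch level and `today` (None if unparseable)."""
    parsed = parse_patch_level(patch_level)
    if parsed is None:
        return None
    return (today - parsed).days


def is_compliant(patch_level: str, today: date,
                 max_age_days: int = MAX_PATCH_AGE_DAYS) -> bool:
    """Fail closed: a missing or malformed patch level never passes the audit."""
    age = patch_age_days(patch_level, today)
    return age is not None and age <= max_age_days


def device_patch_level() -> str:
    """Read the property from an attached device (assumes adb is on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    level = device_patch_level()
    verdict = "compliant" if is_compliant(level, date.today()) else "NOT compliant"
    print(f"security patch level {level!r}: {verdict}")
```

The date comparison is deliberately separated from the adb call so the policy logic can be unit-tested without a device; the same `is_compliant` check works on a patch level collected by any other inventory tool.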


Google isn't holding a gun to anyone's head or intentionally bricking devices, but if you use your phone for work (or it's a work-issued phone) and your employer requires you update to the latest security patches (enforced via MDM), the Pixel 3 is now useless.

And you're probably thinking "oh but this is an old device, just get a newer one for work." True, but consider that Pixel 6/6 Pro users got screwed over when the December update was yanked [0] and the January update got delayed for them [1] - while it was good for most users not to take the buggy update, anyone whose device had those security requirements ended up getting work-related functionality disabled.

Of course, the companies that set these policies are generally ones who will not make exceptions, so even though you had the latest and greatest from Google, you couldn't use it for work for several weeks until they finally pushed out the January security update.

"People who have MDM-enforced security requirements" might not be a large part of the smartphone market these days, but every little bit counts when it comes to reducing the volume of e-waste that usually ends up being dumped in third-world countries.

[0] https://www.reddit.com/r/GooglePixel/comments/rxiv5r/enterpr...

[1] https://support.google.com/pixelphone/thread/143968432/googl...


What drove me off of Android was my bank stopped supporting my device because of security updates. When I bought the phone it was a just released LG flagship, I got a full 18 months worth of sporadic at best updates, followed by nothing.

My bank disabled the app on my phone some 4 months later, when some major vulnerability was still unpatched on my phone. They told me to get a new phone, so I picked up a 2016 iPhone SE and went on my way.


Frankly I don't get why you still use Windows 7. For the Pixel I understand that you make a choice between throwing away perfectly good hardware and security, but for 7, I'm not aware of any PC that can run 7 that can't run 10.


It's really dangerous to suggest that it's okay to continue to use anything Internet-connected that doesn't get security updates.



