Literally the only reason I stopped using my last two phones was that the security updates stopped streaming in. Even now they sit in a drawer, perfectly functional, abandoned by Google.
It's one of the reasons I moved from Google to Apple. iPhones 5-6 yrs old still supported. I always thought iPhones were too expensive, but I didn't take into account the upgrade cost every 2 yrs on Android.
Same here, I bought my first iPhone almost 4 years ago. It still works like the first day. I used to like constant change (installing different ROMs, customizing my phone, waiting for the next cool Android UI refresh, switching phones every 2 years, etc.). But as I get older, I have started to like consistency and the feeling of using my phone for years without thinking too much about updates and whether I would get them or not.
This seems backwards to me. You can still run modern Android versions on old phones like the OnePlus One thanks to LineageOS. There is no custom ROM scene for iOS devices.
You should not buy a cheap device from a manufacturer with bad SW update reputation.
Look at the Samsung Galaxy S7 Edge, a 5-year-old device:
- Released with Android 6.0.1.
- Received 7.0 and 8.0 major updates.
- Has unofficial 11 support.
- Received September 2020 security update.
Cheap device manufacturers unable or unwilling to support software updates should be banned by law. It should be a part of their job. Instead, they often seem to release one "proof-of-work" initial release and then don't care and work on the next model to repeat the same. Pretty sad.
Show me one exploit in the wild that you would download from Google Play or be affected by using an updated Google Chrome from the Play Store.
Just because security updates stop doesn't mean your device is immediately insecure and cannot be safely used.
The majority of the phone's actual updates come through Google Play Services.
Meanwhile, I can show you an exploit in the wild that affects virtually all iOS devices even though they're regularly patched up: Jailbreak methods and iMessage zero clicks.
There was a six-part series on Google's Project Zero blog at the start of this year called the "In-the-Wild Series" which included Chrome and Android exploits. In May, Ars Technica had a post called "4 vulnerabilities under attack give hackers full control of Android devices" which detailed more exploits Project Zero had found -- there were actually 50 in the Android security bulletin that month, four of which were zero-day exploits explicitly described as "exploited in the wild" by a Google researcher.
I'm not going to argue that iOS is some super secure fortress of impenetrableness, or that Android is some kind of digital petri dish that becomes immediately infected with the 500 Viruses of Bartholomew Cubbins the moment it connects to wifi. But there are Android exploits documented routinely, some of them are serious, and some of them have been found in the wild.
Its last security patch is dated August 5th, 2019.
Play Services and Chrome are fully updated.
Where is there an in the wild exploit that you can point me to? Proof of concept or otherwise. I'll happily load it up in Chrome on my phone and let it compromise my system.
Meanwhile there's a zero click iMessage exploit article still on the first page of HN.
What gives you the impression that Android security updates only involve Play Services and Chrome as opposed to the file system, bluetooth, wifi, CPU, and GPU stacks, or anything else? Do you have a reason for believing that any of the numerous drive-by Android remote code execution CVEs published since August 2019 can be mitigated without updating any of the vendor and kernel components that Google had to update to stop them?
Let's ask ourselves this basic question: If Play Services and Chrome could keep an Android Pie system secure, why does Google bother with a separate security patch date?
> Meanwhile there's a zero click iMessage exploit article still on the first page of HN.
Maybe because it's news and critical Android remote exploits are found often enough to not be news.
> Maybe because it's news and critical Android remote exploits are found often enough to not be news.
Then you should have no problem being able to find one that will exploit my phone. I even gave you the specific Android version AND security patch level to target.
Get at it instead of pointing to the sky and saying "look!"
Enjoy your phone. Or don't. None of us are your mom, so we can't tell you what to do.
> Get at it
Abrasive demands are unpleasantly childish. Not being your mom also means that I don't care if you suffer from your own negligence. You can either keep yourself abreast of Android platform security woes or not. As Captain Planet says, the power is yours.
Dude, I literally mentioned articles with in-the-wild exploits that have been found for Android this year. "Yes, but those are from a few months ago, they are fixed now, and there is a CURRENT one for iOS" is not the "checkmate, iSheep!" move you apparently think it is.