
One issue is that your Pixel 5 won't get any more security updates (past October 2023). My wife's Pixel 4A is in the same boat - perfectly fine except no more security updates. Doesn't matter much right now, but will gradually start to matter over time.


That's true, though I kind of don't care. Many people of course do care. My risk tolerance is higher than most. I suspect companies like The Google hold security over people's heads in order to effectively inject code and encourage buying new phones. If I haven't installed new software in a very long time, and most of what I use is FOSS, and I rarely ever update my apps, and there's no reason to believe there's any vulnerability, then I'm pretty lukewarm on changing anything.

That said, I have been contemplating a migration to LineageOS, which would provide security updates beyond October 2023, and possibly make my Pixel 5 even better than it already is.


> That's true, though I kind of don't care. Many people of course do care. My risk tolerance is higher than most.

It shouldn't be - common smartphone malware attacks now steal banking info, personal info, and even look for sexting pics that are used as blackmail.

> I suspect companies like The Google hold security over people's heads in order to effectively inject code and encourage buying new phones

The former is nonsense but the latter is kinda true. Or rather, manufacturers bake the cost of updates into phones, which are already low margin devices. This encourages shorter lifespans, which is actually a problem for Google.

> there's no reason to believe there's any vulnerability

There's always going to be vulnerabilities. And, they'll likely come via web views, not through attacks directly on the app.

All it takes is a service you use that embeds a webview (tons of them), to get SCA'd or injection attacked, and you've got a huge problem.


> common smartphone malware attacks now steal banking info, personal info, and even look for sexting pics that are used as blackmail.

> All it takes is a service you use that embeds a webview (tons of them), to get SCA'd or injection attacked, and you've got a huge problem.

Can you provide some evidence of these attacks actually being used in the wild?


They're not so common anymore, largely in part due to focused attention on that attack surface and continual software updates (!) via the Play Store - Google decoupled the WebView rendering libraries from the OS. Malware such as SpyNote/CypherRat is commonly a sideload attack, but occasionally WebView RCEs have been used to deliver it and others.

But as mentioned above, webview malware is rare today, largely in part due to fast patching and updates!


> [your risk tolerance] shouldn't be [higher than most]

In your opinion.

> The former is nonsense but the latter is kinda true.

What exactly do you think happens when a security update is performed? New code is installed on the host.

> There's always going to be vulnerabilities.

Yes. I should have said something like "exploit in-use" instead.


And why does that problem roll downhill to me? If Google can't convince me to upgrade they should be supporting devices longer.

Obviously I know they won't, because they want me to stay on the upgrade treadmill to generate profits. And realistically, even if it's only a small chance, any security issues could potentially cause unauthorized access to my bank accounts or whatever, so the short term pain of upgrading is probably worth it.

But on principle, this should not be allowed. We desperately need laws in place that any product that is not perishable needs security support for at least 10 years. We're digging ourselves a hole of e-waste for no reason other than shareholders demand it.


> And why does that problem roll downhill onto me?

You own the phone.


As a Pixel 4a owner myself, I was caught off-guard a bit that updates were EOL this fall "already"—the past three years have really flown by.

While I'd always previously driven either a pre-owned model or a new, on-production mid-grade, the announcement of the Pixel 8 road map with seven years of updates sealed the deal for me. I went the full monty for the Pixel 8 Pro with 1Tb storage.

It is a little big for most of my back pockets when I'm on the go, but since it's very close in dimensions to the Nokia 7.2 that I used prior to the 4a, it's already feeling quite natural in the hand.

And having the flagship optics package is pretty cool; something I'd always given up with the previous scheme.

But if the SLA had just been four or even five years I don't think I would have made the same choice.

(And don't even get me started on how the non-flagships have crap options for storage: 256Gb is not enough for active mobile users, but that's usually the cap unless you pop for the flagship. Grr.)


The first Pixel is still getting updates if you install LineageOS https://wiki.lineageos.org/devices/sailfish/ and I'd expect the Pixel 5 to similarly live on past Google's official end of life.



