
> That's true, though I kind of don't care. Many people of course do care. My risk tolerance is higher than most.

It shouldn't be - common smartphone malware attacks now steal banking info, personal info, and even look for sexting pics that are used as blackmail.

> I suspect companies like The Google hold security over people's heads in order to effectively inject code and encourage buying new phones

The former is nonsense but the latter is kinda true. Or rather, manufacturers bake the cost of updates into phones, which are already low margin devices. This encourages shorter lifespans, which is actually a problem for Google.

> there's no reason to believe there's any vulnerability

There's always going to be vulnerabilities. And, they'll likely come via web views, not through attacks directly on the app.

All it takes is a service you use that embeds a webview (tons of them), to get SCA'd or injection attacked, and you've got a huge problem.



> common smartphone malware attacks now steal banking info, personal info, and even look for sexting pics that are used as blackmail.

> All it takes is a service you use that embeds a webview (tons of them), to get SCA'd or injection attacked, and you've got a huge problem.

Can you provide some evidence of these attacks actually being used in the wild?


They're not so common anymore, largely in part due to focused attention on that attack surface and continual software updates (!) via the Play Store - Google decoupled the webview rendering libraries from the OS. Malware such as SpyNote/CypherRat is commonly a sideload attack, but occasionally webview RCEs have been used to deliver it and others.

But as mentioned above, webview malware is rare today, largely in part due to fast patching and updates!


> [your risk tolerance] shouldn't be [higher than most]

In your opinion.

> The former is nonsense but the latter is kinda true.

What exactly do you think happens when a security update is performed? New code is installed on the host.

> There's always going to be vulnerabilities.

Yes. I should have said something like "exploit in-use" instead.



