Well done to everyone who worked to support the FP2 with firmware/OS updates for this long, it’s a great achievement.
I read again the blog post from January, because it was linked in the recent newsletter:
the device will become more insecure over time
I don’t think this is actually the case. It won’t receive any more OS-level security updates; however, this actually means that it will stay with the same amount of security, and security (at the OS level) will not continue to increase over time. So it’s not as bad as the blog suggests.
Also, it’s even better than that, because the FP2 should continue to receive updates to Google Play System and most apps as well, for a few more years to come:
See that Android 6 devices are still receiving updates to Google Play Services!
So, I would have had a different and more positive spin on the blog post, I would have said “If it still works, and makes you happy, then it’s fine to continue using it”.
Well done to everyone who’s continuing to use their FP2, congratulations!
What is “security”? What is “an amount of security”?
Security, for me, is simply the extent to which the code running on the device is vulnerable to malicious practices. The whole problem is that, as soon as a vulnerability is discovered, the code must be corrected (this is called “patching”). If the code is no longer maintained, then new vulnerabilities won’t get “patched”, and the overall level of security therefore diminishes with time.
It’s like riding a bicycle (the device) against a headwind (more and more vulnerabilities): if you stop pedalling (correcting the software), the wind will push you backwards.
I knew this post would get some pushback, maybe I was overly flippant with my words.
You’ve all made good points, however I still believe that the blog post was overly negative.
I know that exploits are discovered over time, and now new ones (in the OS) won’t be patched. However, that’s only one part of the attack surface, which I suppose I could have included in my OP to make my point better. Still, even if part of the attack surface is still maintained, you’re right that there is a part which will no longer be, so the boat analogy is helpful because it means that new holes will not be patched (although I don’t think oars are relevant). In spite of that, having a newly discovered security vulnerability doesn’t mean that it will immediately be abused by an attacker, so a holey boat analogy falls down at this point. Maybe it’s more correct to say that the hull of the boat is no longer maintained, so it becomes more likely that holes will develop (a hole appearing is the analogy of an attacker taking advantage of a vulnerability).
What about bikes?! Well, I had thought of using a car analogy but decided against it.
Anyway, if I personally knew anyone still using an FP2 I doubt they’d stop using it just because these security updates had stopped, though I would certainly mention it and make sure they knew about it.
No. 1 rule of thumb in security related topics:
OS vulnerabilities have a much higher impact than app/program vulnerabilities.
If you gain access to the OS you can manipulate any apps running on it. The other way around, it's much more complicated to infiltrate an app to get system access.
Of course you can continue to use your device “almost safely” in case the OS is outdated but then you have to make sure to adjust your behavior on the device.
This means (for normal users) 100% offline. Never ever connected in any way to networks or other devices.
Recommending anything else is grossly negligent towards any other users that are less tech savvy and can't really verify/falsify such a statement.
Of course, if there are no patches, the security level declines. But still there is the possibility to use custom ROMs.
A further aspect:
I assume hackers developing tools for attacks won’t concentrate nowadays on outdated CPUs and their firmware. They cannot expect to achieve a lot of success, because there are not many devices left out there using such outdated systems. The conclusion could be that “no” new hardware vulnerabilities will be discovered.
And with an understanding of the risks and a medium to good level of secure behaviour, I would agree that it is not that big a danger to continue using the FP2 with a custom ROM like /e/ or LineageOS.