Please clarify for noob: Security long term

Hi

Thanks to everyone for your effort!
I am new to alternative ROMs and don’t quite understand a few things, would be great if someone knowledgeable could clarify (yes I’ve looked through FAQs and the forum :wink: )

  • Let's say a device is past EOL, what security updates are still delivered from iode? Do I get it right that hardware vulnerabilities would be left open, because they are manufacturer-dependent, while software security keeps up to date, because iodeOS is updated longer than stock Android? If so, past-EOL use via iode is basically a better gamble than past-EOL use with the stock OS, but still a little gamble, because of potential hardware issues, correct?
    Also a little gamble because of delayed updates, compared to Google or Graphene?
    Is this hardware problem the reason that Graphene is not offering support past EOL?
    Also: I am a regular user and no government or cartel is after me, so how likely are such hacks anyway?
    (This topic should be more clearly answered in the FAQ, I think)

  • Apparently things changed recently with AOSP and Android 16
    (Will iodeOS be affected when AOSP becomes closed source?). Sony is recommended there, maybe as a joke. Are there any manufacturers that open source their hardware code? I don't want to make the switch to iode only to find out in six months that my Pixel 5 is no longer security-updated. In this case I would consider buying another phone where long-term support would be more likely. Recommendations?
    Generally my P5 does all I need and I would like to run it as long as possible.

Thank you

OK I attempted taking a stab at this about 4 times and deleted my half formed replies because it is tricky.

Let me try again. In short, since iodéOS is LineageOS-based, we benefit from all the security updates that Lineage provides. Lineage uses more of a hardware abstraction layer, meaning that their parts are somewhat interpolated / overlaid with the underlying Linux + AOSP base.

So when there are no new full AOSP source code releases for new Android versions by Google for Pixels, then ROMs directly based on AOSP such as GrapheneOS or CalyxOS will not be able to make new releases. This is also why they can't support devices on versions beyond what Google releases (so if a Pixel 5 is "EOL" by Google, it is also "EOL" according to them).

But this just means that Pixels are now in the same category as many other manufacturers that simply abandon their devices way before the hardware is ready to be recycled.

Lineage, as a "container" or "abstraction layer" on top, however, keeps chugging along. It takes any updates available from the upstream manufacturer's release of the Linux and AOSP base, and puts their containerized system on top. For example, I am happily running iodéOS 6.x, which is Android 15 based, on a Pixel 3a XL, which was only supported by Google (and by Graphene and Calyx) up to an Android 12 base. So the underlying Linux kernel is crusty, but the user-facing system is bang-up-to-date (well, OK, there is a delay due to Lineage needing to prep their Android 16 base; since it is again an abstraction, it takes them some extra effort).

A great majority* of security threats come at the user-facing layer (the "Android layer") from malicious apps or nefarious network interactions. As Lineage applies security patches monthly, you remain "updated" against many of these risks. But yes, technically you will not get underlying updates, so it is not as secure as a phone receiving full-stack security updates from the manufacturer.

For me, I will stick to Pixels for now: they are bootloader-unlockable, get longer vendor updates than most other vendors, and "used prices for performance / hardware quality" can't be beat, at least in the USA market (no, I haven't bought one new ever :slight_smile: ).

OK, let's look for someone with a more concise and clear understanding to help make some corrections to my long diatribe. Thanks for asking the hard questions, keep them coming!


If the device is EOL, you only get Android-related security fixes, but no hardware- and firmware-related ones.

GrapheneOS only supports Google Pixel devices from the Pixel 6 onwards. Not sure what they will do when Google stops shipping updates to the source code for Pixel devices. Also, the GrapheneOS developer spreads (unjustified and unsubstantiated) FUD about other custom ROMs (including AOSP): another reason to avoid GrapheneOS.

Not a joke. Sony make great hardware and they support custom ROM developers through their 'Open Devices' programme.

Thanks for all the replies.

These two pieces of information combined make me think that security is good enough for regular (careful and conservative) use and for extending the lifetime of my phone:

Regarding update speed and the unprotected weeks between Google and Lineage/iode updates, I will donate and maybe contribute my little bit to speedier updates. Also, I trust the project to ship faster should something gravely insecure come up.

I see. But they could change their mind anytime, just like Google did recently, right? Seems kind of voluntary, and no long term commitment.

They could, but there is no indication that they will. Their support and their commitment to their program is long-standing. Even if they did change their mind (which they won't), it would only affect new devices: the kernel and device sources for existing devices are already open and available.


You can also look to Brax, which is shipping their newest Brax3 with iodéOS preinstalled, or Fairphone, which can be purchased directly from the iodé shop, for hardware that has a bit more of a sustainability focus from the outset.

Not to forget Shiftphone. Sustainable technology from Germany | shift.eco
Now also available in the iodé shop.
I run iodeOS on the latest but one Shiftphone 6mq.


Thanks for the tips, rik and bege.
I'll extend the life of my current phone as long as I can and then check support and prices for all those models.
At the moment the Shift 8.1 leads by far: support till 2036 (according to Qualcomm) and fixable.
Brax: till 2030.
FP: software support till 2033 (though they have claimed support in the past where the hardware manufacturer had already stopped support, so that would need a double check).