Not sure where your getting your information but the Pixel 5 has not gotten Android updates or security updates in over 7 months.

There are tons of examples of exploits being used to target EOL phones as its common for people to not care about these updates, or be misinformed, so they are easy targets.

If OP or anyone else wants to use an EOL phone that’s fine but, don’t pretend its a smart security practice. Although even if I were to use an EOL phone, LineageOS doesn’t have the greatest background and isn’t really degoogled

I am not sure if there is an example of that specific situation as it would be pretty odd for a phone to be receiving security patches but not firmware updates.

Anyway its not super relevant as the Pixel 5 does not receive firmware or security patches anymore.

OP also seems to be inferring he suggested to his friend to use a very specific security / privacy OS that does not recommend using that model phone anymore for the exact reasons I mentioned. Plus the model is only receiving partial support as a stop gap for users to have time to get a newer model and won’t be supported much longer anyway.

Its always better to try and get firsthand knowledge through the FAQ then rely on, possibly inaccurate, Lemmy users. I would also seek answers on their official forum over Lemmy as well.

Did you try reading through the FAQ?

Pixel 5 is end-of-life and shouldn’t be used anymore due to lack of security patches for firmware and drivers.

I understand if your friend is on a budget and simply can’t afford a non EOL phone but, they should really consider a 6th gen Pixel or better if they care at all about their data security.

That’s not how end to end encryption works.

Your scared of a slide to the right but already falling for their propaganda to undermine privacy by destroying encryption.

Here you go:

“Google makes the most secure phone. Including for securing your phone against Google.”

Its better then explaining you rather risk your data security then buy a phone from Google.

For the majority of connections you can. Some connections bypass your VPN and there is nothing you can do about it. Its been reported to Google by multiple groups, including Mullvad but Google refuses to fix this.

I like grapheneos the product.

The staff is super abrasive and they constantly attack other privacy projects. See the recent attacks on Jonah from privacy guides, or the attacks on calyx, or the bs with rossman that forced micay out of the spotlight.

They need to hire an outside professional to manage their PR. The way they communicate is their biggest flaw.

FYI- Its not a ROM.

EDIT: for the person down voting a fact - https://x.com/GrapheneOS/status/1588599635337445377

The app was bought out 9 months ago by some mystery company, isn’t actually open source, and you have not switched or made backups? I’m sorry, this is as much a user error as an issue with Raivo.

Let be honest, If your threat model is truly to escape the NSA you probably shouldn’t be risking being on social media.

I think part of the reason people dismiss the idea that someone could have that big of a threat model is in most cases it would be unbelievably bad opsec to risk talking about your threat model on social media or something like the privacy guides forum.

I really appreciate privacy articles that talk about threat modeling as it seems like its the biggest part of privacy people miss.

You shouldn’t be installing extensions on mullvad browser anyway. This completely ruins it’s anti fingerprinting measures, which is one of the biggest reasons to use the browser. If your going to install extensions use Firefox or Brave.

If someone can identify you through your lemmy username an admin isn’t going to save you from your terrible opsec practices.

Lemmy is a social media service. Act accordingly.

Why would “community vetted” imply FOSS?

Microsoft has a massive community of users and sysinternals is highly regarded amongst amateur and professional users alike. The term “community vetted” makes perfect sense in this context.

Another case of a user with terrible opsec that proton will end up being blamed for.

What don’t you like about IVPN? Audited, open source, great reputation. I don’t even use them but seems odd to count them out.

It doesn’t matter what is being discussed, if its about proton the email incident gets brought up.

Here is the deal. No major company is going to break the law for its users. Had the activist been using proton vpn to create and access their email, Proton would not have had the info they were forced to give up. The takeaway from the story is bad opsec is usually what gets people caught whether its activists or hackers.

Whether you use Proton or someone else you will need to trust that service. If you don’t trust them, don’t use them. Its that simple, no need for conjured up FUD excuses.

If all your eggs are encrypted, having those eggs in one basket or five doesn’t matter from a security perspective. Its the same reason you wouldn’t split up your passwords to multiple password managers.

That being said the much more likely scenario is that at some point in your lifetime Protons values change (either by being purchased or new leadership) and you have to move on. That’s why, regardless of how good a providers security is, its good to have backups elsewhere.