[BuuQu9hu]

The only solution seems to be reverse engineering the blobs and mainlining Linux kernel drivers, without both of those security updates get much much harder to impossible.

I've no idea how to achieve that on volunteer time, maybe a crowdfunded reverse engineering and mainlining org could work?

[kelnos]

One problem is that RE is time consuming (regardless of whether or not someone is paid to do it), and the useful life of phones tend to be much shorter than other kinds of devices, so digging apart a blob on one phone is likely to have a limited useful lifetime.

And for phones that the manufacturer actively supports, often a new version (especially if it's a new Android version) means new blobs to RE.

When you consider a lot of phones lose a ton of their user base after 2 or 3 years, it becomes much less attractive to even bother.

[BuuQu9hu]

The alternative; devices with no updates and no support outside their original OS, doesn't seem very attractive either.

Maybe we can create incentives for manufacturers to do this work themselves, but I doubt that will ever happen, unless maybe we start getting obnoxious viruses like there were on the PC at one point?

[kelnos]

Sure, that's not a particularly attractive outcome, either.

I just think it's unrealistic to think paid RE work is going to fill this need.

I think there are two realistic options: 1) the manufacturers suck it up and agree to support devices with timely updates over a longer lifespan, or 2) manufacturers open-source every bit of software that runs on the device.

#2 seems less likely, given that a lot of hardware is driven in part by loadable firmware these days. On the other hand, if that firmware is chipset-specific and not device-specific, and the chipset manufacturer can commit to releasing security updates for those, at least 3rd-party OS images could pull them in without help from the device manufacturer.

But really, it's all about demand: Apple tends to support hardware with new releases for 4-ish years as a matter of course, and i-device users are accustomed to expecting that. Android users just don't expect that, and your average user doesn't understand security enough to get why that's such a big problem. They likely mostly just think, "oh well, I won't get the new shiny Android version Jane has on her new phone, that's ok". If average users can be educated to the point where they will switch manufacturers if they're not getting security updates for the useful life of their phone, the manufacturers will listen to their declining sales. I just don't expect that to happen.

[gsnedders]

I wouldn't be surprised if it were easier to backport kernel security fixes to the version the blob depended on than reverse engineer the blob, given the relatively short life of devices in general.

That said, neither of those two options is easy!