[rfoo]

Except we don't live in the past decade anymore. Even though people are still sometimes reluctant to updates ("it only made my device slow!"), We made significant progress on patch distribution.

In the past a bug in the SMS stack could be mass exploited and still not getting fixed anytime soon. Not anymore. These bugs cost $10k~$100k now and once you mass-exploit it, they are gone.

[IncRnd]

> Except we don't live in the past decade anymore.

You do know that is a terible attitude for a real-world security posture meant to protect non-theoretical people's property and information against actual exploits?

> In the past a bug in the SMS stack could be mass exploited and still not getting fixed anytime soon. Not anymore.

While you may wish for patches to always take care of exploits before any phones are compromised, that's not much more than wishful thinking. You assume that all 0day exploits are both known and fixed immediately. That is 100% false.

[onion2k]

once you mass-exploit it, they are gone

That is only true of exploits that have obvious and visible impacts, right? If an attacker found an exploit and used it to put a rootkit on millions of phones, but did nothing with that rootkit and it had no outward markers, would anyone know?

[rvnx]

Yes, probably the backdoors that security companies implement on the phones to exfiltrate and sell data would reveal that.

[thfuran]

I wonder whether even as many as half of android phones are less than, say, six months behind on security updates. They're often quite slow in releasing for any given model, and that's while the phone even gets updates.