Write about MTE (Android)

MTE is an extremely important security feature. As of now, only the Pixel 8 series and GrapheneOS support it.

We should make people aware of how important MTE is and recommend the Pixel 8 series and up. We should also mention that, as of now, only GrapheneOS supports it, unless the DivestOS developer is working on it too.

It’s a no-brainer to recommend the Pixel 8 series and up just because of 7 years of software support, and MTE is just another massive improvement over previous generations.

MTE also became a hard requirement for devices that want to be supported by GrapheneOS.


I’m not sure about the “extremely important” part of this. We don’t usually say people need security features beyond what stock AOSP provides by default without good reason. I don’t really see this as something that would make it worth upgrading to a Pixel 8 from a Pixel 4a (5G) or newer device.

We could certainly mention it as an advantage in the Android Devices section though. We already mention the 7 years of support on the 8 series there.

DivestOS doesn’t support the Pixel 8 at all AFAIK, so of course it wouldn’t support it.


When we talk about such big percentages, I think it’s extremely important.



I don’t have much knowledge on the subject of Android vulnerabilities, but it would seem to me that the statistic on its own doesn’t say much about the actual risk to users. If it’s 70% of a very small number of vulnerabilities or a very remote chance of being compromised by said vulnerabilities, it wouldn’t seem to be too much of an issue.

Cyber risk assessment includes likelihood and impact on the systems along with the vulnerability. You have to multiply the three to calculate the risk.

In the latest release of GrapheneOS, you can now enable hardware memory tagging for all user-installed apps on the Pixel 8 and Pixel 8 Pro to make them substantially harder to exploit. This is particularly useful for apps like Signal and WhatsApp.


We mentioned Signal/WhatsApp because despite having end-to-end encryption, they both have a massive amount of remote attack surface, use tons of memory-unsafe code for handling media, voice/video calls, etc. along with not using sandboxing. E2EE does no good if the app is exploited.