
Why security patches aren’t always as critical as you may think

October 24, 2024

Android update and security patch lifespans are increasing, but not across the board. Less popular brands like Motorola and Unihertz don’t match the leading seven-year plans, only providing a few years of security patches. If you take social media at its frenzied word, any phone without yesterday’s security patch deserves trashing, putting your bank account, identity, and possibly kidney at risk.




What are the real-world implications of OEM-level security updates ending? Will consumers suffer consequences, or does the worry stem mostly from fear, uncertainty, and doubt? Despite countless enthusiasts preaching their dangers, phones past their security patch prime aren’t as hazardous as many believe. There are other ways to keep your systems secure.



Why security patches aren’t always so critical

Exploits fixed by today’s security patches rarely pose a significant threat as long as we don’t do something stupid. At the risk of angering the vocal contingent of smartphone fans who swear they’d never use a banking app on a four-year-old Motorola, I’ll outline why a lack of continued security patches won’t affect you.


For some industry insight, I reached out to Steven Athwal, CEO and founder of The Big Phone Store, one of the UK’s popular in-house refurbished phone outlets. His company relies on firsthand knowledge of how devices become vulnerable, what happens when they’re compromised, and how to avoid problems. Athwal was happy to share his firsthand takeaways while hearkening back to when up-to-date patches mattered more.

First, you probably aren’t very important

Some users need to stick to actively patched phones from manufacturers that provide timely support. For example, government contractors, health professionals, and workers with access to trade secrets can probably disregard most of what you’re about to read. However, their employers will make that fact clear, and most people aren’t at the same risk.



If you aren’t in a category like those described above, you won’t fall prey to the most fearsome security holes. The most destructive exploits can’t typically be directed at millions of users simultaneously. Instead, hackers target only individuals who are worth the time to defraud. That probably isn’t you. I have €27 in the fintech account linked to my phone right now, so it isn’t me either.

Many exploits require physical device access

Watch out for spies swapping your phone for an identical, compromised copy. Don’t let people plug it into strange machines. Don’t unlock it for Border Patrol agents when entering the US (turn off biometrics first, or they’ll force you to use them). Giving up physical access requires significant negligence.

Remote exploits exist. As CEO Athwal pointed out, “Windows had an issue called BlueKeep, which allowed remote code execution without any user interaction. But exploits like this are incredibly rare, especially in phones, and average users typically aren’t the primary targets.”



Patched exploits were often never even used

Google’s Project Zero encountered one of the most fearsome, widespread exploit sets in early 2018. They were so fearsome that they were never used, and everybody has forgotten about them. Athwal had to remind me (a guy who built a desktop PC and freaked out when they were found) that Spectre and Meltdown exist.

They were patched posthaste, which slowed performance, but no one fell victim. Athwal also explained, “These could openly expose you to malicious activity, but only if the attacker has direct access to your device and convinces you to install software so intrusive it alters the way your CPU handles code.”

You should know to avoid phishing by now


Banks, government offices, streaming services, and other organizations with your personal or payment info will never ask you to send login or payment details via email, text, or other types of message. If you get a message asking you to log in and fix something, don’t follow the provided link. Go there on your own via app or browser to enter details.

Similarly, if somebody calls you asking to confirm your personal information, hang up, then call the institution’s number to see if there’s a problem.

Fraudulent software is easily avoided

It is possible to download malware from the Google Play Store. With due diligence, it isn’t likely. Popular apps are tough to spoof, and software with next-to-zero downloads should raise a red flag.

Side-loading is a different story, but still not inherently disastrous. Sticking to reputable developer sources goes a long way. Many offer links to open source verification or code reviews that prove they are what they say they are. It’s important to pay special attention when side-loading apps. If you side-load apps, you’re likely more savvy than the average user and know to be on high alert.



You should avoid nefarious apps that give access to pirated content or otherwise break laws (something Android Police readers would never do). Those could land you in hot water.

Android is more secure than ever

I might not have issued this plea ten years ago. The platform has made significant strides in patching countless holes and systematically reducing the risk of newly found exploits. Some argue Android can be more secure than iOS (although that isn’t easy to quantify and prove).

Even if your device hasn’t seen a patch in two years, it’s protected from untold exploits. For potentially remote, zero-click hacks, like 2015’s Stagefright exploit, even old devices can be patched well after reaching end-of-life.


Protecting your devices, in all cases

Most hacks rely on you screwing up


It’s the first thing Athwal mentioned (and I immediately agreed): “Security threats often come from human error, like clicking on dodgy links or sharing personal info without thinking.”

Also, beware of trusting supposedly encrypted services. A seemingly secure messaging app’s client encryption, its server, its owner, or the message’s recipient can be points of attack. If you download unknown apps or access sketchy websites, your browsing habits can expose your identity, opening you up to malware, targeting, and data interception.



Keep Google Play Services and all your apps updated

Updating the framework controlling app operation won’t patch the same base-level holes as a full-on system security patch. Still, it often does enough to prevent malicious packages from elevating privileges and accessing other apps or data they shouldn’t. Athwal agrees, explaining, “Updating apps (not just your OS) is key as apps are a major security entry point.” Keeping every possible update fresh makes a huge difference in day-to-day security.

Patches help, but they aren’t everything

Finally, Athwal offered some real-world, philosophical advice. “Offering frequent updates is great, but can also give users a false sense of security. Brands that don’t offer many updates may force users to adopt better general security practices.”

This is where the terrifying internet discourse can come into play. Making a massive, world-ending deal out of two vs. four years of security patches doesn’t just miss the point, it can imply to bystanders that security patches make you completely safe. They don’t. You still need your own due diligence.



Security patches be darned, everybody should stay diligent

The point is: don’t freak out

I’m in no way arguing that you should ignore the importance of security patches. Even when they break things, like an incomplete iOS 12.1.1 update temporarily turning off mobile data (another incident Athwal reminded me of), they’re fixed in short order. However, that makes an argument for possibly waiting a few days before updating your system security.

“My phone is nine years old, and I’ve never had a problem” is a terrible rationale for ignoring either the manufacturer’s or one’s own safe practices. Don’t take one person’s word for it. Go out there and search diligently for real-world examples of remote exploits that unavoidably compromised a regular Joe’s phone to steal their money, social security number, or martini-drinking monkey NFT.


You won’t find many, if any at all, and your 2019 phone won’t lead to such a hack unless you fail to follow common-sense browsing and software guidelines. Even your banking app will work safely, with no rooting, LineageOS flashing, or Play Integrity API bypassing needed. You don’t need more worry and stress over something that isn’t an issue for most people.
