How long do Android smartphones and tablets continue to receive security updates after they’re purchased?
The slightly shocking answer is barely two years, and that’s assuming you bought the handset when it was first released. Even Google’s own Pixel devices max out at three years.
Many millions of users hang on to their Android devices for much longer, which raises questions about their ongoing security as the number of serious vulnerabilities continues to grow.
Add up all the Android handsets no longer being updated and you get big numbers – according to Google’s developer dashboard last May, almost 40% of Android users still use handsets running versions 5.0 to version 7.0, which haven’t been updated for between one and four years. One in ten run something even older than that, equivalent to one billion devices.
The point is brought home by new testing from consumer group Which?, discovering that it was possible to infect popular older handsets mainly running Android 7.0 – the Motorola X, Samsung Galaxy A5, Sony Xperia Z2, Google Nexus 5 (LG), and the Samsung Galaxy S6 – with mobile malware.
All of the above were vulnerable to a recently discovered Bluetooth flaw known as BlueFrag, and to the Joker strain of malware from 2017. The older the device, the more easily it could be infected – Sony’s Xperia Z2, running Android 4.4.2, was vulnerable to the StageFright flaw from 2015.
Google recently had to remove 1,700 apps containing Joker (aka Bread) from its Play Store, only the latest in an increasingly desperate rearguard action against malware being hosted under its nose.
It’s not simply that these devices aren’t getting security fixes but older models also miss out on a bundle of security and privacy enhancements that Google has added to versions 9 and 10.
Kate Bevan, Which? Computing editor (and formerly of Naked Security), said:
It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers.
Bevan raised the interesting point that the idea that a device might only get updates for two years will come as news to most Android users:
Google and phone manufacturers need to be upfront about security updates, with clear information about how long they will last and what customers should do when they run out.
Google has issued the same response to several media outlets in response to the report:
We’re dedicated to improving security for Android devices every day.
We provide security updates with bug fixes and other protections every month, and continually work with hardware and carrier partners to ensure that Android users have a fast, safe experience with their devices.
In truth, users are being squeezed between two forces. On the one hand, Google is determined to drive the evolution of Android for competitive reasons, releasing a new version every year.
On the other are manufacturers, eager to keep people upgrading to new models on the pretext that the older ones won’t run these updated versions (which is not always true).
Security sits somewhere between the two, and despite attempted reforms by Google in recent years to make security fixes happen on a monthly cycle, the reality is some way from that ideal.
Eventually, there comes a time to discard an old device, but for most users that will be longer than two years.
To ram home the point about flaws, the March 2020 Android security bulletin patched a MediaTek flaw, CVE-2020-0069, which has being actively exploited in the wild for several months.
And yet MediaTek thinks it had a fix for the flaw last May, but device makers didn’t apply it. Even now that it’s namechecked in Google’s update, it could take months to percolate through to devices because updates happen so slowly. And this is a flaw known to be exploited in the wild.
Android users can check their Android version and get security updates by following this advice from Google.
Note: The small number of Android models using the stock Android One platform (Nokia’s 7.2, Motorola’s One Vision and a few others) receive two years of feature updates but three years of security updates.
Latest podcast – special episode
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Cassandra
So if I use my “Smart” phone (running Android 2.3.6 and not accepting updates) just for making phone calls (the hint is in the device name), what security risks do I run?
Some miscreant grabbing the balance of the PAYG £10 top-up that I put on it some time last year?
The same or a different miscreant grabbing the contents of my phone-book and making spam calls?
Anything else? Bricking it?
To have the ability to make a phone call whilst on the move should not require purchasing a new (expensive) handset every couple of years. Imagine if our cars became unsafe due to not being updated after a couple of years! (And with all the tech on cars nowadays we may not be far from that situation!)
Kurt S
If there was ever a case of “cavet emptor” this is it. Being caught between the manufacturer’s need for innovation and selling new phones and the carrier’s reluctance to send out security updates OR OS updates for last years super-duper-deluxe wonder phone, the consumer is screwed. Why spend a thousand bucks on the new flagship phone that is flawed to begin with and won’t be supported for much more than a year or two? Ego and greed (of all parties) sets the stage for this debacle.
Steve S.
Another ugly side effect of this debacle is that consumers have almost no choice if they want to remain reasonably secure AND not contribute to the environmental nightmares of e-waste and pollution from manufacturing new units before the old ones are truly physically broken. About the only way to accomplish both goals is to not buy smart phones in the first place which for most people is untenable in today’s connected world. Seems the situation is set up for both the consumer and the environment to lose… sigh.
rrogers31
The obvious question here (which I sincerely hope is answered in the positive) is, does Sophos mobile software protect these old phones? (Sorry if this is a personal question :) ). I am quite happy with my old equipment; one of which has its screen patched with glue :))
Paul Ducklin
AFAIK – and this is what our Play Store page says – you can use Sophos Intercept X for Mobile (or Sophos Mobile Security as it was previously known) on Android 5.0 and later.
Cassandra
Sophos claims that it is protecting my Android 2.3.6.
Sophos Security 3.0.1154; Sophos Security Guard 3.5.1324
Paul Ducklin
Hmmm. The current version of our product is 9.5.x so that sounds very old :-(
Cassandra
Looking further at this, Sophos Security 3.0.1154 has a pretty “alarming” set of “Permissions”
– Your Personal Information; read & write browser history, bookmarks; contact data; read log data
– Services that cost you money: directly call numbers, send SMS messages
– Your messages: edit/read/receive SMS/MMS
– Your location; course and fine (GPS)
– Network Communications: control near field comms, full internet access
– Storage: modify/delete SD card contents
– Phone Calls: read phone state and identity
– System Tools: Prevent phone from sleeping; retrieve running apps
– Network Comms: view network/wi-fi status
– System Tools: start at boot; kill background processes
Some of these are clearly necessary for an “anti-virus” app; has to receive new definitions and be able to act to “kill” viruses (if only human bodies could be subject to similar antivirus processes). Am I falsely reassured (with regards to my phone)?
But this list still looks over-permissive – or are these a natural consequence of an app that can remotely “brick” a stolen phone?
Paul Ducklin
Old versions of Android were pretty weird and clunky about permissions – you basically had to claim (and the user to grant) everything you might need up front – there was no way to add/remove/tweak individual permissions for an app later on.
So your assumption about the permissions being a sort of “cumulative consequence” of the features we wanted to include is correct.
These days, permissions on Android have sort of caught up to how they work on the iPhone, and they can be tweaked individually after an app is installed, too.
rrogers31
Thanks :)
Larry Marks
Does the Sophos product compensate for security flaws that were only fixed in, e.g., Android 8 and beyond if I am running an Android 7 phone? Or can I presume that once a vulnerability is fixed in the OS, the Sophos product no longer checks for it? If the latter, how does Sophos prevent the product from growing without bound?
Paul Ducklin
We’re not specifically looking for vulnerabilities but for malware, bad web links and do on. We avoid having to increase the size of the detection database for each new threat in a variety of ways, such as: using generic and proactive methods of detecting whole threat families (so that when a new sample appears we mop it up already without needing any new code or data); by using cloud lookups (so that data such as known-bad websites doesn’t have to live on the device); and by using machine learning detection (where the size of the data used to model threats doesn’t grow linearly with the number of threats).
Larry Marks
“How long do Android smartphones and tablets continue to receive security updates after they’re purchased?
“The slightly shocking answer is barely two years, and that’s assuming you bought the handset when it was first released.”
Two years for the Smartphones? What about the cookie-cutter tablets. I’ve had three or four of them and NONE have EVER had a single update provided! Not for Heartbleed. Not for StageFright. Not for anything.
I am not generally in favor of more government enforcement. The EC regulations horrify me. But years ago in the US, lawmakers had to begin requiring automobile manufacturers to make all repair pairs available for at least ten years. Maybe it is time to require security updates available for ten years.
Keith
Right on, Larry! My view is that software security updates are applied to repair a “manufacturing” (or operational) defect that the smartphone was shipped with, or that the vendor inadvertently created in previous updates.
Mahhn
I’m thinking it’s time for a supported android OS, like Redhat supports Linux.
Get a decent group of devs, a fun marketing team. Start a subscription OS, (yearly fee) and you get real security updates and regular fixes. Zero marketing/data harvesting. Sandbox those data thieving apps like goog (everthing) and FB. Offer a real user configurable firewall. And maybe a app store with very few, very mature responsible apps. And absolutely a way to back up and restore everything, for when that play store app infects everything.
Larry Marks
Mahhn, that’s exactly what the Essential PH-1 was. It was developed by Andy Rubin, the creator of Android. He promised continuing updates, for both functional and security purposes. And he delivered. There were several camera updates to more fully utilize its exotic features. Security updates came regularly. There was an update from Android 9 to Android 10, and bug fixes that followed–until last month when they shut down Essential with no notice. Apparently there’s no business case for a phone that comes with lifetime updates.
Mahhn
I looked at their page, still in business it looks like. But they are a device company primarily. I mean more like a strictly software company, supporting an OS on multiple hardware. (Redhat, Ubuntu) and to some degree early MS. Something goog, Samsung, nokia, and such would subscribe to. Because clearly goog has dropped the ball to force hardware purchases.
Larry Marks
Huh? Did you look at the first blog article? That’s the only thing that’s up-to-date on the site.
Paul Ducklin
The main page looks business-ish but if you scroll down you will see that the phone biz has reached the stage of Game Over: “As part of the company wind down, the security update for PH-1 released on February 3 is the last update from the Essential software team. Your PH-1 will continue to work but we will not be providing any additional updates or customer support.”:
If you don’t scroll down but click in hope on the “Shop” page [20200311T16:30Z], you’ll end up with a sketch of a rather tired and sad looking dog and a link that says “Read an update from Essential.” If you click that link, you’ll loop back to the Game Over page mentioned above.
The code is staying on GitHub, however, so you are not preventing from producing updates. You just aren’t getting them produced for you.
Pingu
Well isn’t Android based on the Linux kernel, so shouldn’t we look for a more obvious alternative?