Ask HN: My phone has stopped receiving updates. Should I be worried?

3 points by kartongsaft 5 years ago

Should I be worried about my phone isn't receiving any kind of updates from the manufacturer anymore?

I have myself an Google Nexus 6P that recently was declared end-of-life. I know that I will miss out new features that future Android versions will provide, but for me that's okay, but why should my device be excluded from security or nasty bug fixes. I still have weird bug that randomly make my phones completely silent. No alarms, no notification sound, no ringtone; I have been late for work a few times (and yes, I have tried to factory reset my phone couples of times).

Nowadays it seems that average lifespan for a phone is about 2-3 years, which have negative effects on environment, as people are forced to change phones.

Why not let people use their phones longer, let say 5 years (or even longer)? The manufacturer can still sell new models, but should provide and updated operating system much like what's is done on a computer. And if I'm not wrong, doesn't Apple provide longer lifetime for their iOS devices?

Why are we forced to this commercial behavior and what can the average user do to minimize environmental impact?

wtracy 5 years ago

First, the reasons for this situation:

Microsoft does not allow PC makers to modify Windows. This is why Microsoft is able to push software updates directly to all Windows PCs. Phone makers are allowed to change Android willy-nilly. This means that the OEM has to check each update and manually integrate it with their version of Android before it can be released. There's no way to keep getting system updates to an Android phone without the manufacturer paying someone to integrate those changes.

Why can't the manufacturers just open source their changes and let the community produce updates? Two reasons:

One, the manufacturers like to add "improvements" to Android, and live under the delusion that people base their phone purchasing decisions on these extra features. If they opened them up, a competitor could copy them, and the original manufacturer would lose their "competitive advantage".

Two, the carriers are obsessive about controlling everything. They don't want phones running custom firmware on their networks, and they pressure the manufacturers to prevent that from happening.

What can you do? Not a whole lot.

If you want regular updates on exactly how big of a risk you are taking, you can follow Google's security bulletins here: https://source.android.com/security/bulletin

Otherwise, my procedure would be to treat the phone like it's the bad old days of Internet Explorer 4.x all over again. Assume that any website you visit or attachment that you open can infect you with a virus. Assume that any financial information and any passwords can be intercepted by malware installed on the phone.

Specifically: Limit web browsing on the phone to a handful of sites that you trust. Avoid opening attachments to emails or texts. Do not do any online shopping or online banking on the phone. Avoid logging into any online account you can't afford to have broken into.

This is probably overkill, but back in the day the Stagefright vulnerability made it possible for any website to install software on an unpatched device. Unless you're willing to invest time into confirming that a similar vulnerability does not exist in your current system, the best option is to just assume that there is one.

  • kartongsaft 5 years ago

    > Microsoft does not allow PC makers to modify Windows. This is why Microsoft is able to push software updates directly to all Windows PCs. Phone makers are allowed to change Android willy-nilly. This means that the OEM has to check each update and manually integrate it with their version of Android before it can be released. There's no way to keep getting system updates to an Android phone without the manufacturer paying someone to integrate those changes.

    Yeah, pushing proprietary software make sense, as this enables Microsoft to have total control over their OS. But wasn't the goal with Project Treble to make it easier for manufactures to update their software? But on the other hand they want to sell devices, not maintaining old ones.

    > Two, the carriers are obsessive about controlling everything. They don't want phones running custom firmware on their networks, and they pressure the manufacturers to prevent that from happening.

    But, why? What are their gains?

    > If you want regular updates on exactly how big of a risk you are taking, you can follow Google's security bulletins here: https://source.android.com/security/bulletin

    It's kind of scary to look at this when handling a abandoned device and even more scarier when you realize that they are things that isn't listed here, like 0-day exploits.

    > This is probably overkill, but back in the day the Stagefright vulnerability made it possible for any website to install software on an unpatched device. Unless you're willing to invest time into confirming that a similar vulnerability does not exist in your current system, the best option is to just assume that there is one.

    Yep, and this is the reason why you shouldn't use outdated device as daily driver.

hourislate 5 years ago

Eventually you will probably want to root it and install LineageOS (or some other ROM).

https://www.androidpit.com/best-custom-roms-for-android

I have it installed on an old Nexus 5.

  • fosco 5 years ago

    +1 I installed lineages on my HTC one m8, felt like I got a new phone and I am happy enough to continue using my phone which I purchased in 2014.

    I am interested in the librem 5 by purism but am still hesitating spending $600 on what I think is a risky investment...

  • kartongsaft 5 years ago

    LineageOS seems nice. Can I still encrypt the phone? Is SafetyNet available?

DrScump 5 years ago

Is it rooted? That would stop OTA updates.