back to article More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

File this one under "well, duh." Consumer mag Which? today published research estimating that over a billion Android devices are vulnerable to hackers and malware as they are not receiving security updates. Data obtained from Google by the publication found that 42.1 per cent of active Android users are languishing on version …

  1. Christopher Reeve's Horse

    And in comparison...

    My >10 year old Core i3 laptop has Windows 10 and all the latest updates. Admittedly it's a bit shit, but it works, and it's reliable and secure. How many Android handsets are usefully operable at the age of 3, never mind 10+ years. If the likes of Samsung et al think I'd splurge laptop prices (and decent laptops at that) on a phone that become obsolete irrespective of how well I care for it, then they've got another thing coming.

    1. big_D Silver badge

      Re: And in comparison...

      My brother-in-law and his wife replaced their 2013 Samsung Galaxy S4 mini smartphones last summer... Given how bad security updates were back then, that means at least 6 years of being vulnerable.

      1. Morten Bjoernsvik

        Re: And in comparison...

        > that means at least 6 years of being vulnerable.

        Commodo Usertrust expires in may2020, it means that any android older and equal to 5.1 will not work on sites using ssl certs issued by this root CA. You can install it manually, but that will be outside the knowledge of 90% of the userbase. Usually google updates androids cert trust when root CAs expire. Luckily most root Cas have a validation of 10 years.

        https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT

        My Employer had a root CA that expired in 2015 and it meant all androids less of 4.2 would have to install it manually to use our apps and our webpages.

        If you can get an updated firefox it may work because they maintain their own root cert store.

        You can look up the source for the cert store here:

        https://android.googlesource.com/platform/system/ca-certificates/+/master/files/

    2. Anonymous Coward
      Anonymous Coward

      Re: And in comparison...

      Calling BS on your nice little rant, first, because the i3 were introduced in 2010, so you can't have one older than 10 years.

      I wish I could introduce you to my nice little Sony Android phone, doing very well at 3, although there's no more OTA update for more than one year. My older Xiaomi also was fine when I sadly had to replace it, not for lack of updates, but there simply wasn't any genuine replacements for the user-replaceable battery when it died.

      1. Timmy B Silver badge

        Re: And in comparison...

        "doing very well at 3, although there's no more OTA update for more than one year"

        That's the whole point of the article. You are not patched for any issues for at least the last year. That's not great, really.

        1. BillG
          IT Angle

          Re: And in comparison...

          A smart privacy-aware user using a KitKat phone, is more secure than a dumb user that will install any cool app on the latest and greatest version of Android.

          My phone is running KitKat, it's rooted with a firewall & privacy manager. The only game is chess. It's a utility phone for work and communications. I don't walk the streets with my head deep inside the screen. I install a new app maybe twice a year & only after checking the permissions. It can run for three or more days without needing a charge. I'm more secure than any "user" that cheerfully installs an 8MB flashlight app with full phone permissions,

          1. rcxb Silver badge

            Re: And in comparison...

            My phone is running KitKat, it's rooted with a firewall & privacy manager.

            How's that going to help when you get an MMS message with Stagefright exploit blasted at you?

            Your smug sense of superiority isn't any protection.

          2. Timmy B Silver badge

            Re: And in comparison...

            "My phone is running KitKat, it's rooted with a firewall & privacy manager. The only game is chess. It's a utility phone for work and communications"

            You're not really a typical user, though, are you? Most people with smart phones couldn't get away with just having a feature phone like it sounds like you could. They want to have a device that's partly, or if not wholly, for "fun" things. For them a phone is a lifestyle gizmo. You may look down on their frivolity but I think that if they have a fully patched and up to date phone they at least have some chance of being a little safer.

            There are a whole slew of safety features and such in the newer versions of Android that perhaps you don't know about, too.

      2. Christopher Reeve's Horse

        Re: And in comparison...

        According to 'WikiChip' the i3 was released on the 4th January 2010, so it's entirely feasible to have an i3 laptop that's >10 years old. Would have it made much difference to the context if I'd said around 10 years old? I'll answer that - no, it wouldn't.

      3. TonyJ Silver badge

        Re: And in comparison...

        Core i3 first generation - January 2010. Given it is March, 2020, that is more than 10 years.

        Edit: Hadn't got to Mr Reeve's Horse's comment before I posted that.

    3. ComputerSays_noAbsolutelyNo

      Re: And in comparison...

      Smartphones are nothing more or less than shitty computers.

      Connected to the internet, yet inherently less secure and securable than a full fledged computer/laptop.

      They can run basically any application, yet we are more or less restricted to what a handful of app stores have on offer. There is no large software eco-system with plenty of opensource choice, than with regular computers.

      They are pretty much general purpose hardware, yet if the manufacturer feels like it, functionality is pretty limited. How long were iPhones incapable of wireless hot-spotting compared to Android phones?

      While, they are pretty much general purpose hardware, you're basically caught in an OS duopoly.

      list goes on ... feel free to add

      1. rcxb Silver badge

        Re: And in comparison...

        There is no large software eco-system with plenty of opensource choice

        So you've never heard of F-Droid?

        https://f-droid.org/

      2. Anonymous Coward
        Anonymous Coward

        Re: And in comparison...

        I don't agree with the "less secure" part.

        In particular iOS apps are very well sandboxed and have a strict review process with a trust chain. Feature access has to be approved indivudually. This is a strong contrast to Windows PCs where an application with admin rights can do pretty much anything it wants. Same with Linux desktops. Sure, there's SELinux and AppArmor but they're rarely used and complex to configure. Android has this much more worked out with its SELinux by default.

        Of course a mobile phone *should* be more secure than a PC. It's usually carried around everywhere and a compromise could lead to the ultimate snooping device. But it does feel like the 'root/admin can do all' model needs to go. Especially because too many apps require these rights for basically no reason.

        macOS is already heading in this direction though hasn't found a great compromise in terms of usability. Too many approval boxes: it'd be better have an option to deny by default or have a bulk permission approval like what is seen on Android.

    4. dave 81

      Re: And in comparison...

      Yes, that is not because of any manufacture support.

      And it is possible to do the same thing for your phone if there is a linageOS* version available, you can keep it up to date yourself.

      *or other OS if you really want. Don't know of any, and haven't bothered to look.

    5. Roland6 Silver badge

      Re: And in comparison...

      >Admittedly it's a bit shit, but it works,

      Just updated a set of identical HP desktop systems with mid-range generation 2 i3's from Win7, performance is definitely better if you do a clean install, letting the installer repartition the HDD and find relevant drivers from the web.

    6. Anonymous Coward
      Anonymous Coward

      Google could help

      By requiring anyone selling phones with Android on them to have the last OTA update be to generic Android, and set to allow generic Andriod updates thereafter (as long as the hardware can take it).

      1. jsa

        Re: Google could help

        Would be lovely were it that simple— they are making some headway towards this dream with the whole Treble initiative but one of the main issues is the fact that every Android build includes all sorts of blobs and patches from chipset vendors (Qualcomm, et al) who ditch support for old chipsets fairly quickly.

        One of the biggest issues (which also hurts folks like postmarketOS) is that the Linux kernels used in Android mobes almost always require tons of chipset vendor patches that are hard to extract and port to newer kernel trees— some hackers have gotten devices booting on mainline kernels but they’re few and far between for now.

        1. MrDamage

          Re: Google could help

          You could always go after the manufacturers of chipsets, and phones, under the "Right to Repair" legislation should it ever get passed.

          If the increased support costs leads to increased parts and thus increased phone prices, that too, will be a good thing, as it will slow down the upgrade cycle, and lead to less in the landfill.

    7. MrDamage
      Headmaster

      Re: And in comparison...

      > Admittedly it's a bit shit, but it works, and it's reliable and secure.

      Well, it was secure....

      https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/

      But apart from my pedantry over information less than 24 hours old on this publication, your point stands.

    8. darlingimp

      Re: And in comparison...

      >>How many Android handsets are usefully operable at the age of 3, never mind 10+ years.

      Still using my Samsung Galaxy S2. Still doing what I need it to do. It hasn't received any updates almost as long as my Windows 7 machines and decommissioned WSUS server.

      1. Screwed

        Re: And in comparison...

        Finally traded in my Galaxy S2 a few weeks ago. Mind, had sat in a drawer for years since I got an iPhone 6S.

        I was quite impressed that it still worked just fine within the limits of its extremely out-of-date Android. Even the battery retained decent charge.

        Immediately flogged the phone I traded it in for on ebay which helped my bank account to the best part of a hundred pounds.

    9. Cynic_999 Silver badge

      Re: And in comparison...

      And all you have to do to get the "security" of Windows 10 is sell your soul to Microsoft. Oh - and upgrade to the next Windows version as soon as you are told.

  2. alain williams Silver badge

    This is what the vendors want ...

    something to fall out of support so that the user feels pushed to have to buy a new one.

    They should be forced to support them for a least 5 years after the last one is sold - not from when it is first released.

    They hate people like me: my 'phone runs Android 4.3 (released July 2013). It would be nice to have an update, but I don't really care as I use it as a 'phone, so: voice, text, address book is what I use most. I do sometimes use it as a modem (tether my Linux laptop) and maybe once a month use the web browser. No apps other than what it came with, no Google account.

    I don't use its email client (I don't trust the 'phone enough), I don't do facebook or twitter.

    Most of the time: Internet, GPS, ... switched off so the battery can last a week.

    1. big_D Silver badge

      Re: This is what the vendors want ...

      The problem is, most people don't even know they are vulnerable.

      "Hey, its a phone."

      As long as their app du jour works, they don't know or care about anything else on their phone.

      My brother-in-law and wife replaced their 2013 Galaxy S4 mini smartphones last summer. I'm guessing they probably haven't had a security update since 2014.

    2. ComputerSays_noAbsolutelyNo

      Re: This is what the vendors want ...

      This sounds like the opening of an "would-like-to-be-millennial-internet-publication"; a style which tragically seeps more and more into general media.

      "I run an acient Android smart-phone, and mobe makers hate it!"

    3. Jason Bloomberg Silver badge

      Re: This is what the vendors want ...

      my 'phone runs Android 4.3 (released July 2013).

      Most of mine are 4.2 (Jellybean), plus 4.4 (KitKat), and a couple of 5.1 (Lollipop). But I don't generally use them as smart phones, mostly application platforms for in-house side-loaded apps. All but a couple have expired SIMs.

      They were all EOL cheapies when I bought them and have never had updates available. Probably a good thing because I imagine it would be like wading through treacle trying to run the latest version. Had to disable Google Play on most to get standby battery life back from a day to a week.

      But I expect most consumers have been upgrading to be able to run latest apps and games and have access to BLE and NFC and the like, are land-filling regularly. Or that 'one million vulnerable' would be a gross under estimate.

      1. BebopWeBop Silver badge
        Holmes

        Re: This is what the vendors want ...

        Are you a collector?

      2. ThatOne Silver badge

        Re: This is what the vendors want ...

        > that 'one million vulnerable' would be a gross under estimate

        Definitely. I made a little survey among my friends, family and colleagues (non IT, middle class, higher education): Only 1 in 10 has a phone which received any kind of update in the last 3 months. Their phones are indeed mostly old to very old (KitKat), since they all abide by the "why waste money since it still works". The quaint "it's a tool, replace it only if it breaks" mentality.

        If those numbers are any kind of indication, one can consider that 90% of the devices out there are and will remain insecure! And the number will obviously increase constantly since more and more phones become unsupported every day, some of them with still many years of effective life in front of them. Most people won't throw away they almost new $1000 gadget because it hasn't received any update for 6 months or even a year; At best they will sell it on Ebay, give it to some younger sibling or use it as a second phone.

        1. Cave-Homme
          FAIL

          The quaint "it's a tool, replace it only if it breaks" mentality

          Nothing wrong with the mentality at all, and it ain't quaint, it's actually an essential mentality we all need to adopt in order to stop the needless destruction of our planet - until at least phone manufacurers use recycled materials and renewable energy for production

      3. Jason Bloomberg Silver badge
        Coat

        Re: This is what the vendors want ...

        Or that 'one million vulnerable' would be a gross under estimate.

        Belatedly realised the article did say "Billion" - Oops.

        The one with the SpecSaver's ad in the pocket.

    4. fidodogbreath Silver badge

      Re: This is what the vendors want ...

      They should be forced to support them for a least 5 years after the last one is sold - not from when it is first released.

      Apple is actually pretty good about long-term device support. iOS 13 fully supports phones back to the 6s (released 9/2015, discontinued 9/2018). Rumor online is that the 6s/6s+/SE will be supported by iOS 14 as well. That's not quite five years from last sale, but it's longer than you get with even a Pixel.

      Premium Android phones tend to have a longer support life than the landfill variety, but they also cost just as much as iPhones these days. If you prefer to keep a device for a long time but also care about security, the longer support lifespan for iOS means you get more value from the iPhone.

      1. parperback parper

        Re: This is what the vendors want ...

        Apple certainly offer upgrades, but that doesn't mean they get accepted.

        My iPod Touch is still being offered upgrades, but as soon as I agree to one in a moment of inattention all the mobile games I actually like will disappear in a puff of 32 bits.

  3. TVU Silver badge

    In part, the problem lies with the phone manufacturers (here's looking at you in particular, Samsung) who refuse to release OS upgrades and subsequent standard updates to phones and tablets even though they're capable of receiving those upgrades. It's decidedly environment unfriendly because those same manufacturers want you to buy a shiny new phone from them even if there's a negative environmental cost.

    1. Anonymous Coward
      Anonymous Coward

      Isn't the problem that almost all of them are dependent on Qualcomm and it's Qualcomm that doesn't release the updates need to move to the next Android? Even the Exynos processors are dependent on some Qualcomm hardware, I think.

      Perhaps it's time to buy Huawei....oo err...

      1. doublelayer Silver badge

        Sometimes, but not really. Just look at the top three manufacturers for having devices on the latest update mentioned in the article. Nokia (TCL) and Xiaomi are mostly using Qualcomm processors and modems. Samsung makes more of that themselves, but also uses Qualcomm. If these three can do it, then most of the other manufacturers using identical chips can also do it. That doesn't make Qualcomm perfect, and I'm sure there are many places where they deny access to important updates, but the manufacturers can't just blame somebody else for their laziness.

        Unfortunately, Huawei has not proven itself to be great at releasing updates. While not worse than other manufacturers, they are by no means the best. Even worse, they don't have a great record of allowing users to unlock the bootloader and perform an upgrade manually. For that reason, I'm afraid we'll need to either look elsewhere or keep the pressure on if we would like something more lasting.

        1. Cave-Homme

          Xiaomi put Huawei to shame, and they also have placed a security layer on top of Android. Very good phones, very good price and specs, not shiny shiny fashion-victim phones. I got one for a family member a couple of years ago and when Apple stop supporting my 6s I'll be switching to Xiaomi myself.

        2. xanda
          Mushroom

          If only...

          "...we'll need to either look elsewhere...

          This assumes there is indeed somewhere else to go. After years of errant behaviour from the likes of Nokia et al, Android was touted as this 'elsewhere' due to it's mostly open source nature. For a while the CyanogenMod experiment gave a glimmer of hope as a credible option until, amongst other reasons, the wide uptake of closed-off MediaTek hardware proved yet another a barrier.

          "...or keep the pressure on..."

          In the absence of a serious marketplace contender there is really only one other avenue: regulation. It seems there is something to be said for obliging manufacturers to open up some of their code and other processes to prevent what is a flagrant abuse of the marketplace - maybe there are some racketeering laws being broken here? ;-)

          1. doublelayer Silver badge

            Re: If only...

            Unfortunately, I have to agree with you. We've had many alternatives, some of them good, and all have now died. The closest thing to an OS we can rely on on mobile devices is Lineage OS, which is great as long as your device is supported, which it probably isn't. It's disheartening to have to look at the pile of corpses of Ubuntu Touch, Tizen, Firefox OS, a few old Android mods, and if you just want updates and don't need open, Windows Phone and Blackberry's OS. However, I'm most afraid of what will happen in the future. Over the horizon I see the slow and unsteady but nonetheless present march of Fuchsia and Harmony OS, and I really would prefer that they not make it here. At least with Android we have some chance of breaking through. With things like these, that chance will be lost.

  4. jason 7 Silver badge

    Shrugs...

    But really...what's changed?

    Same story as before...just a year older.

    1. Pascal Monett Silver badge
      Meh

      Re: Shrugs...

      So we should all just forget about it then ?

      1. jason 7 Silver badge

        Re: Shrugs...

        Well what difference are we going to make? What difference did we make last year? The year before that?

        None. So..yeah carry on.

  5. fnusnu

    The real problem here is that obsolete devices report that "You have the latest updates" What's needed is a message which says this phone will no longer receive updates after dd/mm/yyyy and after that date the message should change to "Your phone is no longer supported".

    This would also make people think about which model they want to buy when they can see for themselves its eol date.

    1. Alan J. Wylie

      +1

      My Blackview BV9600Pro hasn't had an update since I bought it. Still on version 20190430 and telling me "Your device's software is currenly up to date".

      Naming and shaming is the only way.

      1. big_D Silver badge

        The same with my Android TV (Sony). It hasn't had an update since last August. It is now permanently offline.

        1. BebopWeBop Silver badge

          Mine has never been online.

  6. mark l 2 Silver badge

    I agree with other comments on here that manufacturers are probably more to blame than Google, as they are the ones that are responsible for pushing updates to the end users. The 3rd party ROM community often shows that older handsets are quite capable of running the newer versions of Android but the manufacturers have no incentive to spend the time making the OS updates for older devices as they aren’t making money from doing that, and would rather you spend money on a new phone instead.

    Google could do more though by making the Android one scheme mandatory for all manufactures who want to get their devices Google certified and use the Gapps suite on their devices. This would ensure that every Android device was guaranteed to get 3 years worth of security updates before it went out of support. And at that point I think the boot loaders for the phone should be able to be unlocked so the community can carry on supporting it past EOL.

    1. Christopher Reeve's Horse

      Both manufacturers and Google are to blame really. Google's design of the update process put the manufacturers in control, who then have no incentive to apply updates to older hardware. I agree that the Android One system should improve things, but how many consumers even know what that is? And why only 3 years? I get that handsets are more likely to suffer greater wear and tear, but why should there be any limit? Google don't exactly have a good track record here, remember that they are now imposing limited lifespans and expiration dates on Chromebooks.

      1. Psmo Silver badge

        they are now imposing explicit limited lifespans and expiration dates on Chromebooks.

        FTFY.

        I imagine that after a bunch of complaints and lost accounts they've discovered that enterprise admins dislike "you need to buy a new one" as an answer to roadmap queries.

      2. guyr

        Both manufacturers and Google are to blame really.

        In my experience, the responsibility goes further than that, to the carrier. In my experience, for an Android update to appear on my phone requires the cooperation of all 3: Google, the phone manufacturer, and the carrier (T-Mobile in my case.) Unless all 3 are on board, the update will not show up on the phone.

    2. Anonymous Coward
      Anonymous Coward

      Google has not done enough to segment the base OS from the cruft that handset vendors and operators put on them.

      If it could truly segment the OS, sort out the resulting driver issue, then there'd be no reason (casting aside performance) for devices not to continually get OS updates.

      I'd posit that 90% of devices get their components (camera, displays, etc) from a very small subset of OEMs, so there shouldn't be any reasons to keep drivers up to date too.

      And who suggested "backing up an android?" Wash your mouth out! What an abysmal shit show that is...

      1. ThatOne Silver badge

        > Google has not done enough

        That's from a user's perspective, which unfortunately is irrelevant to anybody but the users themselves.

        From Google's perspective everything is perfect: They have a quasi-monopoly on smartphone OS (and thus smartphone user data), while being protected from monopoly accusations by the existence of the Apple enclave. That's the best they can ever hope for. No need to change anything.

        As for the phone manufacturers, they are still regretting the glorious times of the smartphone boom, when their phones sold like hot cakes. To keep the same volume of sales, they need people to change phone often, very often, ideally twice a year, and they won't hesitate to do everything they can legally afford to achieve this.

        1. BebopWeBop Silver badge

          Let's see what happens with Chinese equivalents. I suspect Google really hate Trump's actions.

    3. Throatwarbler Mangrove Silver badge
      Unhappy

      I respectfully disagree. I bought a Google Pixel shortly before the Pixel 2 came out, with the expectation that I would receive Apple-like long-term updates. Nope. Google stopped pushing Android security updates for the Pixel in October 2019. I bought the phone three years ago, and it was, I think, not even a year old at that point! I can conceive of no reason that a company of Google's size could not maintain a build stream for Android on the original Pixel, so it can only be for profiteering reasons that they've chosen to discontinue updates, i.e. they want me to buy the latest model. What they've done instead is push me in the direction of another manufacturer, possibly Motorola.

      1. Version 1.0 Silver badge
        Unhappy

        A company Googles size makes money buy forcing consumers to keep buying their products - that's why security is an issue, security issues help sell gear, stopping updates helps sell gear, writing bad code that needs updating regularly helps sell more gear when you stop the updates.

  7. Valeyard

    lineageOS

    My pre-ordered oneplus one is doing great at 5 or 6 years old and with lineageOS it's getting updates every day, whereas my previous phone was a samsung I had for 3 years that received the grand total of one update in its life

    1. Anonymous Coward
      Anonymous Coward

      Re: lineageOS

      I agree lineageOS is great, but there are not that many officially supported phones. And it's not clear how to tell in advance of a purchase whether or not a given phone will be supported, or -- if it is currently supported -- whether (or how long) it might remain supported. I understand that there are good reasons for this, and the fact that any phones at all are supported is great, but lineageOS is not a panacea for all "no-update" problems.

      I recently installed an unofficial lineage rom for a J1, to be used as a handy cheap/semi-disposable second phone, but the locate/download/install experience was a bit unsettling, given the not especially well established provenance of the build [1]. Almost certainly better than the old official OS, given the advanced age of *that*, but, well, hmm.

      [1] I.e. Here's a link in a forum, to a mystery download site!

      NB: I didn't downvote, by the way.

      1. ThatOne Silver badge

        Re: lineageOS

        > lineageOS is not a panacea for all "no-update" problems

        Also because (something people here tend to forget) not every smartphone user is an IT wizard.

        In this case, changing OS is not just booting on a CD and answering some configuration questions. Even people who wouldn't hesitate to partition a HD and install complicated OS setups with multiple boots might get intimidated by the convoluted and risky process required to install a different ROM on a phone.

        (Now obviously some Android dev will pop up and claim it's very easy. Well yes, heart surgery is very easy too - if you're a heart surgeon.)

  8. Tom 35

    Random Moto

    My G7 went 6 months with no updates, then get 3 updates in one day (they seem to do updates every two months) and received the Nov update in reasonable time. But it's going to be a race to see if I get Android 10 before 11 is released.

  9. Anonymous Coward
    Anonymous Coward

    In other news...

    Yes, been in the news before from the dept. of the bleedin' obvious.

    Criminal that the manufacturers won't allocate resource to maintain devices only a few years old. Shareholder value and all that.

    Next thing, they'll be warning about older 'smart' TVx being a risk ;-)

    One solution for techs is to re-flash with newer Android custom ROM, but that has its own risks too.

    1. Christopher Reeve's Horse

      Re: In other news...

      Yes, it's old news, and yes, it's bleeding obvious - but it's still a problem, and the problem is getting worse not better. And yes, why not Smart TV's too? It if helps the wider public actually understand there's an issue then there's an improved chance that consumer pressure might influence a change in manufacturer (or regulator) behaviour. The environmental damage of wasteful smartphone production is too much of an issue - you're stealing my future, how dare you! ;-)

      1. Lorribot

        Re: In other news...

        And it is tablets, especially the cheaper end that are still shipping with 6 even though it is unsupported and will never get any updates.

        These are the devices the great unwashed public use for banking and all sorts of financial transactions so it is a sh^t fest waiting to happen.

        Techies may think they are sensible and it is all OK but it is the other 99% of the population that have no idea and need protecting from themselves.

  10. John Lilburne

    Par for the course ...

    ... what the tech industry wants you to do is to continue to punt out money to them every year. Software companies switch to subscription models, hardware manufacturers fail to update the firmware. Then you get industry shills whining about copyright media.

  11. Anonymous Coward
    Anonymous Coward

    Android One

    is the way to go. Hoping or asking for the OEMs to compile updates for their kit 3 months after said kit was released has already failed for good.

    And no legislation will ever change this. Legislation is pointless vs. the bottom line ...

    That said, my Nokia is one year old and I got the march 2020 update already. Google, unlike the OEMs, is quite serious for Android and security updates.

    1. I ain't Spartacus Gold badge

      Re: Android One

      Legislation can easily fix this. And a combination of consumer protection and environmental law can be the excuse for doing so.

      Simply give consumers the right of return, on the gounds that online goods without security updates are not fit for purpose. Then retailers will only sell phones that get updates. It's not like the manufacturers can't do it, it's just that they don't see it as in their financial interests. Make it so, and the problem should go away quite quickly.

      Even a market the UK's size should be able to force this, as it's not that expensive to update models - given that Google do most of the legwork. Some vendors might pull out of the market, but there's enough profit here for the likes of Samsung to still want to sell a phone or two.

  12. BebopWeBop Silver badge
    Facepalm

    Nice to see Which as up to date and on the ball as always

    1. Anonymous Coward
      Anonymous Coward

      I began to have doubts about Which when they did a piece on learner motorbikes back in the 1970s and selected as the best bet a Kawasaki 250 which was notorious for its dislike of corners and the way its front brake turned into an ice skate in the wet.

      When I was doing the research for the new car I eventually bought recently (I have OCD when it comes to these things) I checked the English, German, French and Italian reviews. The only bad one in the lot was...Which. As I believe they are quite litigious I won't comment further except to agree with your implication that lateness to the party is a thing here.

  13. James O'Shea

    I used to have an Android phone

    One of the reasons why I no longer do is precisely that there was a serious bug in its system, one which was addressed by a software update... which did not appear in the just short of a year I had the phone. The iPhone which replaced the Android got OS updates up until iOS 13 arrived, in Sept/Oct of 2019. It still gets security updates. I'll be replacing it, with another iPhone, later this year. Note that the Android did not get _any_ updates despite being less than a year old, while the iPhone has got updates for _five going on six years_. Yes, the iPhone cost appreciably more than the Android... but it's lasted five or six times as long as the Android, making the iPhone _substantially_ cheaper on a usage basis.

    1. rcxb Silver badge

      Re: I used to have an Android phone

      If you'd spent the same amount of money on a flagship Android phone you are spending on an iPhone, you'd get updates for years, as well.

      But yes, Android has many low-end options, where Apple does not. Some people absolutely HATE having choices and flexibility, and for them, there's Apple.

      1. Anonymous Coward
        Anonymous Coward

        Re: I used to have an Android phone

        If you'd spent the same amount of money on a flagship Android phone you are spending on an iPhone, you'd get updates for years, as well.

        Not necessarily. YMMV, but I had an unlocked Samsung flagship phone which got only updates for one year (3 updates at all). No carrier can be blamed, since it wasn't bought through any carrier, it was clearly Samsung's decision to EOL it one year later, when the new model was released. It was the last time I bought anything Samsung.

  14. insanehound

    the mobile operators don't care

    "Compounding the problem is the proliferation of older devices on sites like Amazon, where they're sold by third parties. The mag bought a handful of phones – including the Motorola X, Sony Xperia Z2, and Samsung Galaxy A5 2017"

    it worse people like giffgaff pushing recycling old devices heavily at the moment currently sell refurbished phones, eg

    https://www.giffgaff.com/mobile-phones/samsung/samsung-galaxy-s6/refurbished

    Samsung Galaxy S6 at a glance

    5.1" Quad HD 577ppi, Super AMOLED screen

    Octa-core processor (quad 2.1GHz & quad 1.5GHz)

    2,550 mAh battery

    Android 5.0 Lollipop

    16MP back camera and 5MP front camera

    Samsung Pay

    Wireless charging

    4G-ready

  15. jmch Silver badge

    Differentiation

    "Google's approach has allowed a broad sense of differentiation in the smartphone market"

    There are billions of Android devices on the planet. I bet that there isn't 1 single user anywhere in the world who chose their particular android device because they just HAD to have the specific flavour of bastardised Android provided by the device manufacturer.

    1. nagyeger
      Angel

      Re: Differentiation

      I chose my moto because my last moto ran lineage and unlike certain other mfrs motorola still have an unlock-code server. Hopefully they will in a few years when I need to swap... Does that count??

      1. Anonymous Coward
        Anonymous Coward

        Re: Differentiation

        We bought Motos because up until now they've been pretty generic Android without the kind of badly designed, badly executed "differentiation" that Samsung and others force on their users. Not sure if Moto under Lenovo still follows AndroidOne guidlines, but we continue to get updates on our now 2 year-old phones. A previous model got them for just over 3 years, but no more.

        I'm not a big fan of "transparency" or "notice" type consumer regulations, because they're mostly ineffective, especially in a duopoly market like smartphones. Real choice is a dangerous myth in these situations. But I do think that forcing manufacturers to replace the "your phone is up to date" message with "your phone is no longer supported" is the bare minimum any responsible government should require. Even if they can't push out a security update for technical reasons, they can swap out the text the update screen shows.

      2. Randall Shimizu

        Re: Differentiation

        The differentiation argument is irrelevant. The interface llike Samsng's touch wiz makes little difference. The only big difference is that the device companies and phone companies load their own apps. That is reasonable. But the differentiation argument is just part of device companies effort to get people to buy the latest phone.

  16. Lorribot

    Surprise

    An operating system not optimised for updates but to allow the supplier to gather as much information as possible on the user and let OEMs customise it, OEMs with no financial interest in supporting for more than 1 year. Some even selling old kit beyond the support of the version of OS they installed on it.

    Why is anyone even slightly surprised.

  17. Anonymous Coward
    Anonymous Coward

    my whine

    My big issues with the phone update mess are:

    1) 3 year old flagship phone model Q5 gets updates (small print: but only model AZ123 and cq533, those of you running the unlocked dr442 model of the Q5 are screwed, LG, I'm looking at you here).

    2) ok, fine, my three year old phone doesn't get to run Android Laffy Taffy (or whatever the latest name is). At least provide security updates! I'll live without having the cool looking new icons, or support for 12x1847352 ludicrous mode widescreen ratios.

  18. JohnFen Silver badge

    On the other hand

    The very notion of updating any software fills me with fear these days, so I'm in the camp of those who are happy not to be getting OTA updates. Not to mention that I would prefer not to use the more recent versions of Android anyway.

    I really, really wish that software makers would go back to doing separate security and feature updates, so those of us who don't want feature updates don't have to forgo the security patches. But I guess that's just not the world we live in anymore, and we're all poorer for it.

    1. Anonymous Coward
      Anonymous Coward

      Re: On the other hand

      You sound old.

  19. J27 Bronze badge

    I believe that all phones should be supported with software updates for 5 years from the time the last phone ships out of the factory. With phones getting better there is much less reason to upgrade, maybe the sheep will get tired of paying $1000 every 2 years and they'll demand better treatment. But until then, it's just us "enthusiasts" and we're not a big market.

    1. ThatOne Silver badge

      > they'll demand better treatment

      They won't, because they never heard about updates, security patches and all that boring insider stuff. They consider they bought a tool and thus are perfectly happy with a ancient, unsecure phone as long as it does whatever they want it to do (run Facebook and Candy Crush, send/receive texts and calls).

      If you start telling them about missing patches and security holes and all that, they retort they definitely won't spend several hundred for a new phone given their old one still works, and I can't really blame them: Money doesn't grow on trees, most people have to earn it and rarely have too much of it...

      1. xanda
        Unhappy

        Gotta luv them Softies...

        "They consider they bought a tool ... as long as it does whatever they want it to..."

        Functional stability is a big problem across the board with updates often doing enough harm to make users think twice. In Androidland, capabilities such as USB mode, call recording, Bluetooth compatibility and even 'Do not disturb' (to name but a handful) get arbitrarily deprecated - sorry, broken - thus diminishing the value of the 'tool' in critical ways.

        It is often the case that even the developers/manufacturers are unaware of the impact of changes and are subsequently unwilling to rectify them afterwards.

        This is not a phenomenon unique or new to Android but in this case, it's promise of openness ought to have mitigated such inertia and afforded the makers & customers with viable & accessible alternatives. Instead there's a fragmented, disjointed and ineffectual support landscape.

        No wonder Mr Torvalds swears so much.

        1. ThatOne Silver badge
          Unhappy

          Re: Gotta luv them Softies...

          > unaware of the impact of changes and are subsequently unwilling to rectify them afterwards

          Even if they were aware, they don't really care, because fixes are a pure waste of money: Manufacturers make their profit from selling hardware, not software, and throwing additional money after kit already sold is economically stupid. Since beancounters rule, they try to limit such careless effusions of altruism, or at least try having them done as cheaply as possible (which explains the fact most updates break as many things as they fix).

          And to crown it all there is the programmed obsolescence ("All right, we'll fix this - in our next phone"), which explains why no manufacturer is keen on maintaining his products in working order for longer than their initial shelf life.

        2. Barry Rueger

          Re: Gotta luv them Softies...

          In Androidland, capabilities such as USB mode, call recording, Bluetooth compatibility and even 'Do not disturb' (to name but a handful) get arbitrarily deprecated.

          On my laptop and desktop I happily run Linux because it's stable, reliable, and because the application that I installed a year or two back still works fine.

          I don't think I've ever gone a year without Google disabling some part of Android that I actually rely on.

          1. ThatOne Silver badge
            Unhappy

            Re: Gotta luv them Softies...

            > On my laptop and desktop I happily run

            Because it was equipment sold under the quaint old system of yesteryear. Nowadays your laptop and desktop would be boot locked and brick themselves after 2-3 years to force you to buy new stuff.

            You're not really "buying" hardware anymore, you only rent a conditional and limited right to use it for a short period as the manufacturer sees fit. Phones are the most obvious examples of this new system, but you find it on other devices and household appliances. Given it makes marketing feel all warm and fuzzy, this new system will quickly spread to everything else too (furniture which falls apart after a couple years, anyone?).

    2. Anonymous Coward
      Anonymous Coward

      Apple devices are supported for 5 years and in some cases longer

      The current software on Apple devices supports back to the 5S, so that is more than 5 years with iOS 12.

      You may not get all the bells and whistles but it at least it works and has security updates (main reason was any device with less than 1GB ram)

      For iOS 13 that supports back to the iPhone 6S (currently about 4 years old) and rumours will be supported in iOS 14 (again may not support all features but will have latest security updates)

  20. KorndogDev
    Linux

    My 1Gbit home wireless router is 11 yo

    yet it runs the most recent version of DD-WRT. It cans been done!

  21. Anonymous Coward
    Anonymous Coward

    A fix is not an upgrade.

    A "security fix" is not an upgrade, it's fixing a bug that existed at time of purchase, so as soon as a company stops providing security updates, you should be able to get a full refund, as the device is (and has never been) "fot for purpose"

  22. Conundrum1885 Bronze badge

    4.1.1

    Its older than Clinton's Presidency!

    In fact you could say it sucks like a collapsed star. Only keeping it because both my S3s are down due to screen problems.

    Think I have a dead S6 somewhere but £89 for a panel is.. EXTORTIONATE (DALEK voice)

    If someone happens to have one with the bootloop please let me know!

    My N4 is also a bit on the frelled side, has about the same battery life as a decade old Prius.

  23. Randall Shimizu

    Google needs to act more responsibly and require companies to issue updates & upgrades. Some of the Obama are actually still using Android 4.4..So the users are stuck with a old insecure version of Android. the other issue is that users stuck with old version does not work well. Google also needs to stop letting the carriers and device manufacturers control if a device will be patched or upgraded.

  24. Charlie Clark Silver badge
    Headmaster

    "Android has always been utterly fragmented."

    As opposed to only partially fragmented?

  25. Mike 137 Silver badge

    "... calls for manufacturers to be open about how long they will support devices"

    How about instead calling for them to get the damned code right in the first place so the phones don't need constant "support"?

    We have been suckered into a mentality about IT that wouldn't pass muster in any other field of technology - imagine owning a house that needed the builders to come in several times a month to fix the plumbing, the electrics, the gas pipes, the windows, the roof tiles. Would you be happy with that?

    Or would you be happy getting on an airplane that might suddenly decide to dive into the sea? (Ooops, sorry, that one's been done already).

    1. 's water music Silver badge

      Re: "... calls for manufacturers to be open about how long they will support devices"

      imagine owning a house that needed the builders to come in several times a month to fix the plumbing, the electrics, the gas pipes, the windows, the roof tiles. Would you be happy with that?

      I take it that you need to imagine this scenario because it sounds like you have never bought a new-build house from a volume builder in the UK.

  26. Anonymous Coward
    Anonymous Coward

    Apple

    Meanwhile how many Apple devices are in the wild, not on the latest iOS? (You can install it but it'll make it dog slow)

    Android particularly annoys me. My latest phone is very updated - every month with security updates. I have an Android 2.2 device sitting in a drawer at home. It's usable but there won't be any updates. That obsolescence isn't down to Android IMO but the vendors and their pushing of their next devices.

    At some point, you do need to stop supporting older devices.

    1. Anonymous Coward
      Anonymous Coward

      Probally not that many, given people upgrade Apple device quite often

      They do support updates still on the older iOS 12 and iOS 13 is the fully supported version.

      So unless you have an iPhone 5 or older you will not be getting updates but then this is an 8 year old device.

      Pretty sure most Apple users have upgraded from iPhone 5.

      And iOS 13 does run very well on all devices that support it.

      Google should simply change their business it that they will not provide the software to OEM unless they provide updates.

    2. Charlie Clark Silver badge

      Re: Apple

      Earlier versions of Android did often bring changes that required hardware support. But this, apart from hardware encryption, was largely finished by Android 4.

  27. razorfishsl Silver badge

    It needs to be centralized.

  28. Version 1.0 Silver badge
    Happy

    This is how you make money

    Manufacturers are busy selling products that "die" after a while so you have to upgrade and buy a new one. It's like smoking cigarettes - you use it, enjoy it, then buy another one. You make a lot more money buy selling shitty stuff than good stuff.

  29. Lazlo Woodbine Bronze badge

    Embedded devices

    Where I work we have a gym with half a dozen treadmills, they have a nice colour display for health apps and the like.

    When you dig below the surface you find out these devices are simply big Android tablet running KitKat, so long out of support, but still being used to connect to the internet,with users browsing, watching You Tube, doing their Facebook (really, in a gym?) and even phoning home with telemetry data, all without a single security update since they were installed, brand new, 18 months ago...

  30. chivo243 Silver badge
    Coat

    Dipped...

    my toe in the Droid pond one time! I bought a burner phone, as any phone shop I visited couldn't get a sim card to work in my iPhone 5. To this day I have funky issues with google calendar three years on. I will avoid the Droid at all costs... kinda like the dominoes noid!

  31. IJD

    OnePlus 3, bought June 2016, last update was to Android 9, security patch level 1 Oct 2019. Seems just fine to me...

  32. bofh1961

    I wish I'd been aware of this when I bought my first smartphone...

    I've still got it and I'll be going back to a dumbphone rather than be forced into upgrading perfectly good hardware. I've never been too keen on Google/Sony/EE having more control over the device than I do either. What Google have done with Linux is way beyond the pale as far as I'm concerned.

    1. Anonymous Coward
      Anonymous Coward

      Re: I wish I'd been aware of this when I bought my first smartphone...

      I'm still using an old feature phone.

      I dipped a toe in Smart phones, didn't like the frequent battery recharge requirements, among other things.

      The only way to get the Manufacturers, Carriers and Google to clean up their act, is to not buy their shit.

      But as the population is firmly on the teat at this point (or hopelessly addicted to Smartphone crack) there's little hope of that.

  33. Anonymous Coward
    Anonymous Coward

    All these exploits...

    All these exploits, and I still can't get root on a Moto Z Force running 6.0.1 by any means I've tried. (It's still on 6 because that's the last release before they made tether $10 a month...)

    Verizon, they locked the damn thing down so hard it can't even squeak...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020