How long do Android smartphones and tablets continue to receive security updates after they’re purchased? The answer: two years. And that’s assuming the device was purchased when it was first released. Even security updates for Google’s own Pixel devices max out at three years. Since many users hang on to their Android devices for much longer, they should be very concerned about ongoing security, especially as the number of serious vulnerabilities continues to grow.
One Billion Devices Outdated
According to Google, almost 40% of Android handsets still run versions 5.0 to 7.0, which haven’t been updated for between one and four years. One in ten devices worldwide use operating systems older than that, bringing the total number of outdated devices to one billion. At this writing, the latest version of Android is 10.0.
It’s not simply that the older devices aren’t getting security fixes, but they also miss out on all the security and privacy enhancements that Google keeps adding to newer versions of Android. This leaves millions of users at risk of serious consequences if they fall victim to hackers.
No smartphone suddenly warns users that the device is no longer safe. Security updates just quietly stop, leaving users oblivious to the mounting risk. Google says that it is dedicated to improving security for Android devices and that it provides security updates with bug fixes and other protections every month. Further, the company says it continually works with hardware and carrier partners to ensure that Android users have a fast, safe experience with their devices.
But other device makers may not have the same commitment to security…
The Security Squeeze
The cybersecurity firm Sophos notes that users are being squeezed between two forces. On the one hand, Google is determined to drive the evolution of Android for competitive reasons, releasing a new version every year. On the other hand, manufacturers want to keep people upgrading to new models and are eager to point out that the older ones will not always run these updated versions of Android. According to Sophos, security sits somewhere between the two.
Despite attempted reforms by Google in recent years to make security fixes happen on a monthly cycle, the reality doesn’t quite match that ideal. Even Google is slow to respond with fixes to newly discovered vulnerabilities, often allowing months to go by before taking action.
Complicating matters is that device makers are slow to apply bug fixes. Even urgent fixes could take months to percolate through to all their devices, which leaves users exposed to known flaws that are being exploited in the wild.
The Security Awareness Gap
Users’ lack of awareness is another problem – many simply do not understand the importance of implementing upgrades promptly. Normally, users will get a notification, open it and tap the update action. But they may clear the notification, or disable or postpone these “annoying” upgrades. Many users intentionally delay downloading updates so they can see what issues early adopters are experiencing.
Whatever the case, upgrades can lapse until they are forgotten entirely. Fortunately, some device makers like Samsung have put a limit on the number of times updates can be postponed.
When in Doubt
If uncertain about the status of your Android devices, you can check the latest Android version and security updates by following this advice from Google. Be aware, though, even Google warns that older devices can’t always run newer versions of Android. In that case, the solution is simple: buy a new phone.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.