
Ask HN: My phone has stopped receiving updates. Should I be worried? - kartongsaft
Should I be worried about my phone isn&#x27;t receiving any kind of updates from the manufacturer anymore?<p>I have myself an Google Nexus 6P that recently was declared end-of-life. I know that I will miss out new features that future Android versions will provide, but for me that&#x27;s okay, but why should my device be excluded from security or nasty bug fixes. I still have weird bug that randomly make my phones completely silent. No alarms, no notification sound, no ringtone; I have been late for work a few times (and yes, I have tried to factory reset my phone couples of times).<p>Nowadays it seems that average lifespan for a phone is about 2-3 years, which have negative effects on environment, as people are forced to change phones.<p>Why not let people use their phones longer, let say 5 years (or even longer)? The manufacturer can still sell new models, but should provide and updated operating system much like what&#x27;s is done on a computer. And if I&#x27;m not wrong, doesn&#x27;t Apple provide longer lifetime for their iOS devices?<p>Why are we forced to this commercial behavior and what can the average user do to minimize environmental impact?
======
wtracy
First, the reasons for this situation:

Microsoft does not allow PC makers to modify Windows. This is why Microsoft is
able to push software updates directly to all Windows PCs. Phone makers are
allowed to change Android willy-nilly. This means that the OEM has to check
each update and manually integrate it with their version of Android before it
can be released. There's no way to keep getting system updates to an Android
phone without the manufacturer paying someone to integrate those changes.

Why can't the manufacturers just open source their changes and let the
community produce updates? Two reasons:

One, the manufacturers like to add "improvements" to Android, and live under
the delusion that people base their phone purchasing decisions on these extra
features. If they opened them up, a competitor could copy them, and the
original manufacturer would lose their "competitive advantage".

Two, the carriers are obsessive about controlling everything. They don't want
phones running custom firmware on their networks, and they pressure the
manufacturers to prevent that from happening.

What can you do? Not a whole lot.

If you want regular updates on exactly how big of a risk you are taking, you
can follow Google's security bulletins here:
[https://source.android.com/security/bulletin](https://source.android.com/security/bulletin)

Otherwise, my procedure would be to treat the phone like it's the bad old days
of Internet Explorer 4.x all over again. Assume that any website you visit or
attachment that you open can infect you with a virus. Assume that any
financial information and any passwords can be intercepted by malware
installed on the phone.

Specifically: Limit web browsing on the phone to a handful of sites that you
trust. Avoid opening attachments to emails or texts. Do not do any online
shopping or online banking on the phone. Avoid logging into any online account
you can't afford to have broken into.

This is probably overkill, but back in the day the Stagefright vulnerability
made it possible for any website to install software on an unpatched device.
Unless you're willing to invest time into confirming that a similar
vulnerability does not exist in your current system, the best option is to
just assume that there is one.

~~~
kartongsaft
> Microsoft does not allow PC makers to modify Windows. This is why Microsoft
> is able to push software updates directly to all Windows PCs. Phone makers
> are allowed to change Android willy-nilly. This means that the OEM has to
> check each update and manually integrate it with their version of Android
> before it can be released. There's no way to keep getting system updates to
> an Android phone without the manufacturer paying someone to integrate those
> changes.

Yeah, pushing proprietary software make sense, as this enables Microsoft to
have total control over their OS. But wasn't the goal with Project Treble to
make it easier for manufactures to update their software? But on the other
hand they want to sell devices, not maintaining old ones.

> Two, the carriers are obsessive about controlling everything. They don't
> want phones running custom firmware on their networks, and they pressure the
> manufacturers to prevent that from happening.

But, why? What are their gains?

> If you want regular updates on exactly how big of a risk you are taking, you
> can follow Google's security bulletins here:
> [https://source.android.com/security/bulletin](https://source.android.com/security/bulletin)

It's kind of scary to look at this when handling a abandoned device and even
more scarier when you realize that they are things that isn't listed here,
like 0-day exploits.

> This is probably overkill, but back in the day the Stagefright vulnerability
> made it possible for any website to install software on an unpatched device.
> Unless you're willing to invest time into confirming that a similar
> vulnerability does not exist in your current system, the best option is to
> just assume that there is one.

Yep, and this is the reason why you shouldn't use outdated device as daily
driver.

------
hourislate
Eventually you will probably want to root it and install LineageOS (or some
other ROM).

[https://www.androidpit.com/best-custom-roms-for-
android](https://www.androidpit.com/best-custom-roms-for-android)

I have it installed on an old Nexus 5.

~~~
fosco
+1 I installed lineages on my HTC one m8, felt like I got a new phone and I am
happy enough to continue using my phone which I purchased in 2014.

I am interested in the librem 5 by purism but am still hesitating spending
$600 on what I think is a risky investment...

------
DrScump
Is it rooted? That would stop OTA updates.

~~~
kartongsaft
No, factory image.

