There are over a billion outdated Android devices in use (danluu.com)
530 points by josephscott 3 months ago | 465 comments

With current and older devices working perfectly well, and new devices being even less serviceable and more user-hostile with greater efforts towards planned obsolescence, is it any wonder that people just aren't "upgrading" any more? I don't consider this a problem, but a sign of an ecosystem that is gaining stability. In fact I'd say it's even better, from an e-waste perspective, that the amount of churn has decreased.

Even in the low-end/unbranded devices, I'm seeing a gradual removal of hardware features and general lack of parts (screens, cases, etc.) availability, while replacement parts for models several years old are still plentiful.

I had an older phone with 4 GB space. I could keep about 15 apps running on it. A lot of these apps were important - Waze, WhatsApp, Slack, Uber, camera, etc.

So that left me switching between a budget of about 60 MB for games and unnecessary apps, though I can squeeze in a little more by clearing all the caches.

Now suddenly Samsung bugs me to update to the latest version of Android. The new update would take up hundreds of megabytes. My space was already highly limited.

I eventually gave in to curiosity and updated to Lollipop. The phone became unusable because I didn't have the space to install the apps I needed.

I ended up in a situation like that too, except the update auto-downloaded taking up most of my free space, but not leaving enough to install it. I didn't figure out how to reclaim the space so I spent months stuck without being able to install apps or updates before I gave in and bought a higher end phone.

Back up or sync important contacts and data, and then do a factory reset to restore the original OS. Make sure to turn off auto-updates as it will keep downloading them after the restore. It's a shame that phones keep losing features like micro SD.

> It's a shame that phones keep losing features like micro SD.

Phones keep losing features like micro SD (and like end-user replaceable batteries) because too many purchasers do not value those items highly enough to refuse to buy any phone that lacks an SD card slot or a user-replaceable battery.

Start refusing to buy any phone which lacks a micro SD slot, and the manufacturers will bring back the micro SD slots (granted, purchasers need to send the makers feedback that they refused to buy phone X due to lack of a microSD (and lack of a user replaceable battery)).

But buying a phone (any phone) which lacks one or the other simply signals to the makers that it is ok to drop those features, because the phone still sells.

I bought a brand new Android phone about 4-5 months ago. It has both a microSD slot (now holding a 128G SD card) and a user replaceable battery. I picked it because it had those features and I valued their presence. If enough others would get fed up with the lack of one or both, and start refusing to buy any phone without one or both, things would turn around.

I don't think that's so clear cut. I'm looking for a new phone now and I refuse to look at anything without a headphone jack. I've been repeatedly told online and by my friends that I'm weird - the headphone jack is dead, the ship has sailed, it's too late now etc etc. But how else can I vote on this if not with my wallet? I want a phone with a headphone jack but the choices are becoming narrower and narrower - and it seems that even picking up something with a jack does not necessarily send the right signal. Look at the original Pixel - it was Google's pride and joy that it still had a headphone jack while the iPhone didn't. Fast forward to today - Pixel 2 doesn't have a jack and no one cares.

> Pixel 2 doesn't have a jack and no one cares.

And this is exactly the problem. That no one cares. If enough cared, the first phone without a jack (iPhone, right?) would have been a sales flop, and maybe the message would have gotten back to leave the jack in the phone.

Instead, it sold, which tells the makers that dropping the jack was no big deal, people still bought it anyway.

Why would people value an SD card if the apps all refuse to use it?

The entire thing is a shit storm, every player seems to be against the end user (that is paying for everything, go figure). There's a protection racket in the form of patent rights enabling the shit to go on, but it can not reasonably survive in this shape for very long.

> Why would people value an SD card if the apps all refuse to use it?

Valid point, but the apps may just be refusing because most phones don't have an SD card anymore, and the authors are either being lazy or don't care (I don't know which) and simply failing to code in support for something they think seldom exists anywhere.

Although in my case, all my apps that I care about using the SD card are using the SD card. But then again I have 98% FDroid apps installed, so those may just be better behaved apps.

Curious, what phone was it?

Motorola Moto E4 (unlocked version).

Both of Samsung's flagships have microSD. I just wish they had a swappable battery and a flat screen.

Well even the existence of a Micro SD slot isn't enough. My girlfriend's phone had a Micro SD slot ... yet most apps refused to install there or write data there so everything was crammed into the 4GB built-in storage.

Ahhh Android - I only use iOS because I hate it slightly less

Samsung deserves a special shout-out for making their impossible-to-remove apps also impossible to move to remote storage, so their useless garbage takes up a solid amount of device storage even while disabled. It's frustrating how often smartphone customization/upgrading feels like an actively hostile process.

I recently switched from iOS to a Galaxy Note 8, and the sheer amount of garbage on the phone at setup is astounding.

I try to comfort myself by believing that sponsored app deals help keep device costs down, but it doesn't really work. I get that a few core apps (e.g. device-maker registration) are going to be permanent, but the deals for random unremovable crap like the NFL app are just insulting.

This is where Google should have a little foresight and mandate that new Android devices will need to have at least 32GB of on-board storage, for instance. I remember hating HTC for making phones with only 200 MB of free storage in the early days, while giving you an additional 2GB microSD card on which you couldn't install apps anyway. That hatred could have been avoided if either Google mandated a reasonable amount of on-board storage at the time (like 2GB).

If that happened, I wonder how soon apps will fill to expand the space. "Well, the user has at least 32GB on their phone, so we can take 30 of those, right?"

As someone who goes as long as possible without performing updates, this is exactly the reason why.

Example: Last time I updated my iPhone, the music app got an update and now they are trying to shove iCloud down my throat. Not to mention needless UI changes when I was more than satisfied with how it was before.

I understand this entirely, but there are some pretty bad iOS vulnerabilities out in the wild now (e.g. KRACK wpa2). It’s pretty dangerous to avoid updates nowadays.

I think what needs to happen across the industry is a complete decoupling of “feature” from security patching. Too many people are exposed because of exactly the kind of unwanted UI upgrades you describe.

Better have a bricked phone but secured phone? That is basically your argument?

Security is used to euthanize perfectly working systems and harass users for money. Security has become dangerous for the user in that aspect.

> Security is used to euthanize perfectly working systems and harass users for money

That's a cynical and paranoid mindset. Bloat is a lazy tendency not a malicious evil and developers tend to optimise for the latest and greatest if left unchecked and forced to consider backwards compatibility.

> Better have a bricked phone but secured phone?

Let's just say don't do any financial transactions on the device, or appreciate the general openness of your phone to malicious actors who might use it for nefarious purposes.

> That's a cynical and paranoid mindset. Bloat is a lazy tendency not a malicious evil and developers tend to optimise for the latest and greatest if left unchecked and forced to consider backwards compatibility.

As a user, do I care whether my phone is unusable because the developers wanted specifically to render older hardware unusable or whether it was just through their negligence in failing to consider older devices? Stupidity or malice, the result is the same.

> Let's just say don't do any financial transactions on the device, or appreciate the general openness of your phone to malicious actors who might use it for nefarious purposes.

I keep hearing this, but what's the actual presence of malware on Android? If you're not installing shady apps from the Play Store, what's your actual level of risk? Android, even old versions of Android, are far harder to reliably exploit than say, unpatched Windows. As long as you're not installing free-to-play flashlight apps that require every permission under the sun, I'd say your exposure to malware on Android is far less than it is on PC. For the average user, they're still probably better off conducting financial transactions on their phone than conducting those same transactions on their malware ridden laptops.

> Stupidity or malice, the result is the same

Yes, but whether we attribute the intent to stupidity or malice is important for the general health of our thought process. It's likely laziness combined with malice when it's noted. I imagine a dev getting up in arms about package size and then, when the issue is raised, it's not given high priority because someone twigs the convenient side effect. That's the worst case. Either way the mindset of paranoia is warped and self-centred. It's not because they're thinking of forcing you to upgrade; it's more because they're _not_ thinking of you and instead of the wide-eyed new sales opportunities that ship with greater disk space.

> I keep hearing this, but what's the actual presence of malware on Android?

Oh wow, you're gonna play this game? I could tell you that it's perfectly safe to trace the outline of a cliff with your feet, and in many, many cases it's going to be absolutely fine until the one case where the earth gives way and it's not.

Let me put it this way; when I see the tagline:

> there are over a billion outdated Android devices

my first thought is:

> what's the most effective exploit to tap into that market?

The existence of security flaws encourages action, and the hubris of not updating is the clarion call to those that exercise the exploits.

> I'd say your exposure to malware on Android is far less than it is on PC

This. What is this? This is complete conjecture. Get out of here.

> my first thought is:

> > what's the most effective exploit to tap into that market?

So??? What is it? Do let us know.

I'd venture to say that the fragmentation of that market makes it reasonably secure. Just like how the average router is incredibly insecure, and yet you don't advise people to avoid e-banking and just deal with their money in paper form and through face-to-face contacts.

Yes, you are technically right. But @quanticle is right, in practice: unless those users do some very stupid shit, they're pretty safe doing ebanking on their phones. (and those who do the "very stupid shit" are likely to do it on their computers, too)

Where are the Android LSASS worms? Or Android SQL Slammer? Or Android ILoveYou? Or Android NotPetya? Or any one of the literally hundreds of well-known malware strains that make the news every time they infect a few million PCs? Malware on Android certainly does exist, but the fact that Android has been out for this long, with this many outdated devices, and we haven't seen a single mass infection yet means that Android isn't as easy to exploit on a mass scale as people make it out to be.

I'm not claiming that Android is safe. Nothing is safe. But it does security professionals no good to be alarmists. If we cry wolf about literally every technology that ordinary people use, the result is not people giving up technology. The result is people ignoring security professionals.

If an ordinary user came to you and asked, "Where should I do my banking? On my phone or on my PC?" what would your answer be?

> I keep hearing this, but what's the actual presence of malware on Android? If you're not installing shady apps from the Play Store, what's your actual level of risk?

I wish I could quantify that. It's a hard task. But the store is not the only possible vector. On an old Android you're running a very outdated version of Chrome when looking at any pages / ads. That would be the most exposed/insecure element in the system.

Chrome on Android is updated separately from the OS release. Even old Androids have new Chrome. This is not the Safari-on-iOS situation.

The same is valid for the system WebView, but "only" since Android 4.4. It is updated via Play Store, independently from the base system.
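The distinction drawn in this sub-thread (OS patch level frozen by the OEM, Chrome and the system WebView updated through the Play Store) is something a defender can check per device. The following is an added example, not code from the thread or from Google: it parses constructed samples of `adb shell getprop` and `adb shell dumpsys package <pkg>` output (the line formats are real, the values are made up), reads the OS release and `ro.build.version.security_patch` (a property that only exists from Android 6.0 onward, so its absence is treated as "no known patch level"), and reads the `versionName` of `com.android.chrome` and `com.google.android.webview`. The 90-day patch age and "major version 60" browser thresholds are assumptions chosen for the example, not any vendor policy.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output for a device still on
# Android 5.1 (the getprop line format is real; values are made up).
# Android 5.x predates the ro.build.version.security_patch property, so it
# is absent here, which the assessment treats as "no known patch level".
GETPROP_OLD_DEVICE = """\
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.product.model]: [EXAMPLE-PHONE-A]
"""

# Constructed sample for a device on Android 7.0 with a dated patch level.
GETPROP_NEWER_DEVICE = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2017-08-05]
[ro.product.model]: [EXAMPLE-PHONE-B]
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` for the two
# Play-Store-updated browser components discussed in the thread.
DUMPSYS_CHROME = """\
Packages:
  Package [com.android.chrome] (1a2b3c):
    versionCode=316309800 minSdk=16 targetSdk=26
    versionName=63.0.3239.111
"""
DUMPSYS_WEBVIEW = """\
Packages:
  Package [com.google.android.webview] (4d5e6f):
    versionCode=316309850 minSdk=19 targetSdk=26
    versionName=63.0.3239.111
"""

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
VERSION_NAME = re.compile(r"versionName=(\S+)")


def parse_getprop(text):
    """Turn getprop output into a {property: value} dict."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_version_name(dumpsys_text):
    """Return the first versionName in dumpsys package output, or None."""
    m = VERSION_NAME.search(dumpsys_text)
    return m.group(1) if m else None


def patch_age_days(props, today):
    """Days since the reported security patch level; None if the property
    is absent (Android < 6.0 never reports one)."""
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return None
    return (today - date.fromisoformat(patch)).days


def major_version(version_name):
    """Leading integer of a dotted version string ('63.0.3239.111' -> 63)."""
    return int(version_name.split(".")[0])


def assess(props, chrome_dump, webview_dump, today,
           max_patch_age_days=90, min_browser_major=60):
    """Report the OS patch state separately from the browser component state.

    Both thresholds are assumptions for this example: a patch level older
    than max_patch_age_days (or none at all) marks the OS as outdated; a
    Chrome/WebView major below min_browser_major marks the browser stack
    as outdated. The two verdicts are independent on purpose.
    """
    age = patch_age_days(props, today)
    chrome = parse_version_name(chrome_dump)
    webview = parse_version_name(webview_dump)
    browser_majors = [major_version(v) for v in (chrome, webview) if v]
    return {
        "model": props.get("ro.product.model"),
        "os_release": props.get("ro.build.version.release"),
        "patch_level": props.get("ro.build.version.security_patch"),
        "patch_age_days": age,
        "os_outdated": age is None or age > max_patch_age_days,
        "chrome": chrome,
        "webview": webview,
        "browser_outdated": (not browser_majors
                             or min(browser_majors) < min_browser_major),
    }


if __name__ == "__main__":
    today = date(2017, 12, 1)  # fixed reference date so the output is reproducible
    for sample in (GETPROP_OLD_DEVICE, GETPROP_NEWER_DEVICE):
        print(assess(parse_getprop(sample), DUMPSYS_CHROME, DUMPSYS_WEBVIEW, today))
```

On a real device the three inputs come from `adb shell getprop`, `adb shell dumpsys package com.android.chrome` and `adb shell dumpsys package com.google.android.webview`; the point of keeping the OS and browser verdicts separate is exactly the one made above: a phone can be years behind on OS patches while its browser engine is current, and the two exposures should be tracked as two things.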

I was responding in the context of:

> As someone who goes as long as possible without performing updates

I take that to mean without updating the apps either, not just the os. I've seen people reject any kind of upgrades.

There are Bluetooth exploits and network adapter exploits which are for more localised fun.

That's one reason I'm still hoping for a Linux/Firefox phone.

> That's one reason I'm still hoping for a Linux/Firefox phone.

You should rather hope for GNU/Linux phones. Linux devices (without the GNU part) are, most of the time, just another locked device (see your Android phone, router, TV, etc).

The presence of GNU software pieces (or any software licensed under GNU [LA]GPL v3+) ensures the device is free of locks (or with user breakable locks).

> The presence of GNU software pieces (or any software licensed under GNU [LA]GPL v3+) ensures the device is free of locks (or with user breakable locks).

That's not true, as the Linux kernel is still GPLv2. So while you could swap out the userspace GNU utils, the device manufacturer can still lock the bootloader which is perfectly fine with the GPLv2.

Even if the bootloader is unlockable (e.g. LG allows this btw), you will most likely be stuck to a specific kernel version due to proprietary binary blobs which nearly every phone uses.

So instead of a GNU/Linux phone, you should rather hope for a phone with complete open source drivers (or a GPLv3 kernel).

> That's not true, as the Linux kernel is still GPLv2. So while you could swap out the userspace GNU utils, the device manufacturer can still lock the bootloader which is perfectly fine with the GPLv2.

Yeah, probably. But the presence of packages like GNU libc can make it harder for the manufacturer to lock the device.

> ... kernel version due to proprietary binary blobs which nearly every phone uses.

Sadly, binary blobs are always an issue. In the case of Linux, this happened because many Linux developers don't care about binary blobs. If they did, you wouldn't see any binary blobs (as it is a violation of the GNU GPL).

> ... with complete open source drivers

My main point was to quote that 'open source' doesn't solve these issues. We should take software freedom more seriously.

> ... (or a GPLv3 kernel).

I wish we won't have to wait until human civilization ends in fire to see this.

> this happened because many Linux developers don't care about binary blobs.

It is mostly users, not developers, who don't care about binary blobs. The users then take the "pragmatic" approach of using binary blobs, but hey, stuff works for them.

See also the Nvidia binary driver. Who is the advocate for that? Users (hey, never had a problem and it runs my apps very well) or developers (whoa, we cannot develop Wayland/etc with this)?

> It is mostly users, not developers, who don't care about binary blobs.

Partly yes, but mostly no.

You are right that most people don't care about binary blobs. But the people who can enforce this are the developers. If all developers agree and enforce this, no one can include binary blobs in the Linux kernel.

Also it would be wrong for a mere user to try to enforce it by law, because it might piss off the developers, which is really bad. Also, it might not hold up in court because the developers don't care.

> The users then take the "pragmatic" approach of using binary blobs, but hey, stuff works for them.

"Pragmatic"? Most of us are concerned about our immediate problems, and thus we end up with temporary solutions (most of the time), sometimes because we don't have a choice, sometimes because that's easier.

I recently got an ASUS eeepc which doesn't have graphics support, because when it was first released, the only support was a binary blob, which is now abandoned.

We will eventually face issues with these binary blobs, for sure. As we know, each day, new vulnerabilities are being surfaced.

But yeah, most of us won't care, until and unless something happens. But by then, it will be too late. Just like how many of us consider the importance of time only when we know we don't have enough.

So I don't think it is "pragmatic" in the long term.

> Also it would be wrong for a mere user to try to enforce it by law, because it might piss off the developers, which is really bad. Also, it might not withstand in court because the developers don't care.

And yet, it is the users who have the ultimate power over developers of such hw/sw. No, not courts, that's the entirely wrong solution.

Their wallets.

Such solutions are being developed only because there's money in it. It is only up to the users whether this factor is true or not. If they care about sources, they would not purchase hardware that requires blobs. If they don't care, and reward the developers with their money for the blobs, whose fault is it?

> Yeah, probably. But the presence of packages like GNU libc can make it harder for the manufacturer to lock the device.

glibc is LGPL, so I don't see how that should change anything?

> (as it is a violation of GNU GPL).

IIRC it's a gray area.

> glibc is LGPL, so I don't see how that should change anything?

glibc requires libgcc[0], which is GPLv3 (with runtime exception). The same for libstdc++[1].

[0] https://gcc.gnu.org/onlinedocs/gccint/Libgcc.html [1] https://gcc.gnu.org/onlinedocs/libstdc++/manual/license.html

The runtime exception makes it possible that everything else is proprietary, locked and unchangeable. Which actually is okay for apps IMHO, because I would want to run proprietary software like games (sandboxed of course).

The kernel really is the problem here and where there's no GPLv3 code used at all.

There's not much left to hope for as every platform that attempted one has fizzled out.

You can already have a Linux phone.

But it doesn't run my banking app.

Your bank doesn't have a website?

Yes, but it requires the use of a dongle/calculator to access it, whereas the app just requires a personal code.

Go ask your bank for an app for Linux.

Most banking apps are available for Android, which uses the Linux kernel.

Yeah, it uses the Linux kernel, but I wouldn't call it a "Linux phone".

I'll grant you that GP was being pedantic but he is also correct. The only part in Debian/RHEL/Arch/whatever that is Linux is the kernel. "Linux" only refers to the kernel. So technically Android is also a distribution of Linux.

I think what you're arguing is that Android isn't GNU/Linux or that Android isn't libre like what we've come to expect from desktop distributions of Linux.

How about Purism's Librem 5? https://puri.sm/shop/librem-5/

Librem 5, the phone that focuses on security by design and privacy protection by default. Running Free/Libre and Open Source software and a GNU+Linux Operating System designed to create an open development utopia, rather than the walled gardens from all other phone providers.

Isn't out yet and from what I can tell they haven't released much info about it yet. Maybe will be worth revisiting the idea when it's actually released.

If they release it with the slow outdated i.MX 6 CPU it will be terrible. Let's hope it will be the i.MX 8.

It’s not “perfectly working” if it is vulnerable to many hacks.

Google kind of does that, but OEMs do not seem to implement them into their phones.


What's the worst that could happen?

Do you mean the worst that could happen to you personally or the worst for everyone?

When your device is compromised by hostile actors I guess it depends on what your nightmares are, but getting framed for child pornography and/or blackmailed for it is a popular one. Or getting your cloud accounts hijacked and all your stuff compromised. Or getting the bad guys access to your employer's network. Etc.

Collectively a widespread Android device botnet could take down a lot of infrastructure, or start a war, or ruin everyone's days with ransomware. I'm sure more imaginative people have thought about it.

1. Ability to passively decrypt network activity (KRACK).

2. Ability to throw a fully persistent implant onto the device (via Wi-Fi exploit + pivot to AP kernel exploit)

Most phones already come with two persistent implants - the user-antagonistic OS, and the baseband processor!

I'm all for trusting computing devices to act as one's agents, but attempting to do so with anything resembling a modern mobile phone is barking up the wrong tree.

Even though just having one means taking the location-tracking hit from negligently designed cellular protocols, further exposure can be mitigated by using these little snitches for as little personal activity as possible.

At some point, reckless behavior affects people beyond the individual. I am irritated that people allow their systems, networks, devices etc to become compromised, thus becoming the assets of malicious actors. Most of the people in this category are not particularly savvy, which doesn’t give them an out so much as it explains the predicament. However, you are demonstrating that you choose to be in this category, despite understanding the problem. You are letting your personal convictions get in the way of good judgement. You now shoulder responsibility for knowingly making the world a little less safe for the population at large.

It's very fucking weird that by pointing out the larger non-corporate context of digital security, it's being inferred that I deliberately do not secure my devices. I guess by not toeing the AppGoogAzon "Security (TM)" marketing lines, I just end up in that "other - outsider" category, and must be wrong.

I already explained a mechanic of causality whereby assorted end nodes being owned up actually increases our security, as it helps keep at bay the simplistic/totalitarian philosophy of tracking/controlling communication. But don't let that get in the way of the malunderstanding that is ultimately driving this nebulous desire for promised "security".

Your phone will probably turn up in a botnet soon enough, but at least you had the moral high ground.

Do you have an actual number for "probably" - assuming normal browsing habits (i.e. not to the sort of porn site with a higher likelihood of installing malware), and an outdated version of iOS or Android?

How is that number changed by not using public wifi?

> i.e. not to the sort of porn site with a higher likelihood of installing malware

Porn sites are not where most malware comes from. Ad networks are. I've had more attempts at virus and malware installs from 'legitimate' sites that have had poor control of their banner ads.


> How is that number changed by not using public wifi?

You are, quite falsely, assuming that non-public wifi, say your friends house, is any more protected.


I'm not assuming anything: I asked a question, rather than stating a fact.

"Not significantly" would be a valid answer to the second question. However, you seem to be answering "are home routers entirely secure?", which wasn't my question: my question was about real-world risk levels (i.e. "_are_ public wifi points significantly more likely to deliver threatening payloads", not "_could_ they be").

I'd still be interested in an answer to the main question.

Oh no, not a month's allocation of mobile data down the drain!

An impersonal passive botnet would likely do less damage than status quo "apps" that are built to siphon as much personal data as possible.

Never mind these few Mifi devices that I have - default configs that listen on wan telnet with static passwords! Well known domestic manufacturer, not worth attempting to report - the manufacturer obviously did not care, has long moved on, and there's countless other models with the same problem.

The panacea of every node being secure with an identifiable owner fell apart long ago. You can either cling to that belief in a fundamentalist manner (and prop up the totalitarians who wish to track communication ever more). Or you can work on understanding how non-technical people actually attempt to moderate their own exposure to these insecure-by-design surveillance devices.

You should install security updates. Period.

You don't help anyone by feeling better because instead of having the vendor maybe sniff on you, a hacker can do it instead.

I also haven't found any apps yet that intentionally waste my monthly datacap.

Sure, and I didn't advocate doing otherwise. My point is the larger context - there is no "secure" on mobile.

Likewise, my point about losing a datacap was that it was preferable to having more personal info backhauled into commercial surveillance databases. It's not an either-or and I'm not desiring either one - just calling attention to the larger context of user-security versus the myopia of marketing/corporate security.

There is secure on mobile. Secure is not a binary property, it's a spectrum of options and possibilities which heavily depend on your environment and your threat model.

You either get security updates at the possible downside of sending more data to some database of a known vendor or you get the very possible risk of being part of a slide on DEFCON Fail Panel by some unknown blackhat.

I choose a known adversary over an unknown any day.

At its core, digital security is a binary property equivalent to mathematical proof. Since universal security is nigh impossible (two people can keep a secret if both are dead), we then predicate it on various trust relationships / threat models - what one is secure against.

The modern non-technical but security-conscious person concedes that their devices are pwnt by (ie they are forced to trust) AppGoogAzon anyway, and simply shies away from trusting technology. The phenomenon is what it is - I'm not advocating for it, but advocating for understanding it.

Furthermore, are you saying that you actually know all the players in the commercial surveillance industry?!

I'd appeal to your same argument of known versus unknown, but point out that at least the motives of the rando blackhat are known. Whereas the surveillance industry will be innovating new ways of monetizing their malicious databases for the next century!

That's a rather narrow mindset. As previously explained, security is not binary, even in the circumstances you mentioned.

I don't know all the players in the surveillance industry, but I'm not so paranoid as to believe they are worse than the black hats.

You probably also have little probability of knowing the actual intentions or motives, which actually helps little in threat mitigations.

It's not a "narrow mindset", but a formal basis that fosters analysis.

It's true that drive by black hats could be looking to snarf up all the personal information they can, and selling it into the corporate surveillance databases. I just think it's less likely than they're looking for a quick hit to defraud some banks.

It's not a matter of "paranoia" (there we go again with the handwavey maligning subjectivity!), but of looking at the outcomes. It's paradoxical - the things we think of as "bad" really are not that worrisome, because the shared goal is to correct them. Meanwhile the things we think are "just the way it is" form an insidious creeping trend.

I have very little fear of say my bank account being drained, because if that actually were to happen, then we're in general agreement that it will be made right - from bank policy on up to common law. Whereas if my de-facto mandatory insurance rates mysteriously double, there is both little immediate recourse and many people will even argue in support based on the just world fallacy!

I'm honestly quite surprised people went to the trouble of downvoting all of your comments on this thread; I think people are talking past each other and missing the bigger point that some threats are being ignored because of their insidious subtlety.

As another comment mentions; security is not binary.

Binary Security is a sign you failed at security. You can be not secure at all, somewhat secure, etc, against a set of threat models or anywhere in between those steps.

Whether or not you have properly prepared against a threat model and you are confident in defending against it is a binary property (or rather, two binary properties) but the underlying security is not.

> Most phones already come with two persistent implants - the user-antagonistic OS, and the baseband processor!

I don't trust Apple or Google to have my best interests at heart at all, but I am quite confident that neither of them will literally try to extort me with ransomware or kiddie porn. It's weird that you're equating the two.

Most people are willing to accept the risk that the NSA is listening in on them. Most people are not willing to accept the risk of an arbitrary person being able to steal their identity.

That already happened as a result of Equifax. Your SSN is no longer secret...so rejoice, you are free to choose whatever phone you like!

Sadly, the world is not America and most people on this planet are unaffected by the latest problems of America.


Naturally. For some reason my brain treats those two phrases as equivalent.

Like 95% of the world, I don’t have an SSN.

Even if every American owns one of those outdated Android phones, 2/3rds of the phones would still have to be owned by people who don’t have SSNs.

If one's "identity" is so bland that it can be trivially "stolen", then perhaps it's not much of an identity after all.

For people living in America an identity is a name, date of birth, mother's maiden name and SSN. If you lose these, you could be the victim of fraud.

But you already knew that didn't you? You deliberately misinterpreted what he meant by identity theft.

Mexico and Brazil use SSNs?

I am a USian. The nonsensical concept of "identity theft" has been promulgated by the surveillance industry to avoid responsibility for their own negligence. A person cannot become a "victim of fraud" in the way you describe. The banks are the only parties that stand to be defrauded, and they could avoid this by stopping pretending that a few bits of semi-public information are enough to identify a person. So far it has been more profitable to keep the gravy train of easy credit rolling, which is fine. But that doesn't mean we should bear the burden for them!

When someone earnest talks about their "identity being stolen", I prefer to think of them as complaining that one of their friends bought the same pair of red Nikes or whatever.

This all might be true, but as a reason to not install patches, it still makes no sense. If you don’t trust the baseband or the OS, why did you buy the phone to begin with? You trust iOS n, but not iOS n+1?

One is forced to buy a phone, as an expectation/requirement of modern society. This does not imply they wish to spend even more money in support of the broken ecosystem every year/six months/etc.

You're not forced, particularly not to get a smartphone.

You're trading off convenience.

Similar questions were likely asked by owners of insecure routers/cameras before they got hit with Mirai.

If only security updates were unbundled from feature updates one could update with fewer worries.

Multiple release branches are a pain for many reasons. It's very unlikely that companies would spend time doing that, even if they were given a chance to do so.

I can certainly see why multiple branches aren't popular - device fragmentation is bad enough without trying to identify which update branches are affected by some new security bug.

That said, I think companies that require up-to-date devices for security fixes deserve less leeway about the contents of their non-security releases. I've gotten multiple smartphone updates which I considered entirely harmful - they traded cosmetic or vendor-friendly changes against worse battery/performance/usability - and I think "let us break your device or you can't have security" is an unacceptable proposition.

Exactly. Apple needs to separate UI and security releases until they can work out the bugs. So many issues with new updates and UI glitches.

It's more than UI changes: the update from iOS 10 to 11 removed support for 32-bit applications, rendering dozens of applications that I use daily (and have paid a lot of money for) unusable. So now I have to decide between two bad options - not being secure or losing all that invested money.

With the incentive structure of updates for certain popular software not supported by other revenue, you're always going to get a worse version (more ads, fewer features), to such an extent that I turn off all updates and only whitelist a few. Permissions are the way to lock down phones, along with security patches, not the permanent beta that is updates.

Security, basically. If you care about your privacy, you should care about security (can't have one without the other). You need an updated phone for that.

That shouldn't be the trade-off, though.

I think your average smartphone owner doesn't understand all this anyway. They look at their 3-year-old phone and say "it works fine and does what I need it to do", look at the new ones on the market and say "I don't see anything compelling there to justify that price tag", and so they don't buy a new phone. Most people don't realize that their phone has gaping security holes in it that will never be addressed.

> That shouldn't be the trade-off

Right, but it is the tradeoff.

Of course it shouldn't be, but unfortunately it is.

On the other hand, if you care about privacy, then not updating your apps often helps too.

Damned if you do, damned if you don't.

I think if you update often enough (at least when some vulnerabilities are found), you're safer than if you don't.

Except many times the update will ask to expand its access to information in your phone it shouldn't need. So you choose between explicitly granting permission for unnecessary data access or don't update and hope you don't get owned via a vulnerability in that app.

Those are the apps that I remove from my phone. Holding my security hostage to get at more data? Deleted.

So instead of finding some way to block or spoof a developer telling you they need different permissions, you'll wait around until some hacker breaks into your shit, feeling like you beat the system?

In an imperfect system, you end up with imperfect solutions.

This is a tradeoff. Do I accept the developer demanding access they do not truly need, or do I accept the risk of a hacker gaining access to my phone through the developer's application?

If a hacker gains access to my phone through the developer's application, what do they gain access to? At the maximum (hopefully! unless they springboard to another hack and pwn your whole phone or other applications) they have what the application has access to.

Attack surface management is a lot more complex than just "always stay on the latest shitware that the developer can shove down your throat".

Not having a smart phone is probably up there with being serious about security.

Fully agreed. Running a smartphone and worrying about its security seems at odds. Rather, we should treat our "phablets" like public, insecure terminals, with "spy" sensors anyone can access given sufficient effort.

I think you mean not using mobile internet through cellular or Wi-Fi networks is being serious about security.

Security isn't as big of an issue with many of these devices as you might think. Unless it is years out of date, Play Services still gets updates, the system web view still gets updated, Chrome still gets updates, and in many cases the vendor will still roll out an emergency patch if there is something serious.

That's a huge guessing game, though - remember StageFright? You could have a phone with an up-to-date Chrome, up-to-date Play Services, and still be trivially exploited simply by viewing a standard video file. (Not to mention wondering which of your apps uses an out-of-date embedded web view.)

I would submit that the number of people qualified to safely make (and update) that risk assessment is extremely small, and all of them would recommend updating to a version which patches problems rather than hoping you can dance around them.

StageFright was patched on a LOT of devices that "no longer received updates". The concern with embedded web views is overrated, as Android actually updates those via Play Services now.

For all of the talk of how awful this is, actual exploits are almost unheard of.

- Bluetooth driver does not get an update
- SSL is not updated
- kernel is not updated
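The list above separates what the Play Store refreshes (Play Services, WebView, Chrome) from what only a platform update can fix (kernel, drivers, system TLS). An added check, not from any commenter, that reads the platform-level facts from `adb shell getprop` and `/proc/version` output and reports how stale they are; the sample output below is constructed, and the 90-day staleness threshold is an assumption:

```python
import re
from datetime import datetime

# Constructed sample of `adb shell getprop` output for an out-of-date device
# (an Android 5.0.2 handset like the one mentioned elsewhere in the thread).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [5.0.2]
[ro.build.version.sdk]: [21]
[ro.build.version.security_patch]: [2016-03-01]
[ro.product.model]: [EXAMPLE-DUAL-SIM]
"""

# Constructed sample of `adb shell cat /proc/version` for the same device.
SAMPLE_PROC_VERSION = (
    "Linux version 3.4.0-perf-g0000000 (builder@example) "
    "(gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Mar 1 10:00:00 UTC 2016"
)

# getprop prints one `[key]: [value]` pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$", re.M)
KVER_RE = re.compile(r"^Linux version (\d+)\.(\d+)\.(\d+)")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict."""
    return {m.group("key"): m.group("val") for m in PROP_RE.finditer(text)}


def kernel_version(proc_version):
    """Return (major, minor, patch) parsed from a /proc/version line, or None."""
    m = KVER_RE.match(proc_version)
    return tuple(int(x) for x in m.groups()) if m else None


def assess_device(getprop_text, proc_version, today_iso, max_patch_age_days=90):
    """Summarise how stale the platform (not the app layer) is.

    Play Services, WebView and Chrome update through the Play Store, so their
    versions say nothing about the kernel, drivers or system libraries; the
    platform security patch level and the kernel build are what matter here.
    """
    props = parse_getprop(getprop_text)
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    patch_str = props.get("ro.build.version.security_patch")
    # Builds older than Android 6.0 usually lack the property entirely,
    # which is itself a strong signal that no platform patches are arriving.
    patch_date = (
        datetime.strptime(patch_str, "%Y-%m-%d").date() if patch_str else None
    )
    age = (today - patch_date).days if patch_date else None
    return {
        "release": props.get("ro.build.version.release"),
        "security_patch": patch_str,
        "patch_age_days": age,
        "patch_stale": age is None or age > max_patch_age_days,
        "kernel": kernel_version(proc_version),
    }


if __name__ == "__main__":
    # Replace the constructed samples with real `adb shell` output to check a device.
    print(assess_device(SAMPLE_GETPROP, SAMPLE_PROC_VERSION, "2017-11-15"))
```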

Whether or not security is important depends on what you do with your phone.

I don't use my phone for banking or payments and there are no compromising pictures or dangerous files on it. I don't have a pressing need for Android's latest security update.

Well, that's not a real issue, is it? It's purely a decision from the manufacturers to be assholes to their customers. There is no technical need that'd prevent them from creating updates. Especially Samsung (which also produces the SoC in-house for all relevant markets).

Hmm. It's all Google's fault. I don't have to wait for the manufacturer to update my Windows PC. Heck I was able to install Windows 7 on a Mac Mini without any support from Apple. Not to mention I updated a 9 year old Dell Core 2 Duo to Windows 10.

Windows has mostly kept a stable driver API.

And whenever they broke that API, that actually happened — suddenly updates stopped being usable by your system.

Also, be aware that ARM has nothing to enumerate devices, has no BIOS or UEFI. An OS image will only ever work on a single device.

As I detailed in another comment in this thread, the issue is this collision of the Linux concept of mainlining everything, short support windows, manufacturers that can't update drivers for every microchip they sell all the time, and Google and OEMs somewhere in there.

It's always been a clusterfuck, Google didn't create it, but they sure made it worse.

Windows driver API has been far from stable from Windows Vista. One of my computers came with Windows Vista (a 2009 Dell Pentium Dual Core - not the Core 2 Duo I referenced) and it still runs Windows 10.

Microsoft provided drivers for the standard PC hardware that was in my 2006 Core Duo Mac Mini and Windows 7 recognized all of my hardware - usb, sound, graphics, Bluetooth, Ethernet etc.

Microsoft goes out of its way to provide drivers for the most popular PC hardware. Mac OS is Unix (i.e. certified by the Open Group) and doesn't have that problem.

Edit Rant:

But why are printer drivers still a thing? Apple introduced AirPrint for iOS 4 back in 2010 and for MacOS a few years later. I never have to worry about printer drivers when I update my OS. New printers bought in 2017 work perfectly with my 7 year old iPad without having to worry about drivers.

> But why are printer drivers still a thing? Apple introduced AirPrint for iOS 4 back in 2010 and for MacOS a few years later.

Have you looked at the unimaginable amount of crap a typical Windows printer driver forces upon you? It's not just the driver, it's usually also a stripped down license of some image editor, an "update agent" (because Windows 7 does not have an "app store" or a centralized driver distribution that does not phone home like Windows Update does and often enough carries fossilized drivers only), a toolbar for multifunction printers, a watcher that nags you to buy new original cartridges, a scanner agent because there is still no standard for scanning without drivers, much less so over network or cross platform, a selection of adware... and God help you if you have printers or MFDs from different vendors.

The only way to not have this ridiculous mess is buying enterprise printers - for example, the Z2100 plotter drivers are 4MB for Windows, and 16MB for the manager app, while the Photosmart printer driver can only be had as a part of a 145MB download, there is no such thing as a "driver only" package in the consumer space. In enterprise environments (or small offices) the situation sucks even more because you can't really deploy them via GPO, you have to extract the drivers by hand.

Your problem may be more your choice of vendors than anything else. HP's big printers (e.g. M600 family) are still pretty nice, but I've started to avoid them for anything smaller, and god help you if you look at the truly low print volume stuff from them.

HP printers are excellent in terms of hardware build quality: the Z2100 plotter in my company is a decade old, of which it stood around unused for 6 years - gave it a full cleaning, new cartridges and heads, a new carriage belt, and it was back to mint condition. Oh, and there are still new cartridges and ink tanks made, and there are still recent drivers.

And for most of the consumer gear from HP it's the same: even for really old stuff you can find new tanks/cartridges, drivers for new and old OSes and I've yet to see a HP printer fail in a way I could not fix myself with a service manual.

The problem I always ran into was customers getting the consumer gear and wanting me to make it print from their server, with drivers only from HP and no support for server operating systems.

My response to anything HP that wasn't good-sized obviously-business-targeted printers became "I can probably make that work, but it's going to cost you more in my time fiddling around with it than just getting a more appropriate printer."

One area in which MS was lackluster on drivers was some of their own products - for example the force feedback joysticks, still on sale at the time, never got a Vista driver out of MS and became a glorious paperweight overnight.

That aside, apart from an initial few months of unstable GFX drivers, it was utterly solid.

On a side note, I believe the Core 2 Duos were the last Intel chips to not include any form of inbuilt `management` silicon and as such are still favoured by some paranoid/security-prudent types.

> Have you looked at the unimaginable amount of crap a typical Windows printer driver forces upon you?

Yes. I go out of my way to run a clean crap free Windows PC. Even going as far as either buying from the business line of laptops or buying from the Microsoft store. But the minute I install a printer driver....

It's even worse for people like my parents; they search online for a printer driver and usually end up downloading crapware from a third-party site unaffiliated with the printer manufacturer.

Check printer specs first and select something with built in PCL or (better) Postscript support. With native Postscript you may even be able to just get a PPD file as the "driver."

Won't help as much if you want color though, particularly inkjet color.

And for your parents, see if they're putting the current year on searches - on Bing and DDG that ends (or did end recently) in much worse results because the original sites often don't include dates but malicious ones have all the same keywords plus the year. In my recent experience adding the year meant > 90% malware results on the first page.

Google was much better about this a month or two back.

Still, Google could impose update requirements for Play Store access, for example.

Regardless of stable driver API or not, it is up to the OEMs to make it happen, if they actually cared about it.

I am pretty negative about Project Treble, it won't change anything, because only Oreo devices have it (0.3% currently) and OEMs are still expected to be the ones pushing the updates.

Why does the kernel and driver ABI matter for upgrading userland? On desktop Linux I can by and large use a new kernel and chroot into an old install, or vice versa, and things still work. It would seem that Android userland is unnecessarily coupled to a specific kernel version. It should be able to upgrade independently.

Agreed in principle, but a decent amount of the new security features present in more recent Android phones are due to new kernel features. It's just a sign of the relative immaturity of the platform that this is the case.

Can you provide some detailed examples of that being the case? Genuinely curious to know.

Usually I hear that sort of thing and think somebody isn't being creative enough with fallback behaviors for when the feature isn't there, but I guess it would depend heavily on what the feature is.

I guess I probably misspoke. I was thinking about https://android-developers.googleblog.com/2017/08/hardening-... ... but those certainly don't require userspace changes (probably). And even the case where you'd want the new kernel features (but can't upgrade due to driver ABI incompatibilities), they've backported to several old kernels that are in wide use in Android... though I note that my 2-year-old phone is on an older kernel than most of those features were backported to.

> Also, be aware that ARM has nothing to enumerate devices, ...

Isn’t that the purpose of a device tree?

Your kernel brings in the device tree with itself.

It is primarily to allow the drivers linked in the kernel to detect whether they should load and try to talk to hardware. It doesn't replace bus enumeration when running on totally unknown hardware.

Basically yes, but that's often not good enough either. Lots of third party code OEMs end up with in their kernels, unmaintainable, and often incompatible with anything.

Well, it's not true that "ARM has no method to enumerate devices". It does have that; it's just that hardware manufacturers are bad at using it properly. (That's not to say it's not a huge problem; it's just that it's an economic/business/social one, not a technical one.)

I mean, it sort of does and sort of doesn't, but the hardware manufacturers just aren't used to thinking about things in the proper way. Just like the hardware is a black box with no user serviceable parts inside, as far as they're concerned the firmware (because that's still how they think of the OS and everything on it) is a single binary blob with no user serviceable parts inside, even if it's actually just linux and Android. And just like all the hardware parts are designed and qualified for a particular design, the same goes for the software: when you buy your hardware you get a software with it and that's that. As far as they're concerned it's just another component like a screen that gets customized to work with everything else and goes in the box, then is never touched again.

Now waitasec...

I own one of those crappy unupdated Android phones. And the drivers use the Linux kernel. Last I checked, they need to release source for their drivers.

So where is it? And why can't we upstream those patches and "fix" android?

Maybe they pull the stuff Nvidia does: write an interface kernel module, then have the driver itself in a library that the module loads. Since the actual driver is never part of the kernel tree...

It's much simpler.

The OEM never releases the source.

And courts have decided that it's not enough if you have some contributions to the kernel yourself or are a user to force them to release it, you have to have made significant contributions to force them to release it via the courts.

And Torvalds and the major kernel maintainers all refuse to enforce the GPL, and actively campaign against doing so.

> And Torvalds and the major kernel maintainers all refuse to enforce the GPL, and actively campaign against doing so.

Two questions: why? and why use the GPL if you’re not going to enforce it?

Are kernel drivers subject to the GPL just because they use the Linux ABI?

It'd be a long legal discussion to properly answer your question, but luckily OEMs make it easy for us:

On most phones, there are zero external kernel modules loaded. The SoC vendor bakes it all into the kernel, and the OEM gets the kernel as a blob. Which means all of it is subject to the GPL.

Yep, I had to go sleep (yeah, that dreadful thing!).

But this was my main area of attack. You compiled the drivers directly into the kernel, making it all GPL. Now, as a strict reading, I have to have the device to make the request. That's not difficult. I've phones from a lot of US-named companies.

I just want the rights enumerated in the GPL as granted to end users. I'm no kernel maintainer. Just a cranky person who wants the GPL enforced as any license.

> I just want the rights enumerated in the GPL as granted to end users. I'm no kernel maintainer. Just a cranky person who wants the GPL enforced as any license.

Yeah, it turns out it’s not that easily enforceable. There are still court cases going on, but the current legal situation seems to be that unless you’ve contributed significant code to the kernel, you have no legal leg to stand on.

Because the OEM is simply saying "yes, we violated the GPL, and infringed the copyright of the developers", but the only ones who could sue against that would be devs that contributed significant amounts of code.

> And why can't we upstream those patches and "fix" android?

It's a lot of work, who is supposed to do that?

Some bits of the N900 kernel are still in the process of being upstreamed afaik.

It doesn’t help that not every manufacturer (especially ones from China) releases the source code. And when they do, it sometimes contains opaque binary blobs that don’t tell you what is happening.

Most of the time, such a source release means "patching binary blobs into the source".

The source helps little since it's just opaque garbage with little to no meaning.

Your PC, including your Mac Mini, has BIOS/UEFI/other firmware with both boot-time and run-time services. Additionally, it has hardware whose sole purpose is to detect and enumerate all the other hardware.

Mobile phones and other embedded devices have none of this.

There was nothing stopping Google from designing such a system -- just like Microsoft and Intel did.

There are many reasons.

First, Google didn't design anything. They were looking for partners for their OS and these partners used their existing design. The first HTCs were almost identical between their Android and Windows Mobile versions.

Second, there are reasons why embedded systems do not have them. Apart from increased complexity (bad for the designer and manufacturer) and increased energy consumption (bad for the consumer, and a competitive disadvantage too), very few embedded device manufacturers and customers even count on using software other than the one supplied. From their point of view, where every cent of cost saved on the device makes millions in margin, that would be wasted money.

Google didn't design the operating system? Microsoft didn't design computers either but they have been steering PC manufacturers for over 20 years since Windows 95 and the plug and play initiatives.

Google didn't design the hardware - when we are talking about firmware, booting, pci enum, etc, we are obviously talking about hardware. Their partners did and they reused their existing design.

Microsoft basically strongarmed the PC vendors - they either did what Microsoft said, or didn't ship Windows with their wares. Windows, which was the only game in the town, if you wanted to sell PCs.

Google didn't have such luxury when they started with Android. They needed everyone possible to be on board with them, and "let's throw out everything you have and design new hardware from scratch" doesn't make for a good start.

In mobile, Microsoft also reused Qualcomm's reference design. But contrary to Google, they used ONLY Qualcomm's design, that's why their system looks united. All the WP phones are basically the same board.

So now almost 10 years later, what "other game is in town" that stops Google from taking more control over the hardware except either incompetence or neglect? You won't sell many Android devices that don't run Google Services in the West.

They do design their hardware now. See how they bought HTC.

However, that does not mean you will get an open device now. When was the hardware openness so important, that it played a major role in purchase decision at statistically significant rate?

For 99,999% of people, it doesn't. They want an appliance that works out of the box, without bothering with alternate firmwares. So that's what they are getting.

There's no motivation to put UEFI and PCI into the hardware, just like there wasn't 10-15-20 years ago, when the first designs were made.

No, it's the carrier's fault. The carrier locks down your OS.

The carrier doesn't lock down iOS. Every iOS user worldwide can update to iOS the day it is released if the phone is compatible.

This is a function of market share and customer loyalty, and thus Apple's ability to tell carriers to f-off. iPhones will sell regardless of whether the given carrier sells them or not.

On the other hand, iOS updates do cause problems and then it's the carriers who scramble to modify their networks to make iPhones work (remember when Brits didn't have mobile data for a few days after an update?). They would not do it for Xiaomi or Sony.

Apple wrested control from AT&T and the few mobile carriers around the world that were selling the iPhone during the first year, with less than 10 million devices sold. There was no reason that Google couldn't do the same. You even had to wait for Nexus updates back in the day if they were sold by Verizon.

Apple already had loyal customers, who were ready to buy the devices without regard to mobile operators. The iPhone was just a continuation of computers and especially iPods.

Also true for Windows 10 Mobile. (My phone gets an update today, why doesn't yours?) Android is the only smart phone platform that carriers still have a say in.

That was not true for Windows 10 Mobile. Some devices never received the update.

Which was indeed insult on top of injury - the WM devices were all Qualcomm Snapdragon devices. They were never as varied as Android devices are.

It was not true for Windows Phone 8, and therefore some carriers interfered with the deployment of the upgrade. It is true for Windows 10 Mobile, however. If a device is supported for Windows 10 Mobile, all updates are carrier independent. The "Upgrade Advisor" app Microsoft released to the Windows Store effectively allowed you to circumvent the carrier and upgrade to Windows 10 Mobile, replacing the Windows Update source for your phone with Microsoft's.

Ah, so that is how it went. I knew some WP devices (didn't note the version) never received the updates.

However, the part about them all being the same Snapdragon devices with slightly different cases, cameras, etc. is still true. Microsoft doesn't have to solve how to make a release for Exynos, Kirin or Tegra devices.

The other neat thing they did which included WP8 was that their Developer Preview would do the same thing with the Windows Insider app. If you signed up for test builds, you'd get updates regardless of model or carrier, to the latest build offered. (And a lot of never officially supported phones can use Windows 10 via this method.)

That being said, this was only kindasorta a good thing, because it didn't always have working third party drivers attached. My old Samsung ATIV SE was super glitchy, particularly in the touchscreen department, when I upgraded my phone absent Samsung's blessing.

But it was one more place Microsoft kinda demonstrated even their mobile OS builds were more or less hardware independent, which is a huge contrast from Android.

They have no incentives to do so. I would like Samsung to make it into a business. Have folks pay 5 dollars per year if they want to get ongoing security updates for older devices. I would pay in an instant.

For reference, Red Hat charges around $425/yr for extended support. Obviously the situation is different because Red Hat has a lot more software to support, but they also have fewer products and more customers that care enough to buy it. But I think the upshot is that a $5/yr extended support contract is a bit of a pipe dream.

Just as an order-of-magnitude estimate, we're assuming that it's about 100 times more effort to continue maintenance of a general-purpose Linux-based OS than a general-purpose Linux-based OS on a specific set of hardware. And that's before you realize that the market for this support contract is just frugal IT people with specific Android phones that haven't worn out from use. So not much luck with a 'we'll make it up in volume' analysis.

Google is maintaining Android, so why would you assume it would cost a massive amount of resources for Samsung to port or backport some security fixes now and then? The comparison with Debian does not make sense.

Exactly. Why did you think Oracle wanted to muscle in on that?

There is LineageOS, which supports many Samsung devices with the latest Android, completely free of charge.

Maybe those little phone repair shops should offer installing it for a small fee as a service.

There is also postmarketOS which attempts to bring a standard Linux distribution to old phones, but it's still in an early stage.

LineageOS? You have to download its ROMs from shady websites. No thank you.

I don't think not providing updates makes them assholes. It's just the reality of the traditional software model gradually becoming obsolete. They paid the developers to write software, and as consumers we paid for that software. The cost of additional development has to be borne by someone. The success of the subscription model from biggies like MS, Adobe, Blizzard, SaaS startups, etc. has shown that at least one other model is viable. It's up to others to show that there can be others.

I have a rooted device, so I can basically make apps do what I want and stop them from doing what I don't want. IMHO that's far better than Google's vision of "security" where they want to be in control and even consider the user an attacker.

How much of a solution is rooting a device for 1 billion users?

Probably more feasible for some of them than buying a new phone, at least.

I think every device should ship with root by default, it's the case for computers, I don't see why phones would be any different.

Because computers don't come with an app store that contains tonnes of crapware. Even if they did, people would install a smaller variety of apps.

I see phone repair shops at every street corner, I don't see why they could not offer this as a service.

Yeah why didn't I remember to tell my mom to just root her phone? I'm sure that will work out well for both of us.

I had a quite high-end Android phone from Sony 3 years ago, but because it's the dual-SIM version I received maybe only one update. I've been running Android 5.0.2 for 3 years now. My phone still works well, but who can count the vulnerabilities I have now on my device...

OK, but it means a billion android devices are vulnerable to various attacks. It would be cool if we could have, idk, backported security fixes for devices that hold tons of critical information?

I'm a little surprised that this is happening across the complete market. Usually when you get less modifiable versions of a product to serve a broader and simpler user base, you still have these edge cases for tinkerers. There's certainly a big market for that, but for some reason nobody is trying to serve that market. Not even relative newcomers like this Chinese company Xiaomi or whatever their name was.

I'd certainly spend $100 more for a configurable phone.

> replacement parts for models several years old are still plentiful.

Data point:

Just replaced a battery in a six-year-old Samsung smartphone in 20 seconds. It did not even cost me $10. Incredible value compared to the hassle of doing this on today's phones, if it is possible at all.

I have an old tablet that doesn't seem to "catch" new updates from Samsung anymore. Perhaps it would be worth rooting or something just to get it current? I would "upgrade" the software if it was available. Buying new hardware isn't something I will do in most situations--the device has to become non-functional before I consider it.

See how Windows 95 & XP turned out. It's full of holes and still being used. We still can't get rid of it.

Can't get rid of Windows 95?

I see a lot of XP computers around, but it's been years since I've seen a 95/98/ME computer.

(Actually, now that I think about it, I think my dad still had a 98 or ME computer two years ago so he could use an old scanner.)

OK 95 is mostly gone, but more people use XP than Macs and Linux combined, according to http://www.netmarketshare.com/operating-system-market-share....

Exactly, my phone is marooned on Android 6.x, and I really can't say that I care about this at all. I'll replace it after it is a few years old with something newer and similarly inexpensive.

Yeah, but if they're not being supported anymore it's not ideal.

How are you so certain obsolescence is planned?

I have seen a prepaid device literally self-destruct from a combination of market segmenting and artificial firmware restrictions.

Edit: There was no CM support, no way to delete bloatware, forcibly disabled SD storage support, and non-optional updates that eventually rendered the device unusable. The two end-user choices were to either remain offline or get stuck in "not enough free space" loops.

Sounds like my Republic Wireless Moto X running Android 2.3 from 2013. It still works, but usability has degraded significantly.

Did you look into Cyanogenmod/LineageOS?

I too am running Android 2.3 on my aging phone, thanks to CyanogenMod. Unfortunately, they do not provide any newer version for this particular model.

The case is all scratched up, the protective glass has been replaced two times already (and is up for another replacement soon, touch tends to stop working on cold days in bottom part of the screen), but I am holding on to it, because I haven't seen any newer phone that I wouldn't hate.

They're all either too big (remember when it was cool to have as small a phone as possible?), or they lack features like an unlocked bootloader or even an SD card slot.

I'm thinking of going back to some dumb feature phone, if I can find one with good support for importing contacts from outside.

No updates for Android devices pretty much confirms this.

That's quite the opposite. It's hw companies not used to having to support their stuff after it leaves the door. To keep supporting this, they should plan/calculate this in from the get-go. They don't plan anything, so now you have devices that don't get updates.

Supporting/updating devices requires active planning, but then you get cries over companies that actually do perform updates and get the whole 'planned obsolescence' conspiracies.

Android device manufacturers are not solely hardware companies. Samsung surely is not; they do publish updates for some time, then they stop doing that. This is planned. As time progresses your device becomes less usable, not because of the hardware, but because of the software and the bugs/security issues within it.

So if your (example) Samsung device gets updates for 2 years, then the planned obsolescence for that device is 2 years + a few months. The number of months depends on the severity of the security issues discovered. Also, it may not be "planned" obsolescence, but it sure is "accepted" (from the vendor's point of view) obsolescence. Which is even worse.

On a side note, as a customer I don't care about internal structures of companies. I want updates. If they can't deliver that, open source everything.

People make the mistake of thinking of Samsung as a single company - but it is not. Samsung's phone division is absolutely a hardware company, and so are the majority of their divisions. If they were a software company, their Tizen OS would be in a lot better shape - but it's not.

And most Android manufacturers are hardware companies - their margins are too thin to support/maintain the software side of it. 90%+ of their R&D budget is hardware. It's the same as HP's computer division. No, they are not a software company; they use MS Windows as the OS and make sure the correct drivers are present/integrated. This is exactly the same on Android. They buy off-the-shelf chipsets, integrate their drivers - which are developed by the chipset manufacturer - into Android, pour on some crappy GUI customization, in many cases developed by a 3rd party, and they're done.

My phone doesn't become obsolete because of that. It's because I'm not allowed to use many apps without updating them after a certain time. These newer versions are slower and use more resources. Even with regular updates my phone would be unusable after enough userland development.

An unfixed remote code execution (let's say through the SSID, exaggerated example) doesn't make your device obsolete?

The software update case you wrote is a good example of planned (or accepted) obsolescence by the developer.

I often get sympathetic comments for being an Android developer because of this. It's honestly not that bad. Android provides backwards compatible support libraries for whatever SDK you're supporting, and was designed from the beginning to handle diverse screen sizes and hardware.

By far a bigger problem is manufacturers shipping their own version of Android that is sometimes incompatible with the SDK. I've had to implement some ugly hacks for Samsung before, which is unfortunate because of how popular their hardware is. It's becoming less of a problem over time though.

The problem with outdated versions is not app compatibility, but security updates. If a zero-day were released, most of these devices would never receive an update to fix the issue.

Worst case scenario: An Android zero day that can be spread via WiFi or Bluetooth that infects devices in a cryptolocker style. The more versions it can affect, the better.

Shoot. Probably shouldn’t give people ideas, especially when I have an Android device. At least it runs LineageOS and can be updated easily...

Edit: To clarify my idea, imagine the Windows XP cryptolocker viruses, but for Android instead, spreading not through cell towers or WiFi routers, but instead spreading via the cellular/WiFi/Bluetooth chips in the devices.

I’m starting to wonder if I should buy a portable Faraday cage for my devices...

It's also a problem with compatibility. Just because they've found a reasonable way to mostly work around it (by basically bundling an up-to-date version of the framework into each app) doesn't mean it isn't an issue. Not everything is in the support library.

But I agree, at this point the security issues are a bigger concern.

That "worst case scenario" isn't that hard to achieve. But maybe the only thing stopping something like that from happening is, ironically, the OEM fragmentation which screws up a lot of code related to gaining root or lock screens and similar.

Why not see it the other way around? You can totally go and develop an app that just runs on the Samsung Galaxy S8 and nothing else. But with the Android SDK you get the option to support a range of other devices as well with a little overhead. That's far better than with iOS, where you only get to support one device type, just maybe different versions of it.

Even if you just target Samsung it's still not the same, unfortunately.

There's a pretty wide range of iOS devices now, but they're all similar, they're all good (or were good when they were released), and you can check your app on them in the Simulator. Just last week I was able to find and fix some bugs in an app that only showed up in certain combinations of screen sizes and iOS 10 or 11, without needing any real devices.

Samsung has many, many more devices; some of them are very good but lots of them are very bad; they do offer some testing infrastructure but it's not as comprehensive or convenient as Xcode; and they frequently make breaking changes to Android without any documentation. A recent example is their "game tuner" which automatically runs games at lower refresh rates and/or screen resolution. Depending which API you use to check the screen dimensions (and Android being Android, there are plenty to choose from) a game can end up displaying at the wrong size.

Yeah, I remember when iPhone changed ratio/screen size, and people scrambled to make their apps work. This is something a developer had to handle from day one on all other devices.

This is still a lot more work than it ought to be on iOS. It's possible to write screen-size-agnostic code, but the tools push you towards individually customizing everything for each of the current screen sizes.

For example, in Interface Builder there's a toolbar with buttons to switch between different screen sizes. But it would be a lot easier if they just made the UI freely resizable (in Interface Builder, not necessarily on the device).

The flipside of this is that developers are forced to support versions of their apps that are compatible with previous operating systems. That's bad for developers, but good for consumers.

iPhones shove updates down your throat as a user. They're so persistent that inevitably most people will accept the new update - and even if you're stubborn like me, eventually your apps will no longer be supported under the newer OS's, and you are forced to update to keep using them. The problem is that the OS upgrades invariably slow down older phones, so even if you're perfectly happy with your iPhone to begin with, it starts to act slow as it gets the newer OS's. It's good that Android users can at least avoid this particular kind of planned obsolescence.

> iPhones shove updates down your throat as a user.

And we have the monster that was Windows XP because of users thinking "updates" are "forced" down throats.

iOS is correctly celebrated for having such a high adoption of the "latest and greatest", and certainly hasn't become the demon that is the unpatched Android landscape.

So thankfully, from NetSec to the end user, it's a fantastic thing that iOS keeps devices more up to date than android.

I agree, but it is true that newer updates dramatically slow down older hardware.

I thought this had been tested recently and shown not true? A psychological illusion or something? I’ve never noticed any significant, let alone dramatic, speed change on any given device from iOS 3 on the original iPad onwards.

They tested the performance of the hardware (CPU, GPU, etc), not of the APIs or updated apps. So the CPU and GPU of my iPhone 6 are just as fast as when they were released. But I can guarantee you that the camera app as well as a lot of third party apps aren't as fast as they were when I bought the phone.

Apps that represent light websites like Google and Facebook are now 300 MB+. With such memory-hogging updates, few people with older phones are going to update.

Size is not speed.

True, but...

Older hardware has older chips (and possibly slower memory) so... a larger size alone would still likely have an actual processing speed impact, no? The newer OS and app versions are developed with chip/memory speed "XYZ" in mind, and that's the target they aim for. That the OS does run on older hardware is great, but if your memory size goes up 2-3 times for apps, I can not imagine that there's 0 speed impact.

Aren't you confusing apps and the OS here?

Apps are definitely bigger and slower, but that's separate from whether the OS is faster or slower.

Anecdotally (and I agree) iOS 11 is slower than 10 for many of the same tasks -- things like switching apps, opening the camera, opening the keyboard.

I thought it was a myth too, but iOS 11 is undeniably much slower for me. And I don't understand why, as it doesn't seem like it adds many features. There's a new filesystem, but shouldn't that be faster, not slower?

Backup, wipe, and reinstall.

In some cases it doesn't help. E.g. iOS 7 update for iPad2, iPhone 4/4S etc.

iOS 7 was pretty rough on anything slower than an iPhone 5

That's bad for developers, but good for consumers.

Is it? I'm a developer --- and a consumer, as are most --- and have always kept to the principle of as much compatibility as possible, mostly by not gorging on new features for the sake of new features, and a "do what you can with what you have" approach. To me, spending a little extra effort to get much more compatibility is well worth it, since I've been on "the other side" and know the horrible experience of not being able to use something just because the developer didn't bother to think about anything but the "new and shiny"; that seems to be something a lot of developers completely ignore or even oppose.

The QA effort to support 3-4 of the most recent OS’s isn’t “a little extra effort.” It can get pretty expensive, too, since you may have to have devices for all supported OS versions and possibly idioms (e.g. iPhone, iPad).

If only Android devs only had to think about 3-4 of the most recent OSes...

There are outliers in either direction, but these days the minimum supported version tends to be API Level 19 if you're conservative, with a steady shift towards API Level 21. For reference, Oreo is API Level 26.

As a developer of a long-lived popular app I've been pretty aggressive at cutting off older OS versions from updates (min SDK 21 right now, considering 23). But the Play Store lets you keep serving up an old version of your app for those older devices. So before I cut off an old OS version I make sure to have a solid, bug-free release that I can serve them for a few years, until eventually my backend API server is forced to break backward compatibility, at which point I pull it from the app store and serve up an "I'm sorry" message for anyone trying to run that old version, which is about 3 years old at this point.

Making it easier for users to run software with unpatched vulnerabilities, even accounting for some extra slowness, isn’t a good thing.

That "isn't a good thing" is paired against another "isn't a good thing": forcing people along an (expensive, disruptive, often utility-losing) upgrade path simply to drive revenue goals.

Perhaps we might look at this as a set of goals:

1. Users shouldn't run software with unpatched vulnerabilities.

2. Users shouldn't have to discard devices after a small number of years (1-3, from date of purchase, in many cases).

3. Hardware, OS, and software vendors should have a functioning ecosystem in which they can operate profitably.

Unfortunately, the economics of hardware + information goods with an ongoing support liability but a one-time purchase point are pretty much pathological. This isn't a new problem. It's one that AT&T and IBM solved, in the 1930s and earlier, by leasing rather than selling hardware. IBM has continued that model through the present, for its enterprise computing hardware. There are few general-public devices that fall under this category, though.

I think a fundamental problem here is that most information and knowledge goods don't fit well into an economic framework which is based on the assumption of scarcity. Of course you can artificially add scarcity with DRM tech, patent law etc. But what mostly happens in practice is that you need to come up with some kind of indirect business model. Like e.g. Google, developing a lot of great tech, but ultimately being a broker of user attention and data.

This disconnect between business model and products leads to a lot of unaligned incentives between makers and users of product. That's the innocent looking root of evilness - no bad people required.

Pretty much, yes.

Market economics works for commodities.

For wages, it tends to subsistence levels.

For public goods (including information) it under-provisions.

For rents (fixed-quantity goods or services, including both land and attention), this tends to absorb surplus value.

For assets and risk-based elements, I'm still sorting out the dynamics, though they also appear to be poor.

There's various precedent for much of this:

* Adam Smith's classifications of types of goods: commodities, wages, stock (capital), rents, assets (gold and silver), interest, and "expenses of the sovereign" (public goods).

* Various economic-sector classifications. Alexandre Dumas, Simon Kuznets, Clark, and Beniger come up with 3-5 elements, generally: extractive/sourcing, manufacture & construction, transport and distribution, risk and finance (especially FIRE), governance and information. I'm finding these fascinating.

* Industrial classifications including SIC, NAICS, and ISIC.

* A classification of technological methods I've been looking at for a few years, including materials, networks, information, control, knowledge, and power transmission & transformation.

But yes: information and markets play poorly. Software and systems incorporate both information and risk elements. (And probably others.)

Then manufacturers should fix that problem. The reason people don't like security updates, is that they are tied to feature updates. Most people don't like the new feature updates, and would happily take just the security updates. If users were given that option, I'm betting that a lot of the push-back to updates would drop fast.

I bet most people find digital security too abstract to understand why it’s important, and wouldn't bother with updates that didn’t include shiny new features.

Also, Generic Phones Inc. don’t see any money in pushing out pure security fixes — only big players get that benefit, because it’s a type of quality that's a tragedy of the commons thing.

I’d change the laws by international treaty to require security patches for all devices for whatever the 2σ lifetime is. If the manufacturers don’t want to do it themselves, then an open source requirement and a sales tax to fund hiring developers to fix it.

I'm arguing the opposite: I think people would update if updates didn't break their shit. I have no statistics on this, and would gladly welcome some, but IME people heavily complain that "the last update broke my $x, so I don't want to update again".

If we had 2 different channels of updates: security and feature, then this wouldn't be an issue.

I completely agree with you about the laws and open-sourcing.

Exactly that!

It may be true that "normal" users don't understand security or take it seriously enough, but in my opinion just blaming them isn't fair.

Imagine your car being painted in new colors and handles in the cockpit being re-arranged in unpredictable ways every time you have it serviced.

That's basically what Software updates often do to users.

We constantly force users to re-learn how to use a piece of Software, very often without good enough reason. Additionally updates at some point force them to buy newer hardware, even though they probably neither wished for the changes in the Software nor for new hardware.

That's why I totally understand casual PC users who're not gonna stop using Windows XP as long as it lets them do what they use their PC for.

In my opinion commercial software should be regulated to either provide security updates (distinct from feature updates) or be open sourced.

Manufacturers have no incentive now to do so.

They absolutely do. Android is known to be a security nightmare. That means a bad reputation, which also means less sales. I hate Apple and their products, but if someone said that they got an iPhone because it's more secure than Android, I can't really argue that they are wrong.

>The problem is that the OS upgrades invariably slow down older phones, so even if you're perfectly happy with your iPhone to begin with, it starts to act slow as it gets the newer OS's. It's good that Android users can at least avoid this particular kind of planned obsolescence

I have seen this first hand with my 4S. The updates slowed down my phone, which I was perfectly happy with. Unfortunately, Apple blocks you from restoring your phone's OS back to when it worked great. Heh, and then I bought the 6S, so I suppose Apple got my money anyway.

> That's bad for developers, but good for consumers.

It is bad for consumers as well, since you only have so much time.

Apple has allowed you to download the last compatible version for years - that ability goes as far back as at least iOS 5 that came out in 2012.

No it doesn't. It only allows you to do that for an app you already installed in the past.

If you want to install an app for the first time, where the current version is incompatible with your OS, you can't.

Believe me, I've tried.

There is a workaround: download it via iTunes. You don't have to sync via iTunes to do it, just use the same account. Apple still makes the previous version of iTunes that allowed you to download apps available to download.

Sure, but will (networked) apps still work? Is it possible to download apps for previous versions still? If you can revert OS but can't run netflix/facebook/whatever then it's not very useful.

Yes. I have a first generation iPad (running iOS 5) that I rediscovered when I moved. I reset it because I forgot the password. Hulu, Netflix, Crackle, theCW, Plex, Google Drive, CBS (?), and Spotify still work.

Apple's productivity apps (Pages,Numbers, and Keynote) also still work and sync with iCloud.

On the other hand, I also rediscovered an old first generation iPod Touch (iOS 3). Nothing that requires network access except for the built in apps still works.

This[0] could give your iPod Touch a slight kick in the butt, and this[1] for your iPad, if you feel inclined to keep using them.



That's really cool. I'm going to definitely try it on my old iPod Touch.

You can to a degree. You’re able to install the last compatible version of an app.

> The problem is that the OS upgrades invariably slow down older phones, so even if you're perfectly happy with your iPhone to begin with, it starts to act slow as it gets the newer OS's.

This is a truism and from my experience it rings false. I ran an iPhone 5 for four years without feeling degraded.

FWIW, as background, I'm an ex-overclocking PC enthusiast and I consider myself very sensitive to any sorts of performance lag.

It's less true on iPhones but even there it starts happening after a few years. On Android, it's terrible.

But yeah, android was a total resource hog when it got started because of Java, and it's gotten worse and worse.

Side note: "truism" means "A statement that is obviously true and says nothing new or interesting."

Or something that’s very obvious to be self-evidently true.

But, he might have thought of the complaint as so typical it has become a saying, and a truism by argumentum ad populum, but in his eyes false. Besides, most truisms are true only until they are not (a truism example). The Sun is hot. One day it won’t even be (exist).

> iPhones shove updates down your throats as a user

It doesn't, you don't have to update iOS. You can keep an older version. The same with Android. The only difference is that AppStore won't serve you older app-versions that would still work for your iOS version, after some time. While PlayStore still serves you much older app-versions.

Hey, they used the data that I made available on my website here: https://www.bidouille.org/misc/androidcharts

Gathering the old data from archive.org snapshots was a pain, I'm glad I saved someone else the trouble :)

One thing that's missing from this data is the actual number of devices in circulation, as said in the article it's only the market share among Android devices, and only those which access the Play Store. Having access to that data would make the graphs much more interesting, but unfortunately I have no idea where to get it.

> only those which access the Play Store

I'll bet this means an enormous number of outdated devices outside the first world are missing. In particular, any area without cheap and reliable data access is probably eschewing the Play Store for some kind of local-area app sharing like Zapya.

Not your fault obviously, these are fascinating stats as is. But I'm also really curious how many smartphones have gone "off the grid" without being retired. Generalizing from Myanmar [1], I suppose Facebook's internal device data would be the best source.

[1] https://craigmod.com/sputnik/smartphones_in_myanmar/

The real problem with mobile devices is that it costs $600-$1000 for a security patch. And when you get it, you'll also be stuck with inferior hardware as a side effect of that very expensive security patch. A device that used to be multifunctional but now is no longer useful for phone calls, music, or videos because it doesn't have a headphone port. One that used to be mobile but now requires you to stay tethered to an outlet because you can no longer switch out to a spare battery. One that's even thinner and more likely to break.

People would like to be secure, but they shouldn't have to pay that much for a security patch and they don't want to downgrade their systems.

>If we look at the newest Android release (8.0, 8/2017), it looks like you’re quite lucky if you have a two year old device that will get the latest update. The oldest “Google” phone supported is the Nexus 6P (9/2015), giving it just under two years of support.

And 2 years is the best-case scenario. Compare to nearly 5 years for iOS devices (which, as far as I can tell was prompted only by a move to 64-bit SoC). It's beyond me that Google hasn't taken a more extreme approach to keeping their devices up-to-date.

My Nexus 6P is eligible for 8.0 under the beta program, the last time I checked, 8.0 was still not available for it in the official channel so I had to switch to the beta program to try out 8.0 on a device.

8.0 has officially been available for the Nexus 6P since August.

Thanks, exiting the beta program to see what happens now.

Outside the US? My 6P got official 8.0 non-beta in September, I'm pretty sure. OTA, the whole nine yards.

Inside the US. I pushed the "check for updates" button in October and it told me no. I might have declined once, though.

I bought a flagship device, a Motorola Droid Turbo (1). They finally got android 6 on it a few months ago. Even better is it's so locked down that I have no choice. This is a $1000 phone, why can't I install what I want on it?

They aren't Google devices. They're phones made by companies who downloaded and installed Android on them.

The Nexus 6P was developed and sold directly by Google: https://www.google.com/nexus/6p/

Yes, I understand that Google do make some phones. I own one. But, the vast majority are not created by Google.

The Nexus 6P was made by Huawei. Also usually it is not the manufacturer, but the carriers that hold up or stop updates.

Even if this were true (it's not) that was a conscious choice by Google to capture market share.

This issue was predicted (and observed) years ago, almost since the release of Android in fact, and is only getting worse.

That is all due to Google's own choices.

The real problem with it is Linux. Here are a few facts:

The Kernel has no stable ABI for drivers.

Manufacturers only ever develop a driver for their chips once, and then send that to the OEM. They never update.

The Linux Kernel LTS gets 2 years of updates, Google's fork about 4.

From the day a Kernel is released, to the day it ships in a phone, usually 2 years are spent integrating the blobs and code drops from the chip manufacturers.

On every kernel upgrade that breaks the ABI, those 2 years would have to be redone from scratch.

Linux can't mainline support for every exotic piece of hardware that ever shows up in a device.

Manufacturers can't keep maintaining several developers to update every single chip they release.

Google can't keep Android on 6 year old kernels forever.

Now combine these facts, and you'll see the issue.

That's only a problem because they're keeping driver support closed. If they contributed a driver for their hardware upstream it would be maintained (by others) as the internal interfaces and standards change.

Whenever a security issue or design change happened, their driver would also get updated and fixed with the rest of the kernel.

What the hardware manufacturers SHOULD do is create hardware with a well-defined control interface that they CAN make public. Any 'secret sauce', uploaded firmware blobs, etc., should be free to redistribute, since they were too cheap to ship a ROM or EEPROM with the firmware for their device with the device.

That's often not that simple.

For example, SAMSUNG might build your device, and get all of their own code openly.

But now for the US model, due to CDMA, they need to use a Qualcomm processor.

That needs a blob, and Qualcomm won't release that under an open license, nor update it.

So the OEM can either just not have CDMA support, or accept foreign blobs.

It works like this all way down the stack, down to even camera chips.

And then these devices all have custom hardware. Often hundreds of customly designed parts, with custom drivers, only ever for a single device.

Think of the Moto Z Play, with the replaceable components. Samsung phones with facial scanners. LG phones with 3D displays.

One-off features that'd never get mainlined.

Apple has the same issues, yet they keep their devices updated and secure for 5+ years.

Well, Apple completely controls the XNU kernel and its I/O Kit framework. By contrast, Google--and especially phone manufacturers--don't control development of the Linux kernel.

My understanding about the US side of this is that the software defined radios and FCC compliance are a major portion of the problem.

STILL, that stuff should be equivalent to a firmware blob that should have been baked in to a ROM or EEPROM. The actual driver controlling it should be able to be open, and for regulatory compliance should use 'magic numbers' as specified for the configuration; which as a fact of how to use that device must be configured already /not/ be covered by copyright (in the US at least).

Well that’s not actually a problem if Google controlled the hardware (or a hardware standard, at least).

But they don’t.

So while you’re absolutely correct from a technical perspective, it’s still a consequence of Google's strategy, and a problem for us all.

Android device vendors are Linux distribution vendors, and could support their releases for 5-10 years for a given device generation, like many other Linux distribution vendors are doing. (Or outsource it)

Yes of course it's not free and you can save money by leaving users stranded. But it's myopic to claim it's the fault of Linux.

That’s not really possible.

Let’s imagine you try to build a phone.

You buy an SoC, and you get a single kernel build. If you’re lucky, you get a few binary kernel modules.

These will never be updated.

You will always be stuck on that kernel version.

No manufacturer of ARM SoCs for phones currently ever provides updates for these.

Linux LTS Kernels get 2 years of support.

Now, tell me, how do you support a kernel that was dropped by upstream, with proprietary drivers that you can’t do anything about? I’m not sure if you’ve ever tried porting a custom ROM to such a device, I have. By the time Android was on the 3.11 kernel, I had a device still using kernel 2.6. It was insanity, half the functionality wasn’t working, we were reverse engineering and hacking together the rest, and still barely got anything working. It’s impossible to use a decade-old kernel with modern Android userland, yet that’s what you ask for.

You can support that kernel version, like distributions do now with back port etc work, or you can prefer SoC vendors that promise updated driver support. If the latter was happening, the problem would be fixed by now. So essentially phone vendors have been voting with their dollars for lack of driver updates.

But even for the self-caused major version jam, the "get 2 years of support from upstream" is a heavy understatement, and even after the n years of community LTS support ends, it's just the baseline you get for granted and you can DIY more.

Maybe Fuchsia is an effort to solve such issues? But it won't see the day of light for at least 2 or 3 years.

The official Kernel.org LTS support is 6 years from the Linux devs, some vendors support theirs for longer.

The Kernel.org LTS support was 2 years until a few weeks ago.

Due to Google’s pressure, it’s now 6 years.

http://web.archive.org/web/20170812023641/https://www.kernel... says it's previously been 2-6 years for the various LTS releases. But it's always been open to more sponsorship, of course.

I've got a 7 or 8 year old Google Nexus phone. Google stopped updating the OS 5 years ago. The only impact I've noticed is that newer apps won't run on and older OS. For me, however, that really isn't a problem since I use it for making and receiving calls and texts, and checking my email. Right now, I'm in no hurry to lay out hundreds for a new phone, Apple or Android, that will be obsoleted in just a couple years when the vendor abandons it.

Many Android devices of that age and even newer had flaws resulting in the failure to properly validate HTTPS connections, as they would accept invalid certificates. As a result, every time I fire up an off-the-shelf WiFi Pineapple in public and run SSLSplit (not to be confused with Moxie's SSLStrip), I get credential after credential, typically starting with e-mail accounts. This is obviously bad because if someone is using an e-mail account on their phone for banking, an attacker could gain access to account recovery.

These are the sorts of transparent attacks you don't notice and which cannot be mitigated with anti-virus or avoiding downloading sketchy apps. The sketchy stuff is already running on the device in the form of the OS and apps you use within it. Note that a large number of these vectors were never publicly disclosed including a vulnerability with Samsung Knox that I reported. When it was in use, the device would accept any cert.

Isn't it telling that the antifeatures pushed by the updates are so much worse than the threat of data interception?

Most of these "oh no, security!" issues can be mitigated by avoiding public WiFi or using a VPN on them.

VPN can be a problem, especially on these older devices as those services themselves are vulnerable due to underlying OS issues. In terms of WiFi, keep in mind LTE is effectively broken because of the emergency tower redirection implementation. It's possible for attackers to direct devices to their own OpenLTE tower.

> keep in mind LTE is effectively broken because of the emergency tower redirection implementation

And it will fail after only a few messages, when the phone modem tries to authenticate the network (MME) and fails. LTE and 3G do have mandatory mutual authentication, where the device authenticates the network very early on. It's 2G that's the problem: a 2G network does authenticate the device, but not the other way round, which opens the door to the well-known MITM attacks on 2G (stingrays). The worst an LTE/3G rogue cell can do is try to attack the modem during the early non-authenticated messages (send corrupted messages), and waste UE time or jam it. But it can't do MITM.

So if you're paranoid and you can afford it due to good 3G/4G coverage, disable 2G on your handset ;)

A good talk covering the issue:


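To make the point in the reply above concrete, here is an added example (not code from the thread or from any 3GPP implementation): a toy model of the AKA step in which the handset checks AUTN before it answers, beside the 2G flow that has no such check. The f1/f2 functions are HMAC-SHA256 stand-ins for MILENAGE, SQN is sent in the clear instead of SQN xor AK, and CK/IK derivation is left out; those simplifications are mine, the message flow (RAND+AUTN down, RES up, MAC then SQN check on the USIM) is the standard one. The rogue cell plays an OpenLTE-style attacker that does not know K.

```python
"""Added example: why a rogue 3G/4G cell fails at AKA while a rogue 2G cell
does not. f1/f2 are HMAC stand-ins for MILENAGE (assumption)."""
import hashlib
import hmac
import os
import struct


class AuthError(Exception):
    """Raised by the USIM when the network fails to prove it knows K."""


def f1(k: bytes, rand: bytes, sqn: int, amf: bytes) -> bytes:
    """Network-authentication MAC over RAND, SQN and AMF (MAC-A, 8 bytes)."""
    msg = b"f1" + rand + struct.pack(">Q", sqn) + amf
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]


def f2(k: bytes, rand: bytes) -> bytes:
    """Challenge response: RES on the USIM, XRES on the network side."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


class Usim:
    """Device side: holds the shared key K and the highest SQN accepted so far."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def gsm_challenge(self, rand: bytes) -> bytes:
        # 2G: answer whoever sent the RAND; there is no AUTN to verify.
        return f2(self.k, rand)

    def umts_challenge(self, rand: bytes, autn: bytes) -> bytes:
        # 3G/4G: AUTN = SQN || AMF || MAC. The MAC is checked before anything
        # else, so a cell without K is rejected right here.
        sqn = struct.unpack(">Q", autn[:8])[0]
        amf = autn[8:10]
        mac = autn[10:18]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            raise AuthError("MAC failure: network does not know K")
        if sqn <= self.sqn:              # replayed vector from a sniffed session
            raise AuthError("synch failure: SQN not fresh")
        self.sqn = sqn
        return f2(self.k, rand)


class Network:
    """HSS/MME side of a legitimate operator: knows K, issues fresh vectors."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def vector(self):
        self.sqn += 1
        rand = os.urandom(16)
        amf = b"\x80\x00"
        autn = struct.pack(">Q", self.sqn) + amf + f1(self.k, rand, self.sqn, amf)
        return rand, autn, f2(self.k, rand)


class RogueCell:
    """Attacker-run cell: no K, so AUTN can only be guessed."""

    def vector(self):
        return os.urandom(16), os.urandom(18), None


def attach_3g_4g(usim: Usim, cell) -> bool:
    """Run one AKA exchange; True only if both sides authenticate."""
    rand, autn, xres = cell.vector()
    res = usim.umts_challenge(rand, autn)   # raises AuthError on a rogue cell
    return hmac.compare_digest(res, xres)


def attach_2g(usim: Usim, rand: bytes) -> bytes:
    """2G: the USIM hands back a valid SRES to whoever supplied the RAND."""
    return usim.gsm_challenge(rand)


if __name__ == "__main__":
    K = bytes(range(16))                     # constructed shared key
    print("legit 4G:", attach_3g_4g(Usim(K), Network(K)))
    try:
        attach_3g_4g(Usim(K), RogueCell())
    except AuthError as err:
        print("rogue 4G:", err)
    print("rogue 2G still gets SRES:", attach_2g(Usim(K), os.urandom(16)).hex())
```

Running it, the legitimate network passes, the rogue 3G/4G cell is rejected at the MAC check before any bearer is set up, and the rogue 2G cell receives a valid SRES it can relay to the real network. That asymmetry is what the "disable 2G" advice rests on.
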
And there are tools to avoid even scanning for public wifi networks, to prevent e.g. in-store tracking: Smarter WiFi Manager remembers where you've used wifi before based on cell-tower location, and disables it elsewhere. Works like a charm for me.

> This is obviously bad because if someone is using an e-mail account on their phone for banking, an attacker could gain access to account recovery.

I'm still using an iPhone 4 with iOS 5.something on it; it's obviously un-patched or anything like that. The secret is that I don't have any banking applications installed on it, nor is my email attached to any recurring payment scheme. The even deeper secret is that I don't have an online banking account set up with my bank at all, as I don't trust any of the banks with their online security. I chose to eat the opportunity cost of actually physically going to the bank over the sometimes illusory security and ease of use offered by online banking.

The difference is that you are a well-read Hacker News enthusiast who comments on threads relating to OS security, i.e. one of the 0.001%, whereas >99% of the people affected have no idea what dangers await an out-of-date device.

The problem that you don't notice is the lack of security updates.

FWIW, the linked article doesn't track security update status at all. It's graphing percentiles based on API version, which correlates only weakly. A vendor with a correctly patched but old OS would show up as "out of date", but one that missed or is late on important security updates on a recent version is "current".

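Added example illustrating the distinction drawn above, not code from the article: parse `adb shell getprop` output and report the API level and the security patch level as separate axes. The property names are the real Android ones; the two device dumps are constructed samples, and the thresholds (what counts as the current SDK, how many months a patch level may lag) are the caller's policy, not anything the article defines.

```python
"""Added example: API level and security patch level are independent."""
import re
from datetime import date

# Constructed samples in `adb shell getprop` format (not real devices).
SAMPLE_OLD_API = """\
[ro.build.version.release]: [7.1.2]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2017-10-05]
[ro.product.model]: [example-old]
"""
SAMPLE_CURRENT_API = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2017-05-05]
[ro.product.model]: [example-new]
"""

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.MULTILINE)


def parse_getprop(text: str) -> dict:
    """Turn '[name]: [value]' lines into a dict."""
    return dict(_PROP_RE.findall(text))


def months_between(older: date, newer: date) -> int:
    """Whole calendar months from older to newer (patch levels are monthly)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def assess(props: dict, today: date, current_sdk: int,
           max_patch_age_months: int = 3) -> dict:
    """Classify one device on both axes. A build with no security_patch
    property (older builds may lack it) is treated as stale."""
    sdk = int(props.get("ro.build.version.sdk", "0"))
    patch_str = props.get("ro.build.version.security_patch")
    patch_age = (months_between(date.fromisoformat(patch_str), today)
                 if patch_str else None)
    return {
        "model": props.get("ro.product.model", "?"),
        "sdk": sdk,
        "api_outdated": sdk < current_sdk,
        "patch_age_months": patch_age,
        "patch_stale": patch_age is None or patch_age > max_patch_age_months,
    }


def assess_dump(getprop_text: str, today_iso: str, current_sdk: int) -> dict:
    """Convenience wrapper: raw getprop text plus an ISO date."""
    return assess(parse_getprop(getprop_text), date.fromisoformat(today_iso),
                  current_sdk)


if __name__ == "__main__":
    for dump in (SAMPLE_OLD_API, SAMPLE_CURRENT_API):
        print(assess_dump(dump, "2017-11-15", current_sdk=26))
```

With the constructed dumps, the API-25 device is "outdated" by the article's measure yet carries a one-month-old patch level, while the API-26 device is "current" with a six-month-old one; a vendor's real behaviour shows up in the second field, not the first.
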
Do vendors distribute security patches?

Right? It may still largely be functional, but I would never trust that device in the open, it's just ripe for a bevy of attacks.

I really wish Google would expand their service lifetime on their own devices, because I feel 2 years is really too short.

Two years is completely too short, even three years if you purchase mid-cycle is not enough.

I own Nexus 5X's on Project Fi; one bootlooped and was replaced, the other is still going strong after ~20 months. I also have a Pixel XL acquired about 7 months ago. Both of those should outlive the updates, and since I'm giving Google the money directly, they should take care of their customers.

Far from an Apple fan boy, the 2016 MBP and 2017 iPad do not worry me about getting forgotten in the ever ongoing updates.

Two years is too short but once you get on the extended warranty loop you can basically get another 2/4 years of new phones on the cheap.

For the 5X's, they were a great deal, and it would cost more than the phone to get into the extended warranties. Not worth it for our purposes. As long as they keep working, we'll keep using them.

It is 3 years now with the new pixel. Still too little in my opinion.

If you genuinely only use the phone features of the phone, that doesn't matter anywhere near as much. You only need to update if someone finds something like a text messaging buffer overflow. That sort of thing generally makes the news these days.

You can but hope that once it’s old enough, the hackers will stop worrying about supporting it.

When "the hackers" consist of the CIA and NSA, you can be sure that they will not.

Take a quick look at the Vault7 leaks for a reference.

The only impact?

You are a walking vulnerability. KRACK, Blueborne, just to name a few recently highly publicized vulnerabilities.

You are like the perfect exploit, just waiting to get pwned. You are, Bill Harper.

I, like the parent poster, am running the latest update for my phone. Yes, I know I'm a walking vulnerability, but short of purchasing a new phone, there is nothing I can do about it. IIRC, updates for my device were cut off before it was even out of warranty, and I'm sorry, I'm not dropping — I can't drop — $600 every year and a half on new hardware just to get new software. Vendors need to support devices for the actual lifetime of the device.

It's really not your fault. But collectively we should care more about this and hold vendors accountable for continued security of devices they sold us.

AFAIK Microsoft and Red Hat are the only ones who do a good job of patching security bugs on older OSes.

You don't have to drop $600 every year and a half. Which would only be $34 a month over that period.

You can drop $600 every 3 years with google devices and have monthly security updates. You could save $17 every month for that 3 year time to buy the next phone.

If you want to stay secure you will; if it's not a priority you won't.

Which is a waste of money for a device that otherwise is fully working.

The beauty of consumerist society and digital waste.

Except Google stopped selling $600 devices.

The Pixels are incredibly overpriced given the hardware. I bought a Nexus 6P when they got under $400 and I honestly don't know what I'll do a year from now.

Or you can spend $200 and get a pretty good, non-flagship phone, with software that's (usually almost) as up-to-date as the flagships.

KRACK is essentially irrelevant, the security models of the OS and any sane applications will assume that the network is compromised (e.g. starbucks wifi).

Blueborne on the other hand, is very scary.

Most wifi router vendors have STILL not fixed the KRACK vulnerability. Looks like most companies don't care about user security at all.

From that side, this is why I insist on only buying devices 'supported' by OpenWRT / LEDE.

LEDE, thanks to being open source, had a patch within days, which worked across all supported devices.

I would honestly just prefer the manufacturers 'give up' in house router software and instead contribute to the community software.

KRACK only compromises the client, not the AP (unless you have one in relay mode or something)

So? The issue is on the client side. Unless you use wlan client, or repeater stuff with your AP.

I've got a Samsung S4 laying around that I hadn't used for years (it's 4 1/2 years old). Recently I fired it up just to check some things. As expected, it still runs beautifully for normal Web use across all sites. Other than the small form factor (which some people may prefer), it's easy to see how consumers might stick to older phones.

I'm tempted to dust my old Aviator off and repurpose it as a gba emulator or something.

Except for the old Android, I don't see any problems with my S4, so I'll be using it for another 2 years. And I actually prefer that size; it's easy to use with one hand.

I used my S3 until it died on me, a couple of months ago.

The S3 and S4 were pretty nice! Very slow flash, like every other Android back then, but good screens and very capable GPUs. (Since then screen size increases have outpaced GPU speed bumps, so modern phones don't always draw any faster.)

> I've got a 7 or 8 year old Google Nexus phone.

There's probably an Android O ROM out there that someone on XDA has compiled for your device.

Hosted on a dubious server with no guarantee at all there is no malware in it.

It's remarkable how fishy the whole ecosystem around Android ROMs and flashing tools really is.

95% of the posts are in barely comprehensible English. Seemingly every guide tells you to run a random binary from a file sharing host or generic domain.

As a rule, source code is non-existent. Downloads are attributable to a forum handle in the best case. Oh and you have to run it with elevated privileges to both your host computer and the device. Even the shadier warez communities have more accountability and trust.

In my opinion Google has really done a huge disservice by dropping support for their devices so rapidly and condoning planned obsolescence by handset manufacturers. They are directly responsible for channeling a significant fraction of Android users into this mess.

Yep. It's better than it was - most XDA developers understand what a GPL violation is.

I imported my Galaxy S8+ to save over $400AUD on retail. This meant I needed to find a ROM on an obscure site to flash to the phone using a stolen (?) piece of factory software. I can only trust my phone because a Samsung in default configuration won't accept a "modified" update - only one from and signed (?) by Samsung themselves.

Is LineageOS still using "test-keys"? It's been possible to do much better for years: https://mjg59.dreamwidth.org/31765.html

> using a stolen (?) piece of factory software

If you're referring to Odin, there's an open-source alternative in Heimdall (https://www.glassechidna.com.au/heimdall/).

>using a stolen (?) piece of factory software

You mean ODIN! That's probably leaked. Many good memories of that tool.

Android is as mature as Windows XP, every vendor has their own where they customised everything and no-one has a pristine one. And also the pre-installed ROM is also often the same quality as the warez.

I trust the community on XDA composed of actual users and developers who are also users, more than the faceless corporation whose profit largely comes from extracting as much of your personal information as possible and monetising it.

I’d rather trust a faceless corporation with a reputation to keep over a bunch of faceless anonymous dudes on a forum.

They're not anonymous, they're pseudonymous, which also means carrying a reputation; and if anyone tries to deceive, the community is not entirely full of idiots, unlike what a lot of others in this subthread seem to imply --- all it takes is for someone to find out and provide proof, and the news will spread widely.

The fact that people seem to be scared of and are basically unwilling to make their own decisions of trust in deference to central authorities says a lot about the state of society today... "distributed trust" and communal free sharing was the norm, until companies started to herd users into their walled gardens and control them by using the "security" argument.

No matter who you choose to trust, there is going to be no insurance that vulnerabilities are actually fixed. It's not a magic bullet.

We are talking about a Nexus here so I can't really say that since it's Google but otherwise there's no guarantee that the ROM you have pre-installed does not have malware either.

Well, you’re free to compile the code yourself…

Yes and I'm sure that most people have both the time and the technical acumen to go through every line of the source code and ensure that there are no security vulnerabilities

Yeah, after all there are only several millions of lines of code. When they even share the code used for their builds, which is rare.

It's Android; its entire reason for existence is to be a malware platform.

Why would making and receiving calls and texts and checking email not work on current devices in a couple of years ?

No, the OP means any new phone will just be obsolete again in a couple of years, so why bother if their current obsolete phone is good enough anyway.

Ah, I see :-D. Thank you for the clarification.

One fact I was not completely aware of: even if you have updated your Android device with a custom ROM (e.g. Lineage/Cyanogen) to a newer Android version, you most likely still have an old kernel.

So yes, I am very happy that I can still run Android 7.1.2 on my 5-year-old S3, but at the same time it runs on a 3.0 Linux kernel, which was originally released in July 2011. As far as I know, that is because some drivers (e.g. the graphics driver) are closed source and are only available as binaries. Therefore, they were never properly integrated into the Linux kernel source, and when the kernel changes nobody cares about them.

Yes, I know about the discussion about stable ABIs, but even with a stable ABI I would still be stuck with an outdated, buggy graphics driver, because the kernel developers only care about source they can access.

To sum it up: I would like to have a product which does not only have an up-to-date userland software, but also a more or less current kernel.

I don't think they just drop in an older Linux kernel. I think Android is more like a Linux fork these days. The current version being based on an older/stable Linux kernel.

If Android updates never touched the kernel, how is it that drivers break? They must be updating the kernel too.

Love the HN crowd here explaining that staying still on old tech full of security holes is a-ok. :)

Both Android and iOS have made awesome progress on all fronts, from security to stuff like AR and ML.

You can now have a supercomputer in your pocket - just using it for phone/texts is such a waste.

> just using it for phone/texts is such a waste.

I'd argue the real waste is throwing away a fully-functioning device full of rare-earth metals and other niceties every two years.

It is. Which is why if you buy an iPhone you can use it for more than two years and still receive security updates, as opposed to Android.

Or you do what I do: https://news.ycombinator.com/item?id=15693586 (not without problems of its own, I easily concede)

Well, I do not need a supercomputer in my pocket (and I guess most people don't). Phone and text plus a decent browser that honors my privacy and security will do.

Music app, Maps and perhaps Youtube as luxury but beside that?

I would rather like a smartphone under $100 that I can replace every year and not worry about when it breaks or if I lose it.

If you trust them, Huawei has some decent phones in the € 120-150 price range. Nothing super-exciting, but for the use case you describe, they are perfectly cromulent.

Some of us just don't care that much about the newest fastest shiniest thing, or if we do, we care more about all the money spent and/or physical waste that goes into churning through devices all the time.

If companies are dropping support after two years and forcing users to buy a new device or face major security issues, I say the complaints shouldn't be directed at the users not constantly buying new devices, but at the companies creating devices with such a short planned obsolescence.

I have better things in life to spend 600 € on, a mobile phone isn't one of them.

> just using it for phone/texts is such a waste.

What else would you suggest I use it for? It's worse at pretty much everything except GPS than my desktop or laptop.

You take pictures with your desktop or laptop?

Not the OP, but having an actual camera for special events solves that one pretty easily. A map in the car, a sketchpad for notes - analog has its perks.

> Love the HN crowd here explaining that staying still on old tech full of security holes is a-ok. :)

It’s disheartening when a forum full of supposed tech enthusiasts starts to morph into a bunch of paranoid tech Luddites. That is what, imho, killed Slashdot. Every post was full of comments slamming anything new. Eventually it just got toxic and boring. Who wants to hear a bunch of paranoid outliers brag about their 8-year-old phone on a forum like this?

The tech industry is constantly changing. If you can’t handle it, you should go into something else...

Almost nobody is slamming new things. They're slamming the OS update process. And it very much deserves it. It's not a criticism of the new versions themselves.

And keeping up with tech doesn't require constant purchases. You're not a Luddite because you use something for more than three years, for crying out loud.

Harsh tone but 100% warranted imo. It’s fascinating to see so many otherwise smart people completely fail to understand the changes around them.

It's harsh because there is no way to sugar-coat it. This post is full of people bragging about running 9-year-old phones with ancient, highly vulnerable operating systems. On the same forum that has people bragging about being child geniuses and making posts like “I’m assuming that just by reading HN you have an above average intelligence”.

No. You don’t get to claim you are “above average intelligence” when you brag about downloading OS updates off sketchy “community” forums and then make posts like “better than some faceless corporation”. That isn’t intelligent. That is just being stupid.

Ever hear of the Dunning-Kruger effect? Some folks need to go read about it and then smack themselves upside the head.

Seriously. Paranoid tech Luddism is an eye-rolling, tedious, boring circlejerk. Go back to your green screen, gramps. I’m sure it is good enough for anything, but I like my 4K color monitor, thanks.

...Keep that stuff out of tech forums because it is cancer. Sla

I am happy for you, that you can afford spending several hundred euros/dollars/yen/whatever every couple of years for OS updates.

Majority of us have better things in life to use our money for.

However, a large number of people on HN are software engineers who make their living writing software for these devices; it would seem like a crowd that loves tech like React “Native” might consider the latest devices somewhat important to their business. If developers are running old devices and old OSes, then it follows that they aren’t developing around the latest capabilities because they themselves don’t use the latest capabilities. For a “progressive” crowd, it sure seems like there are quite a few reactionaries.

This “keep my older device” argument makes perfect sense if you are an end-consumer but it makes no sense if your business is building software. Software developers ought to consider it a minimum requirement to be on the cutting edge. We should be leading the way and not doggedly hanging on to older tech.

If we were house painters, then running a 5 year old device makes no difference, but if we are supposed to be building the future, it’s illogical to be obsessed, almost to a hipster-degree with running outdated equipment.

It’s Jay-Z rocking an 8-track.

Just because I am a software engineer, doesn’t mean I am willing to spend more than 600 euros every three years for the privilege of having an updated device.

There are more important things in life.

If Google wants us to actually use the latest features, then they should force OEMs to upgrade to Treble and push updates to their devices.

Not to force us to buy an Oreo device, hoping that this time around OEMs will actually push updates on ALL devices.

> If developers are running old devices and old OSes, then it follows that they aren’t developing around the latest capabilities because they themselves don’t use the latest capabilities.

And what are these latest capabilities? As a user, the only difference between Android 6 and 7 that I noticed is the redesigned notifications. Between Android 7 and 8, I don't even have an idea. I don't care for the latest Google or Apple assistant; so all this is not enough of a reason to drop 600-100 EUR on a new phone.

Hand-waving about "latest capabilities" is even less of a reason.

Having to wait and sometimes pray for your vendor to ship an update is why I chose to stick to the Nexus line of phones until it ended.

My next device may or may not be a Pixel, but the above, coupled with the shitty "value adds" like custom file managers and stuff that Samsung et al tend to cram into their already bloated Android implementations, pretty much guarantees I'll never buy a Samsung or similar.

My wife's Galaxy S3 was slow the day she got it, and it only went downhill from there, to the point that a spare BB Priv felt like an upgrade to her. At that point the Priv was already 2 years old.

edit: can someone explain the down votes? for real, I thought this was a pretty level headed comment. is it just that I dumped on Samsung?

Would be great if Google made a phone that was affordable. As it is now your choices are spending at least $600 or more to get a phone that will be supported, or buying a phone that probably comes with an outdated Android out of the box and that will never get an update.

Did you see the new Android One phones? Google does updates for them and they are quite affordable. The Moto one is $400-ish and the Xiaomi is $200-ish.

The Moto X4 sells at $400 and the Xiaomi A1 is not available in the US yet (you can get it for ~$220 on some websites).

Note Xiaomi A1's system update is not handled by Google according to Wiki.

You're right about Moto. I'll fix my post. Can you send me a link to the source for the A1? I'll try to check on it.

I just searched Xiaomi A1 on Google Shopping and there are several results and all looks legit.

As a developer, I need a device that gets Android DevPreview releases, so I can see if my apps work on real hardware before users try them. (The emulator sucks, and you never know if a bug is caused by the emulator or the app.)

Currently that's only the Pixels, which sell for between $900 and $1300 in Germany.

Yes I agree it is a sad state of things.

As a long time Nexus user (back to Nexus S), the clean OS and updates were always the selling points for me.

With Pixel now dropping the headphone jack, I'm starting to look elsewhere. Here's hoping I get some more life yet out of my 5X.

Looking at Android One devices for the spiritual successor of the utilitarian Nexus 5. No headphone jack is a dealbreaker.

Make sure you are regularly backed up. Anecdote, but mine bootlooped -- and that's with quite gentle care. A friend's bootlooped a couple of weeks later.

Second that. I bought three Nexus 5x for me and my family. Two of those bricked themselves without warning.

Plus I keep reading these stories over and over again. Multiple anecdotes in the discussion to this article alone...

Both got repaired (mainboard replaced) under warranty without issue. I'm still happy with the phone and haven't found anything comparable considering the price (270€ approx. 1 year after release), but you definitely need to have a solid backup strategy.

My 5X bootlooped, so I bought a Pixel. I want to go back to the 5X, that was the best phone I've ever had.

It's sad Nexus got replaced by Pixel, which is extremely expensive in comparison.

I liked running LineageOS or CopperheadOS on an inexpensive device with good updates.

That said, some cheap devices which are well supported on LineageOS have decent updates.

Updates for 2 years, security patches for 3: http://www.androidpolice.com/2015/08/05/google-announces-new...

That is still way too short, especially if you don't buy it on release day. If you buy a Nexus device 12 months after release you've already lost 1/3 of its effective lifetime.

I bought a Galaxy Nexus for Android app development in September 2012 and it lasted me less than a year before security updates ended. I specifically picked that phone because it was supposed to be the best choice for always receiving the latest Android updates.

5 years ago you unluckily bought a Nexus at the exact point in time where it had the shortest support window in the whole history of the Nexus/Pixel line.

> can someone explain the down votes? for real, I thought this was a pretty level headed comment. is it just that I dumped on Samsung?

That's a good question.

Fwiw I like my first gen pixel xl.

For most users, the phone works and they don't care.

For everyone in my family, iOS updates are just an annoyance.

Yes, I think user apathy has to be a big part of it.

I have a 2012 iPhone5 with iOS 6.1.3 still on it. I never upgraded it. When iOS 7 came out, all the news reports said it killed the battery. Same with iOS 8, 9, and finally iOS X.

Yes, I assume that eventually, iOS point release 7.x.x fixed the battery issue but I don't care to keep visiting news websites to figure out which exact version is finally "safe" to upgrade. I don't want to be a slave to the housekeeping of my phone.

Others say the news reports are alarmist -- all one has to do after a new iOS release is to dig into the settings and disable all the new features/polling/etc that eats up the battery. But it's the same situation -- I don't want to put the effort into learning "what's new" that I have to disable.

On the other hand, I'll quickly upgrade major releases of MS Visual Studio from VS2015 to VS2017, or upgrade Webstorm from 2016 to 2017.

I was puzzled over my contradictory approaches to updating software. I think I figured it out: my phone feels like an "appliance" to me instead of a computer and I don't want to mess it up. Another reason is that Apple won't let me pick an exact version to upgrade. I can't pick iOS 7.1.2 -- I'm forced to upgrade to the buggy iOS X or nothing at all.

As a result, I have willingly performed an "IE6" legacy lobotomy on my iPhone.

(As trivia, I also notice that iPhone5s on ebay that still have iOS 6 sell for a slightly higher premium.)

It doesn't help that "upgrading" an iOS device is a one-way ticket.

Religiously updating the original iPad effectively bricked it (not literally, but to all intents and purposes) years ahead of its natural lifetime, due to one particular major release that killed performance, reliability and battery life in one fell swoop.

If there's no going back, why would you risk going forward?

My iPad 2 is still actively in use on iOS7 (it was better on iOS6) and I was using iPhone 4S with iOS6 until the end of last year. Many other people reported bad degradation on iOS8/9.

Security fixes, new features, etc.?

If you risk losing the old features, that probably doesn't sound too attractive to most people.

Anecdotally my iPhone6 16gb became way more usable with iOS 11. I went from always running out of room to now having a lot of space. I use https://photos.google.com/ all the time so I rarely have more than 200mb of media on my phone. For me the OS footprint shrunk quite a bit and as a result the phone became a lot more usable.

I wouldn't always believe those "the update made my phone slow" stories you see whenever there is a new OS. Many seem to be pre-written by the haters and always posted regardless of what the truth is.

> (As trivia, I also notice that iPhone5s on ebay that still have iOS 6 sell for a slightly higher premium.)

This is probably because it has a better jailbreak scene around it than newer versions of iOS. Also, just as an FYI, the latest version of iOS is 11, and they're not numbered using roman numerals.

The latest version of iOS for the iPhone 5 is certainly 10. 11 dropped support for 32-bit phones, and the iPhone 5, along with the 5c, were the last 32-bit iPhones.

Because anecdotal evidence of "everyone in your family" is more relevant than the numbers that Apple post that usually within a year, an overwhelming number of iOS users are on the latest version.

People in your family don't care about security?

Honestly, no. Do you take your car in for service the moment your car dash light signals for an oil change? If you aren't in tech, you aren't going to see a pressing need.

I won't let my wife log in to our brokerage because she insists on using dictionary words as passwords. My parents tape their passwords to their laptops. Heartbleed is way down the list for them.

The biggest security threat is still phishing, to which we all remain mostly vulnerable.

They care about security, but most have no clue what is happening, why it's happening and what they should do about it when normal channels fail to help them.

Have you spoken to the average user of phones and tablets?

They don't even understand what security means in context of their uses of these devices a lot of the time.

Does this seem like a trend that goes beyond just tech products? Clothes, appliances, furniture (with fiberboard) all seem to have lower longevity today, whether it's from lacking updates/service or just lacking durability.

Might be survivorship bias. You only remember old furniture that survived long enough for you to see it...

> all seem to have lower longevity today

And they cost significantly less than in the golden days of yesteryear or whatever passes for the mythical past these days.

I would certainly be interested to read a comparative analysis of service lifetimes of various appliances, as long as it’s backed by hard data.

Otherwise, it’s just survivorship bias: https://en.wikipedia.org/wiki/Survivorship_bias

it could be some combination of planned obsolescence and worse-is-better at play.

I still have a Nexus 7 running KitKat 4.2, as I dislike the Material look, and for newer Android versions I always go with phones that ship with a customized UI that better corresponds to my aesthetic sense. Disclaimer: I am a visual artist as well and hate it when somebody enforces a certain style, in my case anything flat, low-contrast, or confusing, where my brain has to spend >20ms identifying controls.

Are you concerned at all with security of the device? Just asking because I know lots of people who stick with older droids and none seem to care.

Sure I am concerned and am pretty well-versed in advanced cryptology myself and protocol/stack weaknesses/exploits. Frankly, Android lost me when I once bought a new phone and after installing a few apps from play store it was spamming me like crazy and discussing stuff with servers in China. Since then I use all Android devices for harmless stuff like browsing while in bath/sauna, controlling my DJI drone, navigation device on my bike, watching edX/Udacity/Coursera/Udemy etc. but never for serious stuff. For serious stuff I use Sailfish on a recent Jolla phone instead with customized security stack compiled from sources (security by obscurity as well).

Old device user here. The frequency of exploits is going up, so older devices with few features and small attack surface are safer than new devices with the bells and whistles and a bigger attack surface. Basically, fuck you to the assholes pushing updates. They are doing it wrong and I reject them. I will accept no update with antifeatures, no matter how much they say it is good for me.

The old device runs a complete browser with network access and daemons etc. It seems like all of the bells and whistles were already around for quite some time.

That's why I only buy phones that are supported by LineageOS (usually second hand). Not ideal, but it's the best I've found so far.

I guess paying $150 for a fully up-to-date phone that was worth $700 just two years ago isn't such a bad deal.

The last time I tried to install LineageOS on my phone I had to execute a non-reproducible binary from some anonymous haxxor to flash the OS. I remember I could have built my own image from source, but the only documentation was spread over a thread on a message board with a couple hundred pages... and if you screw up your build you brick your device.

I remember that with a very, very old HTC. The bloody thing only had 256 MB of storage or something. Everyone around me was convinced it was better off in the trash.

Then i found some crazy Russian developer that managed to shrink Cyanogenmod 11 to something extremely small. It was functional once again, although very slow and a little useless because it can't work with the current size apps. I learned a lot that weekend, which is always one of the main goals.

Bricking it is near impossible once you get the Clockwork bootloader running.

You never have to do that if you choose your phones well.

How do you flash LineageOS onto a well chosen phone? Don't you need something like TWRP?

Yes, you usually flash TWRP, then Lineage.

And how did you build TWRP from source, or where do you get a reproducible TWRP build from? When I checked some months ago, there was pretty much no documentation available on how to build TWRP from source for my phone. The pre-built TWRP binaries were not reproducible.

I just use the prebuilt binaries. But saying it comes from "some anonymous haxxor" isn't fair to TWRP. The situation is no different from the vast majority of binaries we run (unless you run Gentoo maybe, but if you don't audit all sources I don't see how this adds value).

I wonder if Google will brag about that number at its next I/O event. "We're now at 1.3 billion outdated Android devices in-use" - Applause

I've lost hope that Google will ever do anything meaningful about this situation, when they can't even approach the iPhone in updates with their very own Pixel devices. This is despite now having a standard hardware abstraction framework for their devices and having a kernel that will be supported for 6 years. Even so, they can't commit to updating their devices for at least 80% of their lifecycles.

What's a smartphone lifecycle? Well it's certainly not 2 years. The 2 year old phones will not just be thrown into the garbage. They'll either be sold on second hand markets or they'll be given to other family members, who will then use it for at least another 2 years themselves.

Google, and really all makers of "smart" devices, should be supporting hardware at least until only 10-20% of those devices remain in active use. Kind of like how Microsoft couldn't quit supporting Windows XP when it was at 20%, even though it was already like 12 years old. Only when Windows XP got to below 10% or something, Microsoft stopped supporting it for consumers at least, and even then it will be supported until 2019 for enterprise customers.

Ideally this is how all devices should be supported - until they have fewer than 10% of the customers use them anymore. But as an absolute minimum, they should at least follow the 80/20 power Pareto principle, and update the devices until less than 20% of the people use them anymore.

I know this logic isn't totally alien to Google because they are applying it to the supported OS versions by their Play services and APIs for Android.

If 25% of the Pixel 2 devices (which come with Project Treble and a 6-year supported LTS kernel) are still in active use after 3 years, then Google should be supporting the Pixel 2 for at least 4 years (at least with security patches). But as I said, this should be the bare minimum, like something I'd expect from LG. Google should not stop support until fewer than 10% of the Pixel 2 users have stopped using it.

> We’ve seen that Android devices appear to be getting more out of date over time. This makes it difficult for developers to target “new” Android API features, where new means anything introduced in the past few years.

This used to be more of a problem, but the support library deals with this more nowadays. Not for every change and new feature, but for most of them.

If you don't mind answering, I'd love it if you could provide an example or two of features that are implementable enough with support libraries, but would be a pain to build without them.
RecyclerViews are only implemented in the support libraries, even for newer versions of Android. I haven't used Exoplayer personally but by reputation it does all of the hard media stuff for you.

I don't believe that's the kind of feature being talked about. Rather than new controls, I think they're talking more about new things to do.

Not OP, but:

Most of the graphical widgets in Android apps come from the support lib.

The most complex and important is probably RecyclerView: it allows you to implement recycling lists of items and replaces the framework implementation.

It is not even part of the base framework since it is way more convenient to update it independently from the OS (and as a dev, you only have to handle whatever version you ship your app with).

There are shims for many of the framework features too, for example notifications or media.

Overall it makes the dev experience very smooth.

IMO the problem with the lack of updates is mostly security.

For a recent example, Google announced at I/O that it had Android architectural components in beta. They were officially released last week, and can be accessed via AppCompatActivity, and on older Android versions via the support library. For example, the method call getLifecycle(), which is associated with these Android architectural components, is new.

The support library helps a lot, but will never be a complete fix either. Support for KitKat, for example, is beginning to wither, while appcompat had kept it alive for years.

The obvious thing to say is to just get a Nexus/Pixel device and enjoy your updates but I'm sure this isn't an option for some people.

I think the best thing that you can do to ensure you still get security updates is either make sure you get a device with an unlocked bootloader or hope there's a root exploit available so you can put something like LineageOS[1] on it.

I picked up an Essential Phone (on the cheap) for the former even though they appear to be getting timely updates so far (one day behind pixel) if you're willing to sideload with adb (and promises of support for 3 years). Also managed to grab it for < $150 TOTAL (sprint lease after buyout on day 1). They really seem to want to offload some of the stock.

I don't think I'll ever buy an android phone that's not a pixel (formerly nexus) that's not unlocked again.

[1] https://lineageos.org/

Edit: On second thought some of what I wrote is probably not correct[2].

[2] https://twitter.com/CopperheadOS/status/852833915073056769

>The obvious thing to say is to just get a Nexus/Pixel device and enjoy your updates

... for 2 years.

... if you buy it on release day.

It's 3 years now with the Pixel. The Google branded devices have always received timely updates. That's the only point I was trying to make. I'm not saying this is ideal, just pointing it out.

Also unless you get the Verizon version it's going to be unlocked so you can load whatever you want on it.

Nexus 5X and 6P were always 2 years of Android version updates plus another year of security. They have recently increased that by a month or two.

Add me to the list of Nexus users who like plain Android with guaranteed updates but don't really want to pay $650+ for our next phone.

Perhaps the real problem is sloppy development practices that make staying up to date so important.

Unfortunately, nothing is going to change because the companies making these phones (and other software based products) see it as a way to drive sales.

It's even more fundamental than that. The world is built on C and C++, both of which were designed a long time ago and without safety and security in mind.

That's true, but it is actually possible to write C and C++ safely, it's just really difficult and really expensive and requires a lot of discipline, so it's not very fun.

So crappy code is cheaper to develop in the first place, and then companies can sell more down the line when new versions have bug fixes and security improvements. There's really no incentive to change anything.

Stop bundling antifeatures into security updates and maybe people will want them.

Why are software updates, and especially security bug fixes, not covered by the manufacturer warranty as they are with hardware issues? Or maybe they are, but no one enforces that?

In other words if I buy a phone with 2y warranty (a standard duration in many European countries) it would be reasonable to expect that any security updates (device fixes) will be provided in a reasonable time within that period starting from the purchase date.

My ye olde Samsung Galaxy S4 mini has better software support at lineageos.org than Google or Samsung ever provided. LineageOS even plans to support Android 8 on it!

It has better hardware support at aliexpress.com than any other phone shop.

In its very small lifespan it has become the most modifiable, hackable smartphone I've ever owned. :)

Sadly this is the only way to successfully update my outdated Android device. :(

Part of the reason for this mess is the greed of manufacturers; they want us to buy new devices every 2 years. Consider mid-range devices from OnePlus, Xiaomi and Samsung: these are intentionally sold at a lower price to users who like budget phones, and if you look at the device manufacturer distribution list these devices top the list in number of units sold. This is especially true in developing countries. These phones seldom get updates after the (T + 2) cycle.

I hope that with the introduction of Project Treble this trend can be reversed. Google is literally forcing these greedy manufacturers to include Treble if they ship devices with Oreo and above, but this doesn't mean we will see updates as frequent as iOS anytime soon. One thing I observed lately is that after the announcement of Project Treble almost all manufacturers are releasing newer phones with Nougat 7.1, which is funny considering that it's mid November now and Oreo was released way back in August.

Up until very recently if I had an old 386 I could still install modern Linux on it and use gnu apps.

Whereas if I have a 2 year old phone the official story is: no it totally doesn't work, throw it away.

This is garbage. Phones are a lot more powerful than that 386; what's different is no one is building to any reasonable standard. Kernel updates should just work.

I'm one of those people. Still using a US$100 Asus Zenfone 4, running Android K, with 8GB internal memory and 1GB RAM. My phone is still looking and running good, no scratches, and no lag. I only use 1.56GB of internal memory for apps, nothing fancy, just some apps that I truly need.

The reason I'm not considering upgrading my Android is because of this article: It's The User Experience, Stupid.[0] I have already seen Android O in action, and some of the newest Android devices, but I don't think it's worth my money. So, I'm planning to keep using my 3 year old phone until it's dead.

[0]: http://usabilitypost.com/2008/12/03/its-the-user-experience-...

Outdated device user here. (Android 6.0)

I bought a Google Nexus 5 so this wouldn't happen. But apparently it did anyway.

Flash some custom rom (LineageOS for example) and you'll have all the updates you want.

I have an obscure low level Oppo device from Asia. It's hardly up to date, but it is still more than I need, plus it provides a 2 day battery life even after a year of use.

I think we just reached the point where phones grow in specs we don't actually need.

The thing is I use my phone mostly like a public wifi. Trust nothing.

What about security updates?

Oppo no have. But no seriously there still are some but AFAIK they stop next year.

See also: https://androidvulnerabilities.org/

They used more fine grained tracking on vulnerabilities vs Android versions in the field. Shame they haven't kept updating it.

I didn't see it in the article, and so I wonder what the country breakdown for this might be. I get the impression that in the developing world, where android has really taken off, the ability to receive updates is diminished.

Importantly, in China, the biggest Android market, none of the phones access the Play store, so that entire country will be omitted from the data. I'll bet they're not getting updates either.

In Germany most cheap phones (about 100 € price tag) that you can get in big chains like Mediamarkt, are still running 5.x variants.

I do not enjoy phones except for pocketable phone, camera and map. I still have an old stubbornly adequate Moto-G. Chromebooks are cheap lightweight browsing and light typing devices. They work better than fine with no surprises.

This is why I will only ever buy the OnePlus brand at this point. I used to buy Nexus until they started skyrocketing the price (Ting user here) not to mention my last nexus bricked itself when the battery got low.

Is OnePlus good at updates?

With CopperheadOS going non-free, but still open, and Pixel getting an order of magnitude more expensive than Nexus I'm looking for alternatives to run LineageOS.

No it's not; the OnePlus One was killed very quickly. Not to mention it has its own privacy concerns atm.

You know, they are not perfect; I've seen them between 2 and 5 months behind, typically 2 months though. But it beats Samsung and all the big brands: they update all their older phones, not just the latest.

This comment is absolutely meaningless. You realize none of the models you mention have open sourced drivers, right? Thanks to two or three companies that refuse to share their super secret (ha, it is all commodity) code to power the modem, camera, digitizer, SoC, etc.

All those devices will continue to only be supported for <4 years (in the very best case!) and then off to increase the "outdated devices" count or the landfill!

The model I'm using, Nexus 4, was released 5 years ago to the day. Via a community ROM it still receives monthly AOSP security patches, albeit on a prehistoric 3.4 kernel and vendor abandoned binary blobs.

If I had a spare $600 I might be inclined to support the librem-5 efforts of running a mainstream kernel with lifetime updates.

I have an old HTC Inspire (circa 2011) I still use in my kitchen to control a stereo system. I'm shocked anything on it still works. It's probably a terrible security vulnerability I should throw away.

I have a Galaxy S2 Skyrocket that I use for music in the children's room. It's fine as long as I don't reboot it. Takes like 8 reboots to get it to recognize the storage.

If it is a problem to update smartphones, I just don't want to imagine the nightmare that is going to be on our doorstep with IoT updates...

To borrow another quip -- the "U" in IoT stands for updates.

Just like the "S" in it stands for security.

What do you guys think of Lineage OS and Open GApps?

I put them on an old Nexus 7 (2013) tablet, and they run well. How trustworthy are they though?

I'd strongly argue that they are more trustworthy than the crap that comes pre-installed on most phones by the manufacturer nowadays.

Those billion outdated devices are the low hanging fruit screening me and my fully updated iOS device. I can be confident that casual attackers aren't coming after me, only the higher tier ripoff artists gunning for iOS users and the APTs who are attacking my company specifically.

No, with certainty your private information has already been stolen or sold once or even multiple times. Equifax is just the hack you know about. Insider threats are common and your identity is surely sitting in some giant tarball that is bought and sold. Until society reboots you with a new SSN, new credit score, new drivers license...you are already compromised.

In ten years will there even be a single US citizen whose private data is wholly uncompromised? Doubtful

This is the ultimate data slavery...unable to protect our identifying strings...and unable to repudiate them when they are compromised. My SSN is compromised and I am stuck with it for another fifty years...same as you. Enjoy your phone.

Another interesting iOS and Android comparison: all fully supported iOS devices on the latest OS -- back to the 2013 iPhone 5S -- are 64-bit. On the Android side, almost none are 64-bit. Everything besides ARM7 is a rounding error.

Anecdotally, vendor released Android 7 for my phone some time spring 2017 - not the worst case. Although, OTA update fails. The only path to upgrade my phone is manually flash OS image and lose all data. I'm still running 6 ¯\_(ツ)_/¯

With the sheer number of outdated devices still in use, one wonders what the real world rates of hacks look like.

I don't think that the two are linearly proportional at all unless individuals or groups are being specifically targeted.

I'd like to buy an Android e-reader. There are a few, but they're all on Android 4.x; is there a reason for that? I'm guessing it's licensing, not technical, but I'm not sure.

Updated my 5s a few days back. Touch ID stopped working and refuses to activate (error message). Spotlight no longer finds the Calculator app. App titles, like Messages, have become larger and hence take up more space. When I slide an app up to close it, the animation indicating a close triggers, but the app pops back up, so I have to do that gesture twice now to actually close apps. There's more, but I'm typing on my phone and that's horrible.

I think Google, Apple, Samsung et al. should be upfront on when they plan to end of life (EOL) their devices. Many devices nowadays are SaaS with an upfront cost. So divide the cost of the phone by how long it will be supported, then you'll get the monthly cost. Guys! We need a fully open source smartphone that can be community supported forever! Why isn't there one yet?

> I think Google, Apple, Samsung et.al should be upfront on when they plan to end of life (EOL) their devices.

iOS 11 (released in 2017) is compatible with these devices [1]:

- iPhone 5s (released on September 20, 2013)

- iPad mini 2 (released on November 12, 2013)

- iPod touch 6th generation (released on July 15, 2015)

Apple doesn't have to be upfront. Apple users know that the support lasts for years (iOS 10 was released in 2016 and oldest supported device was from 2012, iOS 9: 2015 and 2011, previous versions would usually support three-year old devices).

[1] https://www.apple.com/lae/ios/ios-11/

I have an old-ish Android tablet and have no idea how to update it. I tried and quickly gave up.

My problem is some independent first movers made great games for Android, then were forced off by slow-to-market game owners, who then produce junk "official versions" of the same games, all under the guise of security concerns. To get their way they used the law (UCC). Now we have to have constant update checks for copyright, trademark, look & feel, and anything else they can use for themselves (like Echo, Google Home, vs independent home automation) or (cloud vs X-drive) xor (academic library vs paywall library where every student pays for public domain information). RIP Aaron Swartz.

How are they not all zombies or hit by ransomware?

How is postmarketOS doing?

The problem is not only with security. OK, it's the first problem, but there are plenty of devices that can't do any job right now; even if I want to use that mobile for a DIY project like a camera, etc., most of the software is no longer compatible. I don't understand why we go so fast on new devices when the majority won't use that damn new API, and all these gadget UIs are so damn useless. Like Hearthstone: why didn't you optimize your game for fewer devices? Do you really need to do an animation if my device doesn't support it? Just don't display it!

I don't see how they're "outdated" if they still work and are being used. So to me, something that doesn't work / isn't or can't be used = outdated. There.

The most effective way to solve this is to write a set of exploits that work on most devices. Then brick all the phones that are vulnerable.

Surely not nice, but users suddenly got cured of their complete apathy towards mobile phones.

That's not a solution, that is an exploitation of the problem.

The problem is that there are security holes that cannot be patched in the first place. There is no technical reason for that to be the case, simply an arbitrary one: manufacturers do not allow users to unlock the bootloader on devices they sell.
