Ask HN: Options for Android phone no longer getting security updates?
40 points by warner25 on Oct 13, 2022 | 33 comments
What can / should I do with an (otherwise perfectly good) Android phone that no longer receives security updates?

Yesterday’s epic thread about blue and green bubbles, which of course branched off into a comparison of iPhones and Androids, made me think about my own phone more than usual. It’s a Moto G Power (2020) running Android 11 that received its last security update in April.

I’m embarrassed to say that I didn’t realize this, or realize that this is Motorola’s policy (one version upgrade and two years of security updates) until yesterday. I admit that this has given me a new perspective on paying $500 for an iPhone SE that might receive updates for 5+ years vs. $200 for a budget Android phone that might get less than 2 years of support from my date of purchase.

Anyway, I’m otherwise perfectly content with the phone. I bought a budget phone in the first place because I’m not a heavy phone user, which makes the thought of buying a new phone that much more painful. My options seem to be:

1. Stick my head in the sand and don’t worry about the lack of security updates for another couple of years. I’m obviously in good company with millions (billions?) of other Android phone owners, but how foolish would this be?

2. Replace it now with a new phone.

3. Maybe go down the rabbit hole of LineageOS or other custom ROMs? Is this viable for a daily driver that I don’t use much but needs to work when I need it? How mature are these compared to, say, the major desktop Linux distros?



LineageOS in general is very mature, I used it as a daily driver for years. Though it will partially depend on model; there's an upstream that all the different builds share, but individual builds have to be made for individual devices and support was entirely community-based last I checked. So depending on the popularity of your phone, you e.g. might only get nightlies and not stables.

Assuming this is your phone, looks like you might have to use nightlies: https://wiki.lineageos.org/devices/ocean/

Still, I've used nightlies for significant stretches of time without any major issues. You'll probably see a significant speed boost too vs the OEM software.

You will need to follow a guide and do a little tinkering to set up the OS, but I think this is a viable path forward for you.


From my experience (which isn't worth much but I have had similar thoughts about this) I went with a used iPhone 8 last year for around $180 because I thought it was going to get iOS 16, which it did. It's good until September next year (when the next iOS probably comes out) and at that point I will probably get a newer iPhone albeit probably a used one to save money.

On custom ROMs, a security researcher named 'madaidan' states that ROMs such as Lineage are insecure (https://madaidans-insecurities.github.io/security-privacy-ad...) with GrapheneOS being an exception.

On the GrapheneOS website, it recommends getting a Pixel 6 and above which has 5 years of guaranteed full security updates (https://grapheneos.org/faq#recommended-devices).

Louis Rossmann recently released a video talking about GrapheneOS as his daily driver and breaks down some usability misconceptions. (https://www.youtube.com/watch?v=yIZmUINSvQ4)


GrapheneOS is OK.

The keyboard kind of sucks.

Assuming you are unwilling to use Google location services, GPS is flaky. As a consequence, camera image location tagging is flaky. Most apps that use map views are broken. (Third-party map apps like Here WeGo and Organic Maps are generally fine, oddly enough.)

Backup is non-existent. (There is a thing. It does not work.)

Unless you want to sync documents through google or some other untrustworthy third party, there aren't any competitive "keep a text document synced between N devices" programs. (Standard Notes is the closest on this front.)

Phone calls and notifications work. Google Camera can be coerced into working (but geotags are iffy).

Google services that normally support anonymous users (especially Meet) aggressively detect Android and refuse to work if you are not logged in.

Battery life is OK (as advertised) if you install google services in a sandbox. Stellar without them.

The pixel wireless fast charger has settings that cannot be changed through graphene. The charger setting app requires kernel level permissions for some reason.

Bluetooth support is the best I've seen.

No kernel panics, or strange battery drains, in my experience.

Always on VPN seems to work.

Performance is good.

My next phone will not be an android.

The tire fire caused by not allowing google location services is the main reason. App ecosystem is number two. Lack of working backup is three. The system keyboard is number four. The over processed aesthetic of the camera is number 5 (this last one comes down to taste).

Edit: I shouldn't have said app ecosystem. I meant the lack of non-privacy-invading apps that provide functionality that should be built in: Open PDF/docx/etc, scan + OCR to PDF from camera, print without granting randos permission to send documents to third parties, note sync, photo search, health data, etc...

Hope this helps!


One can, of course, install a different keyboard. Including gboard (disabling network access, if desired) or an open source one like FlorisBoard.

You can also change to use Google's geolocation if you like, cf. https://grapheneos.org/usage


GrapheneOS supports running Google Play as regular fully sandboxed apps without any special privileges and without the OS using them as the backend for anything. It has near 100% Play Store app compatibility when using sandboxed Google Play. You can run GSF, Play services and the Play Store as regular apps. All of the improvements to the sandbox and permission model in GrapheneOS apply to them. We reroute Google Play location service requests to our own OS implementation by default to avoid needing to grant Location access to Google Play services to use it in apps using Play services but it's possible to use the Google Play network location implementation if you choose. We'll offer an entirely local pseudo-network location service as part of the OS location service in the future via publicly available cell tower / Wi-Fi databases (a decent Wi-Fi database isn't available yet).

https://grapheneos.org/usage#sandboxed-google-play

There's also a per-app exploit protection compatibility mode toggle for apps with memory corruption bugs uncovered by `hardened_malloc` or which have compatibility issues with the larger address space (48-bit as opposed to 39-bit).

Due to the advances in the sandboxed Google Play compatibility layer over the past year and the exploit protection compatibility mode, only a few apps aren't working. Most of those apps are choosing to disallow using a non-Google-certified OS via the Play Integrity API. SafetyNet attestation API was the previous legacy approach.

GrapheneOS has a system backup service and it does mostly work. It doesn't have great UX, and has a lot of issues, which is why we plan to replace it. It was originally developed for GrapheneOS but was taken over by a hostile group and we're going to make our own instead. Until then, we still have the existing one.

Many Android apps still disallow backups from backing up their data but this problem was solved for apps targeting Android 12 and above which is about to become mandatory for the Play Store for both new apps and app updates. That issue will be resolved by the end of the year. It was caused by a poorly designed Android manifest configuration option for disabling backups. Most apps just wanted to disable cloud backups for bandwidth, size or privacy reasons. It now means disable cloud backups for apps targeting Android 12 and above. It's still possible to exclude files from backups but it requires a new Android 12+ API with separate lists for local backups, E2EE cloud backups and non-E2EE cloud backups. This issue isn't in any way GrapheneOS specific. It applies just as much to Google's device-to-device backup/restore system shown as part of the initial setup wizard and their cloud backups. It just takes time for the new API level to become mandatory: a bit over a year after the new OS release.
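The manifest switch and the Android 12+ rules file that the comment above describes, written out as an added example; this is not code from the commenter, from GrapheneOS, or from any real app. The app package com.example.notes, the file names notes.db and auth_session.xml, and the resource file names are assumptions. The element and attribute names (allowBackup, fullBackupContent, dataExtractionRules, data-extraction-rules, cloud-backup, device-transfer, disableIfNoEncryptionCapabilities) are the documented Android ones; the three cases the comment lists map onto the cloud-backup section, its disableIfNoEncryptionCapabilities attribute, and the device-transfer section.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- AndroidManifest.xml (added example; hypothetical app com.example.notes).
     allowBackup is the blunt pre-Android-12 switch the comment describes:
     setting it to "false" turns off device-to-device transfer as well as
     cloud backup, so keep it "true" and express the real intent in the rules
     files below. Android 11 and lower read fullBackupContent; Android 12+
     (API 31) read dataExtractionRules and ignore fullBackupContent. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <application
        android:label="Notes"
        android:allowBackup="true"
        android:fullBackupContent="@xml/backup_rules"
        android:dataExtractionRules="@xml/data_extraction_rules" />
</manifest>

<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/backup_rules.xml: the legacy (Android 11 and lower) form.
     One include/exclude list for every transport, so the only way to keep
     a secret out of a non-encrypted cloud backup was to exclude it from
     local transfer as well, or to flip allowBackup to "false". -->
<full-backup-content>
    <include domain="database" path="notes.db" />
    <exclude domain="sharedpref" path="auth_session.xml" />
</full-backup-content>

<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/data_extraction_rules.xml: the Android 12+ API with a separate
     include/exclude list per transport. Valid domains are file, database,
     sharedpref, external and root. -->
<data-extraction-rules>
    <!-- Cloud backup. With disableIfNoEncryptionCapabilities="true" this whole
         section is skipped when the backup transport cannot do end-to-end
         encryption, which is how an app allows E2EE cloud backups while
         refusing non-E2EE ones without touching allowBackup. -->
    <cloud-backup disableIfNoEncryptionCapabilities="true">
        <include domain="database" path="notes.db" />
        <!-- a session token must never be restored onto another install -->
        <exclude domain="sharedpref" path="auth_session.xml" />
    </cloud-backup>
    <!-- Local device-to-device transfer (the setup-wizard migration). Listed
         separately, so it keeps working even though the cloud side is
         restricted to encrypted transports. -->
    <device-transfer>
        <include domain="database" path="notes.db" />
        <exclude domain="sharedpref" path="auth_session.xml" />
    </device-transfer>
</data-extraction-rules>
```

The three blocks are three separate files shown in one place; each would live at the path named in its leading comment. Ship both rules files: an app that targets API 31 but still runs on older devices is read through fullBackupContent there and through dataExtractionRules on Android 12+, so the two should express the same exclusions.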


Madaidan claims LineageOS is insecure but fails to compare an outdated and unsupported phone with a supported LineageOS install. Take heed.


https://wiki.lineageos.org/devices/ocean/

A Moto G7 Power like above? Motorola devices can be bootloader unlocked I think.

We have a couple Moto G7 Plus devices and use microG, I use VPN and have a firewall app. Works great. Even notifications can work with apps you choose.

I have been a LineageOS user for a while. There's no guarantee a particular device will always be maintained, but if it is, it's not that hard to install. The instructions are pretty clear. I've used it on an old Samsung 3, an Honor 5x, Samsung S5, and now Moto G7.


Unfortunately, I don't believe your device is supported by GrapheneOS: https://grapheneos.org/faq#supported-devices

Install LineageOS on it, if it's supported?

https://wiki.lineageos.org/devices/#motorola

But read this about LineageOS, et al to understand the risks: https://madaidans-insecurities.github.io/android.html


:( That page makes me wonder if LineageOS is even worse than my out-of-date Android system.


From the last article:

>The default updater even allows you to downgrade versions yourself.

I think this has changed as I do not see this anymore in my own install. I've read this article in the past and the date is updated but the content may not be?


If you prefer Android devices, always seek out phones whose bootloader can be unlocked so that you can install another OS on it. This way, you can be assured of Android forks / ports being available for the phone even if the manufacturer stops releasing updates. I highly recommend Sony Open Devices - https://static.developer.sony.com/develop/open-devices/get-s... ... Or check out the list of supported devices that can run LineageOS (a popular fork of Android) - https://wiki.lineageos.org/devices/


Unfortunately, the Sony Open devices seem to be hard to get (at least in Oz). I use LineageOS but there it's only available for a limited set of devices :(


Xiaomi are pretty good, many of their mid range models are pretty cheap and they do have manufacturer supported unlocking (I have 2, Poco X3 pro and the Poco f3, because the f4 is trash)

Both are well supported by lineage and co (I don't use lineage because they refuse to include signature spoofing so microg doesn't work properly) but otherwise fine.


My bank-app decided not to work on android 6 and below.

So the answer is #1, don't worry about it; somebody else does the worrying for you.


No one's going option 1? Are there any stories of people getting pwned because of old android vulnerabilities?


You can buy a Pixel 6a and it will get security updates until 2027: https://support.google.com/pixelphone/answer/4457705?hl=en#z...

It costs quite a bit less than an iPhone ($349 as of this writing).


That's a pretty lousy policy from Moto, even more so considering it has a decent Qualcomm SoC in it.

Android 9 got its last regular security update in January of 2022. If Google's pattern continues, Android 11 itself should continue to get regular security updates until Q1 2024.

What a waste.


The problem with custom ROMs is that a lot of banking apps try to detect if the phone's bootloader is unlocked or it's rooted, and these apps then refuse to work. There are workarounds but they're not bulletproof.


Pixels have relockable bootloaders, so banking apps can run on CalyxOS (and, maybe, GrapheneOS)


This is just not true. I've been using my banking apps successfully since last year across 3 rooted cheap phones with 4 distinct custom LineageOS ROMs with just some Magisk modules.


Keep it, but don't do anything important on it. Don't read your email. Don't read your social media, if you care about your account being taken over. Don't access your bank on it. Use it for phone calls and texting only, and that if you don't care about somebody else reading your texts.

And for me, that's good enough. I don't actually care about someone reading my texts. I simply don't access the internet on my phone. (Cataracts made it hard to focus close enough to read a screen that small. Yes, you can enlarge the text, but then I'd be scrolling my fingers off.) My personal life isn't tabloid material. I don't have any stalkers. (So far as I know - if I do, hi!) So someone could read my contacts, read my texts, and see pictures of my granddaughter and my cat. Under these conditions, I see no reason why I should care very much about the security of my phone.

Am I missing something in my threat model?


On this line of thinking, one of my concerns is that SMS (to my Google Voice number, which is the app I exclusively use for phone calls and SMS) is the method that many services use for two-step verification, even if my other texts aren't sensitive.


Good point. Still... let's say I'm logging on to a website that uses 2FA. They send me an SMS with a one-time code in it. An attacker reads that code. The attacker then has to hijack my browser session on a different device (since I'm not using internet on my phone). For them to do that, they already own my laptop (or maybe my wireless router or my DSL modem), and have been able to correlate them with my phone. That's possible, but at that point I'm pretty much in trouble anyway.


Airgap it, remove all apps, install Navit [1] and mount the phone on your bicycle to turn it into a sleek, hackable, premium(-ish) offline GPS.

[1]: https://www.navit-project.org/


/me sings: I'm riding in the rain, la la laaa. All the powers of my smartie are washed away, by the showers from above. Hey! Laa la la.


I've used LineageOS to revive a Samsung Galaxy S4 and a Note 3, they work pretty well. The installation is easy. That said, you might encounter bugs on your particular device which may or may not be a big deal for you.

I have had some issues with GPS accuracy and Bluetooth connections from the S4 to a certain device occasionally dropping out, but I haven't done careful before/after tests, so these may be hardware problems. I would recommend giving LineageOS a try, at least before replacing the phone, if that's the path you want to take.


For a similar moto one I saw two problems trying to use microg/lineageos:

1. Bluetooth headset audio had some kind of bug. Something like this is a deal breaker or something you would never notice depending on what you do on the phone I suppose.

2. There's no sign of a key partition to support orange(?) booting. I just see N/A for the keys of whatever OS I might have booted.


Airgap it or install Lineage or one of the other open source replacements, it's not usually hard, but I don't know anything about your particular phone. On Pixels you can literally just go to a webpage and start the rooting and install from there.


Keep it, to play around with LineageOS, but get an inexpensive iPhone.

#u€k these handset manufacturers like Moto whose lack of mainline support feeds our trash heaps - they know exactly what they're doing.


2, and get an iPhone so you don't have this problem again in 2024. I even got security updates on my Windows Phone years after Microsoft abandoned the entire platform; Android is mostly just a joke we all tell ourselves isn't one.


A related question: How secure is an Android phone that does receive security updates from its vendor? I vaguely recall hearing that it can take months before a security patch makes it from mainline Android to consumer devices.


Yes, this and several other comments have made me realize it's easy but probably wrong to think in black-and-white that: "getting updates => secure; no more updates => insecure." I guess there are no obvious relationships between "up-to-date" Android (for the reason you gave), "old" Android, up-to-date LineageOS, and the acceptable level of security for a common user.


> 2. Replace it now with a new phone.

Buy an iPhone. You do not need this fuss in your life.
