> there are millions of devices that will never be updated
Luckily, almost all (if not just all) these millions of devices which will never be updated never ever received the vulnerable version in the first place. The bug was only introduced in 5.8 and, due to how hardware vendors work, phones are still stuck in 4.19 ages (or better, 5.4, but no 5.10 besides Pixel 6).
The rate of CVEs on Android, combined with the sheer number of manufacturers who are slow about updates or just never deliver any, means that unpatched devices are nothing like the rarity that this statement suggests.
Given this internet-connected device stopped receiving security updates in 2020, this seems like a poor decision. Security updates for the 5A are expected to stop next year.
Please buy a device that receives security updates.
> Updates are really important in terms of security.
We're talking about phone apps. 99% of the time this just isn't the case and the remaining 1% is for issues so widely broadcast you would absolutely know.
> which won't be available if the device has widely known vulnerabilities
Probably won't be available full stop. Very few devices ever get manufacturer updates - they're all focussed on just making a new version of the device.
If it's still in warranty, sometimes they'll take it back for a refund.
> Hence why Android phones are often trapped on old versions of Android when launched or shortly thereafter
The reason why most Android phones don't get upgrades (or only one) to newer Android versions has absolutely nothing to do with Qualcomm's lack of care regarding their CPU's security.
> Just because phones run an old Android version, doesn't mean no patches get backported.
It’s a bit of a separate problem but I’ve seen an awful lot of ignored software update notifications on the phones of relatives over the Christmas break. Is there data on the install rate of security hotfixes?
> Finally it stops, with January’s update. It is no longer January. I’m stuck at Android 8.0 January 2019 Security Patch. I manually check for updates again, and again, but my phone insists it is up to date. I do not like Android. Android is a liar.
No, it's up to date. I have the same phone - Jan security patch is the latest.
> Hardware devices should receive security updates until they start physically failing.
That's just entirely unreasonable. I recently dug my original iPhone (now 13 years old) out of a box and it still works fine, but, you can't expect Apple or Android to support 13-year-old devices.
>>> The phone's kernel, in addition to being more important attack surface than the Linux kernel (because of the jailbreak market, among other things), is auto-updated.
Most Android phones are not updatable at all since manufacturers don't publish any update.
That, alone, should be enough to put phones among the most vulnerable devices on the planet.
> Google now has its own phone—Pixel—that gets security updates quickly and regularly.
The Nexus 5 line used to have this until Google decided after three years to stop supporting it despite the hardware continuing to last well beyond that.