Do you upgrade when Android phone security updates stop?

NameTaken2

Security updates for our Samsung Galaxy S8's stopped May 2021.

The S8's have been great, and monthly $38 payment stopped 12/2019:) so have enjoyed that savings for nearly 2yrs.
Therefore, inclined to ride the S8's until they die. Both are on original batteries, so will see how long they last then decide if that drives replacing the phones or just the batteries.

Understand there's risk with no further security updates, but level of risk apparently depends on how the phones are used(?) We do standard talk/text/email, and internet for news/some Google searches. Don't use many apps, or add many apps, but do use banking app to deposit checks. Mostly used on home Wifi. Norton 360 installed on both phones.

Internet searches indicate that apparently many android phones are in use with suspended security updates. Realize this Q probably results in "YMMV" responses, but curious to hear any responses regarding level of risk we'd actually be taking by continuing to use the Galaxy S8's.

THX for your time!
 
No, I do not upgrade my Android phone when security updates stop being pushed out.

In your case, given how you use your phone, the fact you don't do anything financial on it, and most of your activity is on your home Wi-Fi I don't think you're in any real security danger.

I suppose someone could hack your email password but that's a potential problem on just about any device.

One thing about Early Retirement forum I've noticed is there are a lot of people that are paranoid they are going to get hacked. I guess I'd like to ask the group exactly what do you think is going to get hacked on your Android phone?

My advice would be to make backups of important stuff on your phone that you don't want to lose, like photos, or certain emails. Then, if something happens to your phone your important stuff is saved somewhere else and you can just walk away from your phone. Most Android phones back up photos automatically to the cloud if you have them set up to do so.

I would think your phone must be slowing down, is not as responsive and snappy as it was when it was new. Also your battery is probably fatigued and doesn't last as long as it used to. These are reasons that I would replace my phone, and not out of any worry I was going to get hacked because security updates are no longer available.
 
Regardless of security updates, I assume that my phone will be lost or stolen at some point -- hence vulnerable. So there is as little as possible on the phone that creates any risk for me. No banking or financial apps or information, no brokerage info. Not even the names or phone numbers of the banks and brokers. There is credit card information buried in there somewhere in order to buy apps; AFAIK that is my only point of possible compromise and the card protections apply. The contact list on my phone is strictly limited to a necessary few and it is cleaned periodically to remove names that I no longer need. My calendar is vulnerable in some sense, but really contains almost no critical information.

Vendor security is fine, but I don't count on it for much.
 
I wouldn't use a phone that is no longer getting security updates. Especially if you do banking. And for sure not if you do any sort of two factor authentication with it which most people do nowadays. That's not a future regret I want to deal with - I am happy to replace tech to try to stay ahead of the thievery when possible. Don't be the low hanging fruit is what I figure.
 
Thanks for your replies-

If our phones are less responsive, it hasn't been noticed. Battery life hasn't degraded appreciably either -almost never need a charge other than overnight. Very pleased with these Galaxy S8 phones -had them 45 mos. now, and interested to see how much longer they can keep going.

I don't worry much about our phones being lost/stolen -but if that does happen then unlocking them would require fingerprint or PIN.

My perception, based only on some related Google searches and now Qs Laptop's response is that continuing our current use without security updates doesn't present high probability of being hacked, and therefore a low risk decision.

Any alternative views?
 
Well, I personally love it when people ignore potential security issues. The whole low hanging fruit thing. :) It's like when I go travel or even go out to the store and see people with their purses open and phones sticking out of their back pockets. Thank you for making it less likely that a thief will focus on me! In all seriousness, that's probably the biggest concern here. If there are no security updates, and if a hacker does figure out how to exploit that, you'll be among the folks who get hacked. I used to work for a tech startup where we often saw a lot of the bad hacker/spammer/thieving types, and I made a decision back then to never risk anything like that. I just figure, why do that? Is it really worth keeping an old device around just so you can save a few bucks, when keeping it could literally cost you the headache of theft (monetary or identity or whatever). Just isn't worth it IMO.
 
Kerfuffle, thanks for your reply-

I appreciate that your past experience led to a high level of risk aversion against hackers. My internet searches appeared to indicate many phones are in use with suspended security updates(?) Is there data identifying the number of these phones getting hacked?

I understand risk is elevated when security updates stop. Based on how and where we use our phones and Norton 360 protection, it seems like we are low-risk to be hacked. Those with low risk aversion upgrade, but I'm interested in perspective to determine just how much added risk I'd actually avoid in our situation before spending nearly $2K on 2 new phones -and that's more than "a few bucks" to me.;)

Yes, this is about saving $ by keeping phones that still work great. If a strong argument/data is presented that makes it clear that even for us keeping phones with suspended security updates is high risk, then I'm open to upgrading.
 
My brother whose specialty is IT security, and who worked for a large brokerage, and now for a commercial bank, told me that many more hacker attacks are made on PCs than on smart phones.

Something about smartphones being harder to hack or less susceptible, I forgot.
 
Regardless of security updates, I assume that my phone will be lost or stolen at some point -- hence vulnerable. So there is as little as possible on the phone that creates any risk for me. No banking or financial apps ..
Vendor security is fine, but I don't count on it for much.

+1
 
I am in IT, and I would keep using that phone in your situation. I wouldn't call it low-hanging fruit, because it's not likely that it's suddenly vulnerable just because the OS is no longer being updated. And if an exploit is discovered, then that exploit isn't actually that attractive a target because there will be very few potential victims to be found. I believe most black hats would prefer to wait for an exploit in the most recent OS and try to take advantage of that ASAP, and/or try social engineering when there are no new exploits. Just don't install random apps or open spam emails and it should be fine for a while.
 
I have a tablet that's still working, but a bit slow, that can't get android updates. It never leaves my house and I don't do much on it, but I'm not worried (and both DH and I have infosec backgrounds).

I don't know that I'd feel the same about a phone that leaves my house. My google account knows all my passwords no matter what device I'm using. It is pin protected at least.

But we usually end up replacing our phones every few years with Google Fi, as there is often a BF/CM deal that makes it a no brainer. I think our last upgrade was something like "buy 2 phones now, get account credit almost equal to the price" so our phone bills were zero for 18 months, net net almost nothing. Crazy.
 
Thanks for all your responses -appears most are aligned with perspective that continuing to use our phones is an acceptable risk.

Interesting that I don't recall receiving a formal notification that security updates were stopping for our Galaxy S8's. Also, there's no caution/warning regarding expired security updates when logged into my account w/service provider. Only notes that our phones are "due for upgrade". If expired security updates result in high risk, would expect strongly worded communications from provider (that would also support their goal of selling new phones!;)).
 
Rather than having android phone hacked, I'd be more worried about losing it and not protecting the data (OTP codes, access to email, other apps) on the phone.
 
I have very few apps on my phone that pose a security risk to my personal information. Like others, I assume it might get lost or stolen at some point, so I keep as little personal info on it as possible. I use my phone until the few apps I use say they will no longer be supported on that level of Android. Earlier this year I finally had to say goodbye to my Galaxy S5 and upgraded to a phone that ran the current Android version.
 
Nope, still happy with my S7, it works great. Will upgrade it ONLY when the battery dies.
 
…how much added risk I'd actually avoid in our situation before spending nearly $2K on 2 new phones -and that's more than "a few bucks" to me.;)

Yes, this is about saving $ by keeping phones that still work great….

I don’t have a particularly informed opinion on the additional risk (though I always upgrade before my phone stops getting security updates), I just want to suggest that 2 new flagship phones isn’t your only option. If you’re happy with the performance of a 3 year old phone then the flagship might be wasted on you anyway. Instead, even at list price, 2 Pixel 5As (for example) would be half that and still give you a performance/feature update along with a few years of Android and security updates.
 
My last phone I kept for about 6 years and only replaced it because I ran out of GB storage. My new Samsung which I bought on a year end sale last year for $50 has 32GB and I'm only using 21 so I expect this phone to last until the battery stops charging which should be several years. Security upgrades have no impact on when I get a new phone.
 
I don’t have a particularly informed opinion on the additional risk (though I always upgrade before my phone stops getting security updates), I just want to suggest that 2 new flagship phones isn’t your only option. If you’re happy with the performance of a 3 year old phone then the flagship might be wasted on you anyway. Instead, even at list price, 2 Pixel 5As (for example) would be half that and still give you a performance/feature update along with a few years of Android and security updates.


Very impressed with our Galaxy S8's -and Samsung provides 4yrs of security updates vs Google's 3yrs. Inclined to stay with the mfr of our Proven Winners, and assume value from extra year of security and projected longer lifespan can negate the Pixel 5a's lower price.


If a great deal becomes available for the Samsung S20, I'd consider upgrading. Will be monitoring provider's prices with Black Friday approaching, and the S21 being due for release Feb. 2021 (and maybe there will be S21 deals.)
 
I'm in the process of upgrading to a new android phone now. Not my choice but because 3G soon no longer supported by carrier.

If I had my way, I'd stick to my old phone as it was "good enough" and I had things configured properly. The new phone is on Android 10 as the OS and now my notifications are messed up.

I think Android 10 is overly zealous about saving battery life so puts apps to sleep even though there should be settings to not put to sleep. I was using Signal as my default message app, but now I don't get notified properly. Same with Facebook. My old phone I had Facebook notifications pretty much transparent with my computer. Not any more.
 
I'll ask again. Assuming there is no financial information on your phone--no bank account numbers, no PIN's, no brokerage info, etc. exactly what are people afraid is going to get hacked on your phone?
 
I'll ask again. Assuming there is no financial information on your phone--no bank account numbers, no PIN's, no brokerage info, etc. exactly what are people afraid is going to get hacked on your phone?

If you have none of those things and NO apps that can access those things, I'd agree it's super low risk. If you don't use your phone for two-factor authentication or have authenticator apps installed, probably also super low risk.

The OP mentioned they use their phones for banking. To me, that would mean, nope, I'm using a phone that gets security updates. But I think everything in life boils down to risk tolerance levels, and it's clear that most folks have a much higher tolerance for risk than I do.

I do have to say that I don't think many people tend to take the idea of digital security seriously. So if you are a person who isn't careful with all of your digital information, it probably doesn't add greatly to the risk if you use an outdated phone. Things like password management and secure data management would seem a higher priority if you're just getting started with securing your digital existence. Or, just keep throwing caution to the wind, there's always a chance that it won't come back to bite you. All about risk tolerance.
 
My android phone is four years old. I recall that I updated it when I first got it. Not one update since....but I do not use it for data.

I would never consider keeping financial data of any kind on my phone.
 
My android phone is four years old. I recall that I updated it when I first got it. Not one update since....but I do not use it for data.

I would never consider keeping financial data of any kind on my phone.
Ours are also four years old, but they were new old-stock. Initial release of this phone was seven years ago. It is not capable of upgrading past Android 6, making it susceptible to BlueBorne.

DW only uses her phone for text messaging and calls. I do the same plus an occasional map lookup or Internet search while out and about. The camera gets used occasionally (no selfies - no one else wants to see those!). No email or financial accounts are ever accessed by our phones.
 
Ours are also four years old, but they were new old-stock. Initial release of this phone was seven years ago. It is not capable of upgrading past Android 6, making it susceptible to BlueBorne.

DW only uses her phone for text messaging and calls. I do the same plus an occasional map lookup or Internet search while out and about. The camera gets used occasionally (no selfies - no one else wants to see those!). No email or financial accounts are ever accessed by our phones.

Me being devil's advocate, so when you travel do you bring other devices (tablet, laptop) to perform a function like email or need to access financial information?

I think there's a balance between convenience vs security. I want email on my phone. As, if I'm traveling, I may need to go to email. Or connect to others via social media. Otherwise, if my phone is off limits, I'd have to bring along another device like a tablet or laptop to perform functions I can do on a phone.
 
Me being devil's advocate, so when you travel do you bring other devices (tablet, laptop) to perform a function like email or need to access financial information? ...
In our case, we both carry Android tablets and Android phones when we travel, but our home computers stay home. In my case I have a Surface Pro and I usually lock it in my gun safe when I leave town. We use the tablets for email and reading e-books, plus for access to travel information via Evernote. It's not totally bulletproof because some of that info is passport images and credit card numbers with provider phone numbers, but carrying that needed stuff as physical paper is IMO riskier.

Rules for the tablets are the same as for the phones. No financial or other critical information or activity is allowed. I guess if you're a trader there might be some reason to risk accessing financial information when traveling, but we are not traders so that is not a concern.
 
