How much to care about ongoing security updates (phone)

Move along, nothing to see here!
Anesau
Posts: 54
Joined: Sun Jan 29, 2023 4:27 pm
Location: Hurricane Alley, USA

How much to care about ongoing security updates (phone)

Post by Anesau »

[the other thread about Androids brought this to mind]

Hoping for a sober opinion from people who are also generally opposed to throwing away perfectly good electronics.

My smartphone is just about 6 years old now. It has a couple of quirks, but it's still fully functional. I could see myself keeping this phone for ~4 more years.

However, it also no longer gets security updates, because the support for it has expired. I never particularly cared, but based on people in the other Android thread talking about firmware & security, maybe I should be more worried.

Does anyone that knows more than me about security at the end of a phone's lifetime have thoughts? And/or would people here consider getting rid of a perfectly serviceable phone only on account of no longer receiving security updates?

I know there are also a couple of alt OSes I could switch to if I went through the effort of rooting my phone, but that feels more dangerous than just leaving its current OS untouched.

Chris
Posts: 774
Joined: Thu Jul 22, 2010 2:44 pm

Re: How much to care about ongoing security updates (phone)

Post by Chris »

It's frustrating that you can run an up-to-date OS on a 20-year-old desktop, but you're SoL when it comes to a 3-year-old phone, isn't it?

So if you want to hang on to your phone, then the thing to do is to minimize security risk. That breaks down to two areas: minimize risk and minimize intrusion.

Minimizing risk mostly entails keeping a reduced set of apps installed. If your phone did get hacked (or physically stolen), what would you lose? You'll probably want to keep maps and a web browser, but do you really need banking and stock trading? If you have multiple email accounts, don't add them all to the phone. And if you're really paranoid, you might consider keeping your MFA app on a separate, disconnected device.

Minimizing intrusion is all about reducing the attack surface. Intrusion tends to happen three ways: 1) installation of malicious apps, 2) wireless attacks, 3) web browser exploits.

The first is relatively easy to mitigate: be careful what you install. Less obviously: be careful what you update. An app can be sold from the original author to a nefarious third party. Think about it: what better way to install some malicious code than to just buy an app with an installed base of a million users? Install only apps you use, from known publishers or that are open source. Consider the permissions that an app requires when installing it. If the app is just an appified version of web functionality, skip it and use the web.

For wireless attacks, shut off wireless functionality when not using it. If wifi calling works with your carrier, disable LTE at home when you're on wifi. Away from home? Disable wifi. Enable Bluetooth only when actively paired. Use wired earbuds. NFC only needs to be enabled when making a payment. And of course only connect to trusted wifi hotspots.

For browser exploits, the risk might be lower than you'd initially think. While it's true that Android OS updates cease after a few years from product launch, many components of the phone continue to be updated for years. This includes browsers and Android System WebView. If you keep track of updates, you'll notice that WebView gets updated a lot. You're more at risk from being hit with a CVE affecting Chrome than one affecting the Android OS itself, so keep on top of those updates. I'd expect such updates to continue being available for quite a while... Chrome stopped publishing updates in 2021 for Android v5.0, which was released in 2014.
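The checks Chris describes (how stale the OS patch level is, and which installed apps hold more permissions than they need) can be done from a laptop with adb instead of by guesswork. The script below is an added example and is not part of this thread or of any Android tool; it parses the text that the standard `getprop` and `dumpsys package packages` commands print. The two sample outputs, the `DANGEROUS` permission list, the package names and the `TODAY` date are constructed for illustration, so the script runs offline; `collect_from_device` shows how the same text would be pulled from a real phone and assumes `adb` is on your PATH.

```python
"""Audit an Android phone's patch age and the permissions its apps hold.

Added example (not from the forum thread). Everything below the imports
that looks like device output is constructed in the shape adb prints it.
"""
import re
import shutil
import subprocess
from datetime import date

# Constructed date used for the offline sample run.
TODAY = date(2023, 1, 29)

# Small, hypothetical subset of Android's runtime ("dangerous") permissions.
# The real list is longer; extend it to taste.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
}

# Constructed sample of `adb shell getprop` output.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2020-11-05]
[ro.product.model]: [ExamplePhone]
"""

# Constructed sample of `adb shell dumpsys package packages` output (trimmed).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    versionName=3.2
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    versionName=1.0
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict."""
    return dict(re.findall(r"\[([^\]]+)\]: \[([^\]]*)\]", text))


def patch_age_days(props, today):
    """Days between the reported security patch level and `today`."""
    y, m, d = map(int, props["ro.build.version.security_patch"].split("-"))
    return (today - date(y, m, d)).days


def granted_dangerous(dumpsys_text):
    """Map package name -> sorted granted permissions from DANGEROUS."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = re.match(r"\s*Package \[([^\]]+)\]", line)
        if pkg:
            current = pkg.group(1)
            result[current] = []
            continue
        perm = re.match(r"\s*([\w.]+): granted=(true|false)", line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in DANGEROUS:
            result[current].append(perm.group(1))
    return {k: sorted(v) for k, v in result.items() if v}


def assess(props, dumpsys_text, today, max_age_days=180):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    age = patch_age_days(props, today)
    if age > max_age_days:
        findings.append(f"security patch level is {age} days old")
    for pkg, perms in granted_dangerous(dumpsys_text).items():
        findings.append(f"{pkg} holds {', '.join(perms)}")
    return findings


def run_sample():
    """Offline run over the constructed samples."""
    return assess(parse_getprop(SAMPLE_GETPROP), SAMPLE_DUMPSYS, TODAY)


def collect_from_device():
    """Pull the same two outputs from a connected phone; needs adb on PATH."""
    if shutil.which("adb") is None:
        return None
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return sh("getprop"), sh("dumpsys", "package", "packages")


if __name__ == "__main__":
    live = collect_from_device()
    if live:
        props_text, dump_text = live
        findings = assess(parse_getprop(props_text), dump_text, date.today())
    else:
        findings = run_sample()
    for f in findings or ["nothing flagged"]:
        print("-", f)
```

On the constructed sample this flags a patch level that is 815 days old and a flashlight app holding contacts and fine-location permissions, which is exactly the kind of app Chris suggests removing or replacing with its web version. With a real phone attached it reads the live values instead; the 180-day threshold is an arbitrary starting point, not an Android rule.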

Stahlmann
Posts: 1121
Joined: Fri Sep 02, 2016 6:05 pm

Re: How much to care about ongoing security updates (phone)

Post by Stahlmann »

Mr Derailer strikes again...
...It's frustrating that you can run an up-to-date OS on a 20-year old desktop...
Are you sure about that? The best I found is Puppy Linux, if we're speaking about the ability to run a 10-year-old PC.
I aim mainly for browsing the web (which is rather resource-consuming).

Chris
Posts: 774
Joined: Thu Jul 22, 2010 2:44 pm

Re: How much to care about ongoing security updates (phone)

Post by Chris »

Believe it or not, AMD's first x86-64 chip was released 20 years ago. So yes, a modern (64-bit Linux) OS can still run on that. Will it be pleasant? Probably not. But it'll be more secure than a 5-year-old Android phone!
