back to article Exposed: Lazy Android mobe makers couldn't care less about security

Let's nail this once and for all: too many Android smartphone makers simply aren't rolling out Google's security bug fixes for the mobile operating system. Germany-based Security Research Labs (SRL) today said that even top vendors – such as HTC, Huawei, and Motorola – leave punters vulnerable by not patching devices for known …

  1. Yet Another Anonymous coward Silver badge

    Not just Google

    My 3year old Moto G hasn't received any updates for 3days - damn lazy lineageos developers

    1. Anonymous Coward
      Anonymous Coward

      The issue if Google. No one else.

      Google dumps on each handset manufacturer the responsibility of patching the OS for their handset. This is the equivalent of Microsoft creating a system were each PC maker is able to "customize" the Windows on the PC's they make to such an extent that all patching is on the PC vendor.

      Bull shit.

      Google should do what Microsoft did and standardize the OS, leaving hardware makers responsible for the phone equivalent of the BIOS. If the manufacturers want to load their customized crapware on top of Android, fine. But it should be ON TOP.

      The Android ecosystem architecture as Google created and promotes it is fundamentally flawed and no amount of finger pointing nor lipstick will change that.

      1. John Smith 19 Gold badge
        Big Brother

        Google should do what Microsoft did and standardize the OS

        Very neat.

        See how willingly people can be persuaded to lock the manacles on their wrists.

        I'm not surprised this is posted AC.

        In truth you now have a PC in your pocket.

        Treat it like one. That suggests you need a subscription model for the updates.

        Now if one of the phone mfg were to do a tie up with one of the major Linux distros......

        1. Anonymous Coward
          Anonymous Coward

          Re: Google should do what Microsoft did and standardize the OS

          John, did the whole point go whooshing over your head?

          MS design (for it's faults) is completely vendor agnostic. It make no difference if you run a HP, Dell or Dave WhiteBox PC's. They all get update.

          This was exactly the same with WinPhone (RIP).

          Android design was flawed from day 1. It relied on the vendor to roll out patches, which, when they are making almost no profit of the handsets (especially low end) it is hardly a winning formula.

          They have started to correct this, but how well it goes is another matter.

          "Now if one of the phone mfg were to do a tie up with one of the major Linux distros......"

          You mean something like Unbuntu phone? I guess you blinked and missed that disaster.

      2. Sssss

        Re: The issue if Google. No one else.

        You do realise that it is supposed to be opensource and customisable? So, the manufacturer becomes responsible, and Google can only do so much before they could land up compromising a custom installation, even compromise security.

        So, yes, a better way would be optimal. Such as isolating security. Manufacturers use either Google's or others, security code, and the provider of the code provide updates to it. Outside security, the manufacturers customise. It allows common open security initiatives to exist besides android initiatives.

    2. Captain Scarlet Silver badge

      Re: Not just Google

      Moto G3 user here, Motorola stated it would stop providing updates for the G3 (Damn I can't find the bleeding link but I havent had any updates since last year). My phone well over 2 years old and I got it on the cheap just before it stopped being sold (Also not locked to any provider as meh to that).

  2. Anonymous Coward
    IT Angle

    Mobiles, Automobiles, Killer Robots

    This is and always will be a the norm. The commercial reality of Technology.

    We can always expect updates that trash 45,000 PC's and 4500 servers [Merrick] in one company or lack there of that allows anyone with enough incentive to trash you at will or spread mayhem. [Wifi, Bluetooth & Mobiles]

    Little national or world wide mayhem has ensued thus-far,

    My system and devices are more betrayed and trashed by the O/S and it's manufacturers that other actors

    1. werdsmith Silver badge

      Re: Mobiles, Automobiles, Killer Robots

      The market needs a credible alternative to iOS and Android. Google will use its strength to strangle any newcomer at birth condemning the world to mediocrity. One of the many reasons I won't touch their shitty mobile OS.

      1. Anonymous Coward
        Anonymous Coward

        Re: Mobiles, Automobiles, Killer Robots

        "The market needs a credible alternative to iOS and Android"

        But the market as a whole doesn't want an alternative. Ignoring Lineages and AOSP forks, there's been multiple flavours of Nokia OS, Tizen, Sailfish, Ubuntu, Firefox, Blackberry, Windows, and others offered, and nobody has yet managed to make sufficient sales to economically drive their chosen business model.

        There's plenty of people like you, like me that don't want to pay the Apple tax, but don't like Google's slurping. But too few have put their hand in their pocket and been willing to support an early stage, half baked OS. Looking back, both iOS and early Android were very crude by today's expectations, but people bought them anyway. That no longer seems to apply. And later versions of Windows phone OS were fully featured and mature, but still nobody wanted to step out of line and buy it.

        Who will do it and how this duopoly will be broken I can't say. But I can say the market has been offered a whole lot of choice, but turned its nose up at those choices.

        1. werdsmith Silver badge

          Re: Mobiles, Automobiles, Killer Robots

          both iOS and early Android were very crude by today's expectations, but people bought them anyway. That no longer seems to apply.

          In the case of Android it most certainly does apply!

      2. Anonymous Coward
        Anonymous Coward

        Re: Mobiles, Automobiles, Killer Robots

        "The market needs a credible alternative to iOS and Android"

        There was one, Windows, but people ignored it and derided it due to "lack of apps"

        How about Ubuntu phone remember that? No?

        What about Firefox Phone?

        People need to have 10,000 "torch" apps and 50,000 "HD sexy wallpaper" apps AKA data harvesting, ad pushing malware, otherwise there is no point having it, after all quantity, not quality counts.

        1. onefang

          Re: Mobiles, Automobiles, Killer Robots

          'People need to have 10,000 "torch" apps and 50,000 "HD sexy wallpaper" apps AKA data harvesting, ad pushing malware, otherwise there is no point having it, after all quantity, not quality counts.'

          I'm sure you could rig up a travesty generator to create thousands of torch apps, sexy wallpaper apps, and fart apps, to kick start the app ecosystem of a new phone OS.

        2. leexgx

          Re: Mobiles, Automobiles, Killer Robots

          this silly thing is is Finding a app that does not need 10 unrelated permissions (should only need camera permission to use the flash) some of them are so high the clean ones cannot be found unless you search for "Torch no ads"

          google needs to really re work on how it approves apps , its all well and good having 200k apps when 199,000 of them are full of crap or just a app that is just a bowser placeholder with ads to whatever your accessing) google should just remove and force them into review status all apps

          apart from key apps that are well known and trusted ones (and the ones that are well vastery installed should go for code review to make sure they are not abusing permissions like needing a and adverts or screen overlay ads

  3. alain williams Silver badge

    No money in it

    the user has paid for the 'phone ... the ROI on security updates is zero. Far better to encourage the user to buy a new model that has got lots of shiny new (useless) features.

    No manufacturer brags long term patch availability, so punters do not think about it as a purchasing criterion.

    The only way to get them to do it would be to make the manufacturer liable in some way - as with motor cars. That will be a long time coming.

    The same applies to all IoT stuff.

    1. Lord Elpuss Silver badge

      Re: No money in it

      "the user has paid for the 'phone ... the ROI on security updates is zero."

      The ROI isn't zero. There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it.

      1. Anonymous Coward
        Trollface

        Re: iPhoneX

        Is it Security Theatre? Please tell me the answer is Security Theatre?

      2. Charles 9

        Re: No money in it

        It's called the Midas Touch. That has little to do with RoI.

      3. Anonymous Coward
        Anonymous Coward

        Re: No money in it

        The ROI isn't zero. There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it.

        I don't think that has much bearing on it. Apple have a "relationship" business model. Every other phone vendor is a hardware maker (excepting Google devices), and if they charged £250 more, they wouldn't put that into a shoebox for several years to release for future software support, they'd bank the lot of it as profit and pay out as a cash dividend. Manufacturing is a completely different business to service, and doing either well is hard enough, doing both well is truly exceptional.

        Regarding the Google devices, as others have already noted in this thread, Google are not really a software house - that's just a means to an end, and the end is slurping huge amounts of user data. Even when the phone moves out of support, it is still spewing the user's data back to Google's servers. So they approach software not as a service, but as a manufacturer: "Fling it out of the door, move on to the next one".

        1. Teiwaz

          Re: No money in it

          still spewing the user's data back to Google's servers

          They can't stay that blaise, if the owners wake up to both the insecurity of their device and the importance of such.

          Can't spew much new info when it's sitting at the back of the sock drawer with the other dead pieces of electronics...

          Thankfully, I think the larger public don't know and don't really care still.

        2. Jon 37

          Re: No money in it

          I have an Apple phone mostly because it gets security patches.

          I'm not aware of any Android phone manufacturer with a reputation for providing patches. If I'm wrong, please enlighten me!

          And I don't want to futz around with open source projects. For something as important as my phone it needs to "just work". So I want a firmware build that's tested and supported by my phone manufacturer.

          1. leexgx

            Re: No money in it

            "I'm not aware of any Android phone manufacturer with a reputation for providing patches. If I'm wrong, please enlighten me!"

            google devices for 3 years of point of manufactured (tends to be october every year when they release a device, so 3 years from that date, Not sold) pixel is first google owned device (well technically its HTC) if the pixel 2 did not have stereo speakers i probably would not not bought it

            they might extend it to 4-5 this year pixel 3 as android kernel now has a Longer LTS cycle of 6 years (was 2 years before so by the time the phone came out google was having to backport fixes manually, with it been 6 years they don't need to do that now) personally security patches should be longer then 3 years as it currently is with most mobile makers (who bother to do it)

            some people keep there phones for longer than 3 years or worse sometimes there new contract phone is 2-3 years old with 1-0 years of security updates if any

      4. ecarlseen

        iPhone X

        "There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it."

        One of them anyway. And Apple has been providing not 18 months or two years of updates, but generally at least four years from launch date. Without anyone having to bitch or whine or throw a fit to get them to do it.

        How many times now has Google announced a security initiative with great fanfare (device encryption, etc.) only to step way back later because "it's too difficult?"

        I would agree with other commenters that the mobile device ecosystem needs another OS competitor or three. I use Apple because they're the best overall tradeoff for me (strongest security and fast devices are what I care about, other people have other priorities) in a field of the problematic options. That being said, I think we've past "peak Apple" in terms of their software quality and more options would be welcome. Unfortunately, the only players with the resources and possible interest in delivering them would be Samsung and Microsoft and neither seem capable of executing.

      5. Sorry that handle is already taken. Silver badge

        Re: No money in it

        There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it.

        Is it the same reason Rolex can charge $10k for a watch it cost $2k to make?

        1. Lord Elpuss Silver badge

          Re: No money in it

          "Is it the same reason Rolex can charge $10k for a watch it cost $2k to make?"

          Not really the same point, but you can certainly consider ROI a factor in haute horologie. General rule of thumb is that if a watch costs less than $5k it will depreciate over time, whereas those costing more than $5k will appreciate. Hence ROI.

          1. Sorry that handle is already taken. Silver badge

            Re: No money in it

            Not really the same point, but you can certainly consider ROI a factor in haute horologie. General rule of thumb is that if a watch costs less than $5k it will depreciate over time, whereas those costing more than $5k will appreciate. Hence ROI.

            Rolex doesn't dabble in haute horlogerie, presumably because they sell strongly enough already. That "rule of thumb" is not something I've come across before. Only very few watches (and in the case of Rolex, only a handful of models) have historically appreciated in real value, regardless of list price.

            ROI... As with cars, I can only say good luck to anyone who wants to invest in luxury watches!

            1. Lord Elpuss Silver badge

              Re: No money in it

              ”Rolex doesn’t dabble in haute horlogerie“

              hautehorlogerie.org begs to differ.

              https://www.hautehorlogerie.org/en/amphtml/brands/history/h/rolex/

              1. Sorry that handle is already taken. Silver badge

                Re: No money in it

                While well made, Rolex's stock in trade is basic steel tool watches (which, before their prices began dramatically inflating ~30 years ago, were even considered affordable!) They don't decorate their movements, indeed they are hidden, they don't combine major complications and the most complicated watch they offer is a chronograph. Unlike the true high-end watchmakers, to address more wealthy customers they are content to take these basic watches and throw precious metals and/or gemstones at them (then charge several times the marginal cost of doing so.)

                Almost every brand listed on FHH's website is more innovative than Rolex. When you can't physically manufacture enough of your product to keep up with demand and operate at margins that Apple would likely be jealous of, you don't have to innovate. For (IMO) true "haute horlogerie", some examples would be A. Lange & Söhne, MB&F or Urwerk.

      6. leexgx

        Re: No money in it

        "The ROI isn't zero. There's a reason why the iPhone X can retail for 250 pounds more than the Galaxy S9 and still get away with it."

        people pay more for the iphone because its an iphone and admitty its consistent layout, Not security updates (unless you got the X phone then, with the blackberry playbook gesture system it uses most don't like it and end up selling it or returning it, most non english people seem to be doing this)

        until something like MSblaster happens again but on android people won't care (a lot harder as most people's phones are behind a NAT on mobile providers) but not impossible if it used MMS to send to binary or SMS to link to a binary to then spread to other phones via some sort of bug

        1. Lord Elpuss Silver badge

          Re: No money in it

          ”people pay more for the iphone because its an iphone and admitty its consistent layout, Not security updates...“

          My company pays more for iPhones precisely because of the security updates. Couldn’t give a toss about layout.

          Your motivation != my motivation != everybody else’s motivation.

    2. Ken Hagan Gold badge

      Re: No money in it

      "...the ROI on security updates is zero. Far better to encourage the user to buy a new model..."

      Well if your service is shit, my next phone is from someone else.

      1. Anonymous Coward
        Anonymous Coward

        Re: No money in it

        "Well if your service is shit, my next phone is from someone else."

        And eventually that company goes bust.....

        In 5 years there will only be 1/2 a dozen manufacturers. You either pick one of those disasters or do your best to lock what little you can down.

    3. dajames

      Re: No money in it

      the user has paid for the 'phone ... the ROI on security updates is zero.

      Not really ... I bought a Moto phone in part because the word on the street was that Moto were good at releasing timely patches. Unfortunately the joke seems to be on me, because in 18 months it hasn't been updated to Nougat or Oreo, and hasn't seen a security patch since January last year. There is allegedly a release of Nougat for at least some versions of this handset, but I haven't seen an OTA update for mine.

      My point is: I would definitely pay more for a phone that was guaranteed to receive OS updates a reasonable time -- say version upgrades for three years and security updates for a couple more beyond that.

      For me, it would have to have an SD card slot and a user-replaceable battery ... so the Pixel and the iPhone are both ruled out.

      1. Tom 38

        Re: No money in it

        My point is: I would definitely pay more for a phone that was guaranteed to receive OS updates a reasonable time -- say version upgrades for three years and security updates for a couple more beyond that.

        So get <anything that supports Lineage> and use that. My Oneplus2 gets OTA builds every week and updated to Oreo a while back.

      2. Anonymous Coward
        Anonymous Coward

        Re: No money in it

        My point is: I would definitely pay more for a phone that was guaranteed to receive OS updates a reasonable time

        Guaranteed? By whom? And you'd believe anybody making such promises?

        Only Apple users have good reason to believe their god will protect them here. Except that the proliferation in SKUs for Apple suggest that they're moving to a world of fragmented user base and smaller user numbers per older SKU. And when you get to that, the economics of supporting older handsets simply don't work out as well.

        Cook may well have served Apple's death warrant, simply by launching too many variants.

        1. katrinab Silver badge

          Re: No money in it

          There’s basically three product lines, plus different size and colour options, and the possibility of buying an older model. That’s perfectly manageable.

    4. Daniel von Asmuth
      Devil

      Whose money in it?

      IT people who earn their money with the assumed security of their customers will advise them to patch their software. Overwhelming eveidence shows that software that security patches fix one error at beat, leading to more fixes and patches and never to software that is actually secure, impenetrable and bug-free.

      Therefore, applying security fixes ownly shows you pretend to care about security.

  4. Dieter Haussmann

    I don't know why google did it this way. Surely standard security updates are common code across all devices?

    1. Tomato42

      thank ARM, chipset (SoC) OEMs and lazy developers

      every phone essentially runs a custom version of Android, not a generic version that will run on any platform that has sufficiently powerful hardware (like it is on PCs)

    2. AdamWill

      "Surely standard security updates are common code across all devices?"

      Nope, not really, due to the fact that the boundaries between 'what Google looks after', 'what manufacturers look after', and 'what third parties like driver vendors look after' have always been terribly fuzzy in Androidland; there just isn't a reliable shared core bit of Android in all Android phones which Google can update directly and which no one else touches. Phone manufacturers cook up their own system images from the Android sources and all sorts of other bits, and then it's up to them to re-build the things with updated Android components when Google sends updates out to the Android trees. If the manufacturers don't, you're just not getting those updates (unless you run a third-party ROM).

      Android One is (in part) an attempt to address this, but there aren't many Android One devices available outside the developing world, and they aren't that desirable.

      1. DeKrow

        I'm hoping to take delivery of an Android One device some time this week. I'll get back to you in a couple of years as to its on-going support.

    3. Ken Hagan Gold badge

      Why Google did it this way...

      Well, first off, on the application side, most updates *are* generic. However, the close you get to the hardware, the less likely that a patch will not need to be device-specific, and consequently unavailable to most consumers. I can think of two reasons why Google did it this way, both of which they (G) now regret.

      Firstly, the original Android was a quick and dirty bodge. Yes, there was Linux in there somewhere, but there is little evidence of big G defining a standard platform or insisting that vendors make drivers available. Consequently, every phone is a new platform. (This is very evident if you go to www.lineageos.org, where you will find separate builds for every phone they support (well over a hundred, as far as I can tell) and if there isn't a keen developer with your exact model then there probably isn't a build for it. In the realm of 64-bit ARM-based servers, I believe there is now some moves afoot to standardise a platform. There's nothing similar at the other "phoney" end of the market, and until accelerometers, cameras, GPS and such like become standard kit in server racks (!) I don't think a server platform standard helps us at the other end of the market.)

      Secondly, the phone companies were delighted to be "in the loop" with a power of veto over delivering updates because they were also "in the loop" with bundling an actual phone with your contract for network service. They ended up with the ability to bully you into upgrading your contract every couple of years. Giving them this power was probably the key to getting them interested in Android in the first place, but big G would like the power back now.

      So we have project Treble, as big G says "Thanks for the leg-up into the phone market. I can take it from here myself.".

  5. doublelayer Silver badge

    Android update statistics

    I wonder what the statistics are on these measurements of android update problems:

    1. How many phones were originally released running some android version V and are still on version V despite the new version, or in some cases several new versions, having been out for a long time (at least six months)?

    2. How many phones are being actively manufactured and sold running android versions that aren't the latest or second-to-latest.

    It seems many manufacturers do one or both of those. Sure, new security patches need to come out for phones on a regular basis, but the article is sort of right in that the security problems dealt with in last month's patches probably aren't well-known exploits in use by a lot of malware writers. Instead, they'll focus on the bugs that can affect lots of older versions of the OS, knowing that a lot of phones on those versions are in use. I am not a primary android user, but none of the android devices I or my family members have purchased got a single OS update. I'm sure the flagship $800 devices at least get one, but it doesn't seem good practice that standard or cheap phones would get no attention at all. By the way, we're not talking $30 budget nobody's-heard-of-them manufacturers here. In addition, I took a quick look at a list of standard affordable price ($100-$400) phones. Some of them are running 7.0, but I see many on lollipop or marshmallow. Not a single one runs oreo, even though the main release was seven months ago. I'm prepared to guess that those devices have security holes that are much larger and better known, and that, as they won't be updated to any new OS, they're probably not getting security patches either. If I was writing malware, that's what I would target.

    1. Anonymous Coward
      Anonymous Coward

      Re: Android update statistics

      In my experience...

      If you buy last year's Landfill Android for under $100, about a year later you'll wake up one morning to discover your phone's been auto-updated, and that's the only update you'll ever receive.

      If you buy this year's flagship for $500+, about a year later you'll wake up one morning to discover your phone's been auto-updated, and that's the only update you'll ever receive.

      1. DropBear

        Re: Android update statistics

        It may well work like that now, I wouldn't know. That said, My Galaxy S2 started shipping with Gingerbread, got upgraded to Ice Cream Sandwich, and currently keeps marching on Jelly Bean. Not a bad run altogether I'd say.

  6. Anonymous Coward
    Anonymous Coward

    The article seems to imply Google good, others bad yet even Google will only give you updates for 2 years. I'm typing this on a perfectly serviceable Nexus 10 that is stuck on Android 5 and the final security patch was over 2 years ago!

    1. robidy

      Suddenly Windows on laptops and desktops isn't looking so bad when it comes to patching...

  7. MarkTG

    Locked boot loaders

    And this is one of the main reasons why locked boot loaders should be illegal IMHO.

    At the very least, if locked boot loaders are allowed, manufacturers should be required by law to unlock any phones that they're not providing security updates for. If a phone goes more than a certain period - say 2 months without an up to date security patch, then it should be mandatory that the phone boot loader be unlocked so that it's then possible for others to take on the job that they obviously no longer want.

    Locked boot loaders are one of the reasons why I haven't upgraded from my nearly 4 year old (but very capable) phone that is now getting weekly updates for LineageOS.

    1. Anonymous Coward
      Anonymous Coward

      Re: Locked boot loaders

      I've got a phone (Xiaomi) that has an unlocked boot loader. Makers even happily allow promotion of Lineages OS on their user community web site.

      But that doesn't really solve the problem because it's still far too much faffing around to load a new phone OS, and until you've tried it you've no idea what works and what doesn't. And because there often are a few capabilities that don't work properly on a Lineages port, it is not a good proposition for mainstream users.

      1. Charles 9

        Re: Locked boot loaders

        Plus what about the increasing number of apps that won't run except in a pristine environment?

        1. Ken Hagan Gold badge

          Re: Locked boot loaders

          "a pristine environment"

          Given that we're talking about a network-connected device that hasn't received a patch in living memory, I'd say that "pristine" is probably not the word you were looking for. For a related example, consider that XP went out of support a few years ago. Only a complete fool would connect an XP box to the internet today. Are the rules different for phones? Do they get special protection from hackers? Is their software significantly more hardened against attack? Umm ... not as far as I can see.

          A phone where the vendor has no intention (and no track record with past models) of supporting it beyond 2 years is a phone with built-in obsolescence. It would be interesting to see a test case or two that pitted a phone vendor against consumer protection laws.

          1. Anonymous Coward
            Anonymous Coward

            Re: Locked boot loaders

            Examples please? I would assume any app that requires a "pristine environment" is spyware you should avoid at all costs.

            1. Charles 9

              Re: Locked boot loaders

              Android Pay/Google Pay was the trailblazer. Many banking apps feel the same way, as does Netflix IIRC (it'll be hidden from the Play Store even in a tainted environment). And I doubt the bulk of these are spyware unless you don't trust B&M banks anymore (in which case, you're already in DTA mode and should've left the Internet already).

              1. Anonymous Coward
                Black Helicopters

                Re: Locked boot loaders

                Thanks. So we're talking about banking apps and DRM-protected streaming apps.

                Using banking apps on a phone is just asking for theft, regardless of whether the phone is rooted/tainted or running a typically insecure stock environment. That includes cryptocurrency.

                Why would I trust banks? They're leeches. Predatory lending, anyone? And if they manage to woo everyone with the convenience of mobile payments, they'll have total transactional surveillance, and every little "public service" will cost money, which will be sucked out of your account automatically the instant you use it.

            2. Anonymous Coward
              Anonymous Coward

              Re: Locked boot loaders

              > Examples please? I would assume any app that requires a "pristine environment" is spyware you should avoid at all costs.

              Apparently some banking apps do this. Not an Android user myself though, so that's just from what others have said and not personal experience.

  8. A-nonCoward
    Mushroom

    Moto E second generation

    Update level: October 2016 "your system is up to date"

    quote from Lenovo website (Didn't know Lenovo had slurped Motorola?)

    Security updates

    This device will remain on Android 5.1 Lollipop.

    This product will no longer receive security updates.

    https://mobilesupport.lenovo.com/us/en/softwareupgrade

    @alain williams<br>yup, no ROI on keeping us simple fellows happy.

    1. Steve Davies 3 Silver badge

      Re: Moto E second generation

      @alain williams<br>yup, no ROI on keeping us simple fellows happy.

      Apart from the customer saying to themselves when it is time for a replacement, "ok, moto provided lots of updates and ***** didn't.. Ok, I'll buy another Moto."

      This situation is nothing new. Basically Android phones after 1 or 2 or sometimes 3 years are 'landfill' despite working perfectly. (by landfill, I mean that they are rubbish and should be disposed of correctly).

      What it the alternative?

      Who sells mobiles and gives not only security updates but OS ones for more than 3 years?

      Answers on a rotten fruit core please...

      In essence it shows the rather pitiful state of affairs in the devices that most of us use today.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'll buy another.

        You must not hang around the same people I do. Some may never shop at a certain store again... but 99% of them could have had their dirty laundry stolen, posted on the front of the Daily Mail, and still go back to that firm for a replacement handset.

        It's all to do with the invested money and muscle memory/invested knowledge. Why go to MS/Android when iOS is all you know? Even if you got a bricked phone, or the screen shatters every 5 mins?

    2. Z80

      Re: Moto E second generation

      My 2nd gen. Moto E 4G (XT1524) received Android 6.0 and shows the Android security patch level as 1st Dec 2016. It was purchased in the UK SIM-free if that makes a difference.

      1. Anonymous Coward
        Anonymous Coward

        Re: Moto E second generation

        The Moto gen1-2 range (2013-15) was only updated to Android 5.1 (April 2015) in the US. Not that 6.0.1 (December 2015) is much of an update.

        Most of those phones will run LineageOS 14.1 (Android 7.1.2, April 2017). It's well worth the effort to install (easier than installing Linux on a PC). If you're brave, you can find some test builds for 8.1.

        1. onefang

          Re: Moto E second generation

          I just updated my Moto Z to Oreo a half hour ago, for what it is worth.

      2. Qew

        Re: Moto E second generation

        Yeah, I have the same phone and from the UK, and can confirm your observation. Still, it's now well over a year out of date with security patches.

        Not sure what my next phone will be. It won't be from the fruit company, so I suppose it's going to be another phone that'll be insecure shortly after I buy it. Then again, maybe I'll just have to take the effort with LineageOS.

  9. Forget It
    Go

    Checkup app here

    https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch

    Select Menu: Android patch level analysis

    1. robidy

      Re: Checkup app here

      I must click on this random link in a tech forum from my android fone...

  10. Anonymous Coward
    Anonymous Coward

    My iPhone regularly receives updates...

    ...but given that iOS is now buggier than a termite mound and flakier than a leper in a tornado (and getting worse), this is something of a mixed blessing.

  11. Lorribot

    Google gave the Mobe OEMs what they wanted, a fully customisable OS they could use free of charge and left them to support the OS and apply any patches. Google's only aim was to sell as many apps and stuff it could through the Play store, steal as much user info as possible and if possible destroy MS along the way. The manufactures only interest was/is selling as many Phones as possible.

    Android was never designed to be patched, it is basically similar in design to Windows 95 in this respect and here in lies the problem and the difference to the way Windows 10 works now, which is supported for patching on a much larger range of hardware than Android runs on.

    The big thing that is ignored here is that drivers are provided by the component manufactures not the seller of the kit, this is the main blocker for OS upgrades (always has been for Windows as well, go on the Dell website and try and find some Windows 10 drivers for kit that was sold with XP ro even 7, some of their specialist hardware be missing).

    With XP, to a certain extent, and Windows 8 and 10, to quite a large extent, MS wrote drivers for a lot of kit that the component and peripheral manufactures could not be bothered with, to ease the migration of users. No one wants to upgrade an OS only to find they need to buy a new printer (remember Windows 2000?).

    MS spent most of the 90s and 00s being battered into putting effort in to supporting end users and looking after them, they are not perfect, and let down by the big OEMs, but are a damn sight better than Google who no one seems to care about how bad they really are towards their customers and how they abuse their dominant position in the market.

    GDPR will could have an interesting effect on this relationship as Google could find its core business badly hampered and subject to much litgation.

    1. Charles 9

      And no, you can't force component manufacturers to keep making drivers because their competitive environment is cutthroat. They black-box everything because they don't want to Give Information To The Enemy. Basically, if push comes to shove, they'll bail out instead and leave everyone hanging because there's no more profit in it.

  12. lglethal Silver badge
    Go

    Any chance?

    Any chance of a name and shame of the worst culprits?

    My just under 2 year old Sony still gets regular updates (current state says its up to date to 1/3/18). But wether its getting all of the updates it should, I have no idea. It would be interesting to see which are the worst offenders and which are the best.

    Naming and shaming might be a good way to actually change the manufacturers behaviour. But probably not... ;)

    1. Charles 9

      Re: Any chance?

      As noted, it's not always the manufacturers' faults. If the component manufacturers refuse to play ball, there's little you can do because they can always just walk away.

      1. Ken Hagan Gold badge

        Re: Any chance?

        They could refuse to use components from vendors who will prevent them from meeting their legal obligations (regarding the period of support required by consumer laws). If a few big phone vendors got stung in court then the laggard component vendors would soon have no route to market.

        1. Charles 9

          Re: Any chance?

          Sure they do: the embedded and IoT market. ALL the component manufacturers work the same way because it's the only way to survive, meaning they can ALL abandon phones and concentrate on IoT and embeddeds and still turn a profit. IOW, the phone manufacturers need them more than they need the phone manufacturers.

          1. Jon 37

            Re: Any chance?

            Suggesting ALL the manufacturers would leave the Android component marketplace is nonsense. Let me explain the economics:

            Suppose additional costs were imposed due to a change in the law (or a change in the way the law is interpreted). If ALL the component manufacturers were to abandon the Android phone market, then it would be impossible to make any new Android phones. However, there would still be a demand for Android phones, to replace broken and worn-out phones, and as first phones as kids grow up. So there would be a shortage, which would greatly increase the value of Android phones, both new and second-hand. Because the price of a new Android phone would go up, the Android phone manufacturers would be able to pay more for components. At some point, the price rise becomes more than the cost of following the new law. At that point, the component manufacturers would come back to the market and sell their products again.

            Sane component manufacturers would realise this in advance, and would just raise their prices to cover the costs of the new law, rather than leave the market and risk having their business stolen by saner competitors.

            I.e. requiring security fixes might increase the price of phones, which may mean people buy less, which might be good/bad for some companies, but won't lead to everyone suddenly quitting the market.

    2. The Real SteveP

      Re: Any chance?

      Mu just-over 2 year old Galaxy S7 has received two updates in the past two weeks (I'm on O2).

      I agree with the naming and shaming comment...

      1. Baldrickk

        Re: Any chance?

        My just-over 2 year old Galaxy S7 has received two updates in the past two weeks (I'm on O2).

        Mine (On Vodaphone) hasn't had an update since late Jan or early Feb this year.

        Wouldn't be annoyed too much about that, but now some process keeps crashing, which causes other apps (browser, gmail, camera etc etc) to hang up. Rather frustrating.

  13. mark l 2 Silver badge

    My year old phone is stuck on Android 6 and not had an update to that since July last year. I have now rooted and installed AFwall firewall to try and make it a little more secure.

    Looked at alternative ROMS for it which there are quite a few Android 7 updates available but there are usually some aspects that aren't working on the custom ROMs that do work on the stock manufacturer firmware, So i have been reluctant to switch them until they are fully working. But it seems that since the manufacturer has stopped selling this phone, now the number of people working on updated ROMs has began to dry up. So i might never see a fully working Android 7 version never mind 8 so might have to buy a new phone if i want an updated OS

    1. Anonymous Coward
      Anonymous Coward

      If you're ready to buy a new phone "any day now" it can't hurt to try those alternative ROMs. Just backup your data and be ready to buy a new one if things go pear-shaped. You should be able to backup and restore your old OS if you're careful though.

      If all goes well, you'll get a few more years out of your old phone. The time you save wrestling with crap apps will make it all worthwhile.

  14. ChrisPv

    Google fault

    Manufacturer, once device was sold gets 0 profit from continued use. Google on the other hand profits handsomely from every one Android in operation. It is logical, that Google should pay, but they don’t care, until it will endanger their business model.

  15. JLV

    I like how it's implied that all would be good, if only the bad manufacturers took nice Mr. Jekyll Google's security updates.

    Sadly, bad Mr. Hyde Google did not get called out for their sloppy updates on their own Nexus/Pixel line - 3 yrs after initial release you can go fly a kite for any further updates.

    1. Manolo

      Well, most Nexus kit doesn't survive that long anyway.

      Currently on my third 5X, replaced under warranty.

      First one just bricked itself, second one the infamous bootloop.

      Nexus 5, microphone stopped working.

      Galaxy Nexus, USB port broke, not charging.

      Both Nexus One's broken power button.

      Only my Nexus 10 is still working, however that has been having WiFi connection problems since day one.

      And don't think you can use a Bluetooth keyboard with it while on 2,4GHz WiFi.

      I like the Nexus philosophy of running plain Android and having regular updates, but the build quality

      of all my Nexi has been less than stellar.

  16. Carl D

    Looks like my Samsung Galaxy S5 has joined the long list of "Abandondroid" products.

    No security updates for over a year now. Too bad - I will continue to use it until it dies (Hardly ever use it online anyway since it has a Vodafone prepaid SIM card in it).

    I also still have (and use) a Samsung Tab 3 10.1 inch tablet that hasn't seen a security update for 4 years now. I don't keep anything important on it and I usually do a factory restore about once a month to keep any security issues at bay.

    1. Irongut

      You're complaining about a 4 year old phone and a 4+ year old tablet. How long do you continue to do work for a customer after they paid you once? I'm guessing much shorter than 4 years.

      1. doublelayer Silver badge

        Longer if they were buying my product

        Do you use windows? Windows 7? That's getting support and security patches for 11 years. Windows 10? Although you may hate it, it has been getting security patches for four years now and they're still doing it. MacOS? All OS updates are free. True, they may break your device, but that wasn't intentional. Your mac from 2010 onward runs the latest MacOS update, albeit slowly. How about Linux? They don't even sell you the OS and yet Ubuntu LTS versions have support for five years. IOS? I have an iPhone 5S that runs IOS11, even though it shipped with IOS7. People update products when they take ownership of them. It is perfectly reasonable, especially when devices cost as much as phones do, to use them for a while. You shouldn't have to give up on a device that is still capable of the processing required for your use case, and for those who use their phones for phone calls, SMS, email, light browsing, and multimedia consumption, the processors from four years ago are fine. If the phones were properly secured, many people would use them like that.

    2. Tomato42

      My current phone I bought 3 years ago did cost more than twice my first laptop (a 1.6GHz Celeron with 256MB of RAM, easily over 10 years old). I can run current Linux on that laptop (just need patience when browsing the web), can't run current Android on my phone (not even alternative ROMs).

      Yet the phone still lasts 4 days on charge, Firefox is snappy on it and in general has better specification than current entry level phones

      The situation with phones is a total disaster, plain and simple.

    3. ecofeco Silver badge

      Just shorten that to "Abandroid."

  17. Irongut

    Not always the manufacturer

    "El Reg can vouch for this first-hand. One of our offices has an Android 7 Samsung Galaxy S8 handset that, despite being "up to date," can't fetch any security patches since August last year."

    Well that is not down to Samsung. My S8+ was updated to 8.0 recently and has the March 2018 security updates. Perhaps something to do with operator branding?

    1. ecofeco Silver badge

      Re: Not always the manufacturer

      The updates are indeed reliant on the phone brand manufacturer.

  18. Anonymous Coward
    Anonymous Coward

    This is one area where Apple iPhones excel over Android phones.

    Part of the problem is that various Android phone makers are too clever by half, and attempting to be 'innovative' by modifying the Android OS into a bloated mess to 'differentiate' and to 'give customers an innovative experience'. Telcos are also given free license to install crapware into these phones.

    The time taken to bug test and validate the patches massively increases. For the small time cheap Android phone makers, they usually do not bother, because it makes no economic sense.

  19. Cynicalmark
    FAIL

    Telco handsets on installment deals

    This has been a problem since smartphones came into existence. Manufacturers sell phones via networks and they in turn re-tweak the OS to a ‘branded experience’ which removes updates as well. They bugger up a phone and lock out swaths of settings/security options and really want the phone to last the contract term if you’re lucky but on their terms.

    Mind you if they lock it from using certain app stores then maybe they are saving the users from more grief (from what I’ve seen the ‘droid stores are a mine field of uncertainty)

  20. GIRZiM

    Brave New World

    troland: If you buy last year's Landfill Android for under $100, about a year later you'll wake up one morning to discover your phone's been auto-updated, and that's the only update you'll ever receive. [...] If you buy this year's flagship for $500+, about a year later you'll wake up one morning to discover your phone's been auto-updated, and that's the only update you'll ever receive.

    mark l 2: But it seems that since the manufacturer has stopped selling this phone, now the number of people working on updated ROMs has began to dry up. So i might never see a fully working Android 7 version never mind 8 so might have to buy a new phone if i want an updated OS

    This is the problem in a nutshell.

    If we're lucky, some alternative OS will become available that can run on a wide range of hardware and, like linux, be updated and kept secure. Unfortunately, like linux in its early days, the chances are that it'll be many years before it can run on a wide range of hardware - and that's only assuming that it ever arises in the first place.

    The closest I see to anything like that happening are Sailfish and LineageOS, but, as mark l 2 points out, most ROMs become abandonware almost as fast as Android itself because there's not enough manpower to maintain old versions and keep up with new models and ranges - and the devs like to keep up with exciting, wizzy new phones rather than focus on boring incremental updates maintaining old ones.

    Which is why troland's point is so significant.

    There's no point buying anything with the expectation of it being worth the money in more than the short term. If you just want a phone, get a 'landfill phone'. The Moto G range is perfectly adequate for most people's needs, most of the time (far, in fact, from 'landfill' really) and, if you get the 'Plus' models, you're reasonably assured of a version of LineageOS becoming available reasonably quickly.

    If, for whatever reason, your need for performance exceeds that then, by all means, get yourself a flagship hone but don't expect it to last any longer in terms of what we're discussing here (security), because it won't. So, you're paying for right here, right now performance, no more.

    If you want to try keeping a phone going longer then, frankly, even LineageOS probably isn't going to get you there and you're probably better off looking into simply rooting it, maybe using Magisk (with or without systemless Xposed), locking it down as tight as you can and being sensible in your usage. And, in such a case, you want something like the Moto G range or anything else that offers you vanilla Android because it means there will only be the flaws inherent in your version of Android itself and not the extras introduced by the OEM as well, so whatever security you apply to it won't be rendered useless because it can't account for them, only vanilla Android.

    Other than that, maybe a 'community' move to get Sailfish in place as a viable alternative could achieve something but, really, I don't see it getting much further than LineageOS in terms of install footprint - there are just too many devices. It would take some major leage adoption by a serious player to turn it into more than that, I think.

    Fundamentally, as alain williams pointed out, there's no money for the OEMS in maintaining either the OS or the hardware, so, until they are obliged to do so by legislation (because we are destroying the only planet in the entire universe known to support life and we can't keep up the 'consume today, use it up and throw it away' approach any more), we are just going to have to accept that every three to five years (tops), we will have to buy a new phone of some kind or else run the risk of being pwned.

    That's the long and the short of it as far as I can see.

    1. Charles 9

      Re: Brave New World

      But almost NONE of the decent smartphones out there today feature user-replaceable batteries: a make-or-break for me as that's the thing I replace most often. Nothing to date compares to my Note 4 which is why I stick with them through thick and thin. Yet because of Verified Boot, Knox, and root-aware apps, I have to stick to stock firmware.

      "...and we can't keep up the 'consume today, use it up and throw it away' approach any more..."

      Sure you can. It's called "Eat, drink, and be merry, for tomorrow we die."

      1. GIRZiM

        Re: Brave New World

        But almost NONE of the decent smartphones out there today feature user-replaceable batteries: a make-or-break for me as that's the thing I replace most often.

        That a whole 'nother issue that I also take issue with but for privacy reasons more than anything else - if the phone isn't going to be secure for as long as the battery lasts and I'm going to replace it for that very reason then a replaceable battery is a nicety as far as I'm concerned.

        There's also the fact that, when something does go wrong and the phone hangs, I can't fix things by popping the battery, but that's only ever happened to me twice and it simply meant having to wait for it to die.

        Nothing to date compares to my Note 4 which is why I stick with them through thick and thin.

        Performance-wise, I couldn't comment, but security-wise, I'd suggest upgrading. The Moto G5 came/comes with a removable battery, however, and not only supports Nougat but is officially slated to receive an update to Oreo as well. So, unless you've got some reason to hang on to your Note 4 for the camera, some other hardware feature that you absolutely must have or because it will still outperform the G5, I'd suggest having a look at that latter as a possible upgrade sooner rater than later - before you can't get it any more (which will be the case RSN).

        Yet because of Verified Boot, Knox, and root-aware apps, I have to stick to stock firmware.

        The Moto G range phones all have unlockable bootloaders so far.

        So far, it seems to me that, based upon your need case, the Moto G5 is something you might want to have a look at - I can't tell you anything about its performance (never had one myself) but the specs aren't bad for a phone in that price range (albeit the 5.0" display is a bit small) .

        But you're still gonna be fighting a losing battle, as I said. You'll get the update to Oreo, eighteen months to two years of security updates, you might squeeze another couple of years out of it by rooting it and/or flashing a ROM but after that it's a security breach in your pocket.

        What people forget to factor in is that, by and large, apart from the serious security flaws in things like the SSL libraries, kernel, etc., for the most part the biggest attack surface isn't the OS but the apps. Once the devs upgrade to supporting the latest version of android, unless they're corporate, it's unlikely that they'll dedicate much time to ensuring that previous versions get fixes for more than the most serious security flaws (the kind of thing that could see them getting sued), and then probably only one or two previous versions at the outside.

        You're more likely to be compromised by a flawed app that hasn't been updated than you are by your Android version having a serious exploit in it because you don't access things with Android but with Apps. You're more likely to find your identity stolen thanks to the breach of the customer database on a smalltime dev's home server or their self-managed AWS security. And that's why the OS version is significant more than due to any real shortcomings of the OS itself - it won't support the latest (secure) version of the apps.

        After Oreo, I'm sure there'll be improvements made to it over time but the principle of being able to upgrade the security separate from the rest will at least give you a fighting chance of keeping a device running a bit longer because the community might release security patches after Google/the OEMS stop doing so.

        Underlying flaws in drivers are a separate issue - if the OEM doesn't release a closed source update and nobody can/does reverse engineer the device/chipset then a security flaw in your networking is going to be worth upgrading your phone for and a more serious consideration than "can I get a removable battery?"

        Seriously, I know what you mean - If I could, I'd still be using my Sony P910! But your Note 4 is not gonna get Oreo and you're not gonna get that separation of concerns, so, any security flaws in the OS/apps are there to stay and, furthermore, won't be fixable with a community driven Oreo patch. Although I can't vouch for the performance myself, the G5 looks like a worthwhile consideration for you. It'll get you Oreo and a bit more lifespan security-wise, give you the option of rooting/flashing afterwards and squeezing a bit more lifespan out of it than that.

        Ultimately though, the model is based upon the 2-to-4 year upgrade cycle. There's even the 'free upgrade' option on phone contracts - which are, oh, so coincidentally, one or two years normally. Until that changes, don't expect my description of the state of play to change unless, as I said, some miracle OS appears that can handle all the different hardware platforms. And even Ubuntu gave up trying with that one!

        Sure you can. It's called "Eat, drink, and be merry, for tomorrow we die."

        Yep, nail on head.

        1. Charles 9

          Re: Brave New World

          "You're more likely to be compromised by a flawed app that hasn't been updated than you are by your Android version having a serious exploit in it because you don't access things with Android but with Apps."

          I find that a little hard to believe. Apps aren't as dependent on the OS version as you think. Heck, the latest Facebook (and I DO use it, albeit minimally and only out of necessity) still runs on an old Galaxy Tab 3, and that's stranded on KitKat. Most of the updates to the Android OS are more to support itself than the apps. The biggest app-related upgrade was in Marshmallow when app permissions switched to on-demand instead of on-install, but that's something of a six-of-one-half-a-dozen-of-the-other thing.

          PS. I specifically like the Note 4 because I have big hands, and it's 51/2 inches. That G5's no bigger than the S5 I keep as a backup unit (and I was forced to use it when my previous Note 4 suffered an internal hardware failure--unlike the S4 before it, the US S5 supports LTE Band III).

          1. GIRZiM

            Re: Brave New World

            I find that a little hard to believe. Apps aren't as dependent on the OS version as you think. Heck, the latest Facebook (and I DO use it, albeit minimally and only out of necessity) still runs on an old Galaxy Tab 3, and that's stranded on KitKat.

            As I said, the corporates are more likely to ensure backwards compatibility and I wouldn't draw any conclusions about the security landscape from them. Look at the Shellshock vulnerability in the BASH shell. Twenty years it was there! So much for the 'many eyes' theory. So much for a single dev having the time/resources or even the interest in checking that old issues are ironed out before upgrading their offering with whizzy new features or compatibility with new devices.

            Once I've sold you my app, unless I charge for upgrades I'm making no more money from you. My interest, therefore, is on ensuring that any new features offered by new hardware or OS updates are accommodated so as to attract new customers with their new hardware and/or OS platforms.

            There's only me (and possibly two other guys) working on it and my stable of apps includes four others so my (our) time is divided and at most you can expect a fraction (say 20%) of 20% of my attention for your OS and even less for your device unless it's widely used (say 20% for a Note). So, in total you're getting 20% of 20% of 20% of my attention. That's not even 1%. And only if you have a popular device. If it wasn't/isn't popular forget it; count yourself lucky if any changes I make to the app don't stop it running altogether.

            The latest version of my app might run on your vintage OS on your oldtimer phone but I'm not patching it to accommodate newly discovered flaws on either; I'm selling to the new customers with devices that don't have those flaws any more and my attention is focused elsewhere. If the latest version runs, great. If your OS has has unpatched flaws, sorry, I'm not wasting time patching them in my app, upgrade your OS or hardware.

            Remember, what's in question here isn't whether the app will run, but whether it's secure - and those are two entirely different issues.

            Most of the updates to the Android OS are more to support itself than the apps. The biggest app-related upgrade was in Marshmallow when app permissions switched to on-demand instead of on-install, but that's something of a six-of-one-half-a-dozen-of-the-other thing.

            Yeah, that's a whole different matter again. As a developer the only concern I have about the permissions model is accommodating it to the extent that I am obliged to and no more. If the OS upgrade doesn't update that then neither will I. If it does then I will. Neither way around, however, does that make any difference to what I said before: if your OS has has unpatched flaws, you're on your own; I'm not wasting time patching them in my app - upgrade your OS/hardware or live with any consequences.

            Moreover, how many apps designed for older versions will run on the newer release and accommodate any changes? Only those that made blanket request for features they never used anyway. I've got apps that run on Nougat but only if I grant them the same permissions they demanded on Marshmallow or KitKat. The change in permissions model didn't stop them running. It also didn't fix the security/privacy concerns inherent in running those apps in the first place and the devs aren't going to resolve them either - I can pay for an updated version (if there is one) or, more likely if it's a smalltime dev/team and they've let the app lapse in the meantime, search for a new app by someone else (if I can find one).

            PS. I specifically like the Note 4 because I have big hands, and it's 51/2 inches. That G5's no bigger than the S5 I keep as a backup unit (and I was forced to use it when my previous Note 4 suffered an internal hardware failure--unlike the S4 before it, the US S5 supports LTE Band III).

            Then you are either stuck running the risk of an outdated OS version or will have to bite the bullet and accept a phone with no removable battery, I'm afraid.

            There are basically three phones with removable batteries that are worth your consideration in 2018 (the first three on the list here. After that though, removable batteries are gone for good.

            The only way that situation could change would be legislation mandating removable batteries - and I don't see even the EU going that far ; )

            1. Anonymous Coward
              Anonymous Coward

              Re: Brave New World

              I would take it with a grain of salt when some writer for Mashable declares removable batteries dead. Writers are Apple users as a general rule; this one seems to be no exception; and they would see inevitability in this trend because Apple started it. Most consumers, on the other hand, would gladly accept a rugged plastic phone that's 1mm thicker if it has a removable battery, headphone jack, and one-fifth the pricetag. That's the future of smartphones after the novelty wears off.

              Sealed batteries are fine if you've disabled all the battery-draining location-tracking spyware and get 4 days on a charge. But I think they're largely a concession to metal & glass phones, because you can't simply pop the cover off. In other words, this is just foolishness.

              1. GIRZiM

                Re: Brave New World

                I would take it with a grain of salt when some writer for Mashable declares removable batteries dead.

                Indeed. And I've been around the block more than enough times to be aware of that. But I wasn't about to list twelve other articles - one is enough for people to springboard off and research further, unless they just want to kneejerk to one single article (in which case it wouldn't matter how many links i posted).

                Writers are Apple users as a general rule;

                Erm, no, there's no basis for that statement whatsoever; writers are a mixed bunch - some use Apple, some Android, some Blackberry (believe it or not), some more than one. You can't say "writers use <brand> as a rule" - that's not even bollocks in the same way that Deepak Chopra is not even wrong.

                this one seems to be no exception; and they would see inevitability in this trend because Apple started it.

                It has nothing to do with who started it and everything to do with what the trend actually is across the board. Seriously, give this one up; you won't find many phones with removable batteries, period - and it doesn't matter who the OEM is, that's just the way of things and the way they will continue.

                Most consumers, on the other hand, would gladly accept a rugged plastic phone that's 1mm thicker if it has a removable battery, headphone jack, and one-fifth the pricetag. That's the future of smartphones after the novelty wears off.

                Most consumers want whatever will impress their friends, family, co-workers and randoms at the bar/pub that is within their budget; they don't know or care whether its good so long as everyone else thinks its good. I think you are possibly spending too much time in the company of the cognoscenti and not enough in the company of Joe Public - the average smartphone user doesn't care what the specs are or what features it has, all that matters is that it's an iPhone or a flagship Android, trust me. They don't even care that it's a smartphone; all that matters is that it's expensive and, therefore, by definition, good.

                Sealed batteries are fine if you've disabled all the battery-draining location-tracking spyware and get 4 days on a charge. But I think they're largely a concession to metal & glass phones, because you can't simply pop the cover off. In other words, this is just foolishness.

                Joe Public doesn't know about spyware or tracking, doesn't care about it when you tell him and will get pissed off with you if you persist in explaining it - he doesn't want to know (he has nothing to hide and no-one is interested in him or you, you paranoid schizophrenic, you).

                You and I are concerned; he isn't, believe me - I've been explaining it to people for the last forty years and even post Snowden they still don't want to believe.

                Trust me on this, people don't know, don't care, don't want this or that or the other, they'll take what they can get as long as everyone else thinks it's good (because people wouldn't think it good, if it weren't, right?).

            2. Charles 9

              Re: Brave New World

              "The only way that situation could change would be legislation mandating removable batteries - and I don't see even the EU going that far ; )"

              And I think they will. Two words: Note 7. Many airlines already ban them specifically, and it wouldn't take too many more spontaneous battery combustion to get internalized batteries classed an unacceptable fire risk. At least removable batteries can be replaced when danger signs such as bulging emerge.

            3. Charles 9

              Re: Brave New World

              OK, I'll keep it brief. I'll take the security risk over the fire risk. Push comes to shove I can be pwned by the radio chips, and those are in feature phones so I'm already screwed. Plus, at least a security risk can't KILL me.

              1. GIRZiM

                Re: Brave New World

                The Note 7 is a good point. But how many other phones are famous for that flaw?

                Let me see now. Erm, none.

                How many other phones are banned on airlines? Uh, None.

                How many are going to be banned on airlines in the future? Well, until there's another 'Galaxy Event', as it were, exactly none.

                In fact, airlines have recently moved from 'airplane mode' to 'sure, use your phone' mode.

                Personally, I prefer removable batteries myself but, in the even of my phone catching fire in my pocket, that's gonna be the last of my concerns. If I can, I'll get it out of my pocket and hurl it away from me. If I can't, I'll remove whatever item of clothing contains it and hurl that away from me. The last thing am going to be doing in the instant in which I am potentially about to get a hand/limb/face full of plastic, metal and poisonous chemicals is faffing around, trying to get the battery out, believe me - anyone who does is due some sort of Darwin Award (or at least a runner's up consolation award for effort).

                I like a jack socket for my headphones, even though I never use it - it serves as a useful physical standby in case my Bluetooth ever stops functioning for some reason.

                I like having a microSD (or whatever) slot so that I can expand my storage.

                I like having physical buttons for power and volume.

                But all that is going the way of the dodo. When wireless charging is in everything (and it will be), you just watch the uptake on all-glass phones. No ports, no buttons., everything soft.

                Retail phone? What's that? You won't need to worry about buying a SIMless phone, you'll buy one locked to a service provider and either stick with them or get it changed over to another within 28 working days - as long as you can switch carrier, legislation requiring flexibility from the OEMs/suppliers/vendors/networks will have been met and there will be no obligation to provide you with a physical SIM separately to the phone.

                Need more storage? You won't need to buy a card, you'll just get the more expensive model.

                Headphone socket? Nobody uses them any more - just carry a second pair of Bluetooth earbuds/headphones and/or a charger.

                What's that, you say? You don't like that vision of the future. That's a shame, but, hey, you know, it's a free market and you're not obliged to have a phone if you don't like any that are on offer. You can always wait and see if enough other people want what you do to encourage some OEM to tool up for it alongside their standard all-'glass' injection-moulded models.

                In the event of another 'Galaxy Event', the EU (or anyone else for that matter) will not legislate in favour of removable batteries - that could end up with them being sued by someone foolish enough to try to remove an overheating/exploding battery. The airlines/whoever will simply impose a "You're not bringing that on here" rule and it'll be up to you to take it up with your phone's OEM if that results in a significant inconvenience in any way.

                Sorry, but that's just the way the world works right now and I really don't see it changing for the better in any way. Over the years, I've just seen it get steadily worse until we barely have any say in our lives any more. From autolimiting recording devices where I can't set the levels any more, to autodetection of recording format so that I can't overload it to achieve a particular sound, to autofocus on cameras, to all-digital and no way to overexpose, to BIOS featuresets that prevent me from changing harddrive parameters, to locked phone bootloaders, to Facebook pre-installed and permanent on my phone, to autonomous vehicles, there is less and less control and less and less choice. Get used to it.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Brave New World

                  "Get used to it."

                  And what happens when more and more people reply with, "Stop the world, I wanna get off!"?

                  1. GIRZiM

                    Re: Brave New World

                    And what happens when more and more people reply with, "Stop the world, I wanna get off!"?

                    Do let me know when you've given up owning a mobile tracking device phone yourself, won't you?

                    I love the idea myself but I can't because (thanks to all the people who constitute more than you, me and our friends) if I want to accept an offer of work, I have to be available for people to contact me on the phone whenever is convenient for them, not me.

                    Because, unfortunately, there are more of them than there is of me and, however much I might lament the fact, I have to live in a world in which people send texts rather than call, use WhatsApp to do government/business, don't even send a text but put something on social media that I might miss but, hey, that's my problem not theirs (they put it on Facebook, didn't I see it? Oh, well), use Facebook Messenger to discuss how awful it is that Facebook gathers all this data on them, the list of evidence for the fact that 99% of the world's population has an IQ below 70 is almost endless.

                    You, me and four other people might hold out for something better - but just like hunger strikers in prisons, we aren't going to change anything of any significance except our health and, just maybe, how many days in the week we get mashed potato for lunch instead of boiled potatoes.

                    The world and their dogs aren't going to say "Stop. I want to get off." If they were, they'd have done something about it already. They'll keep upgrading their phone every two years. They'll keep voting to have their right testicle electrocuted instead of their left. They'll keep giving away more and more control of their lives until they own nothing and have no rights any more, not even to themselves - having the right to say who gets to use your data is not the same as having the right to generate no data at all in the first place.

                    As I've said on another thread: one day, you won’t log in to this site or that email account at all, let alone with different credentials. You’ll have a single ID. Like OpenID, but it won’t be optional — in fact, very soon now, opening a Facebook account will be mandatory and if you don’t do it voluntarily, you will have to make do with your court appointed account. You’ll log in to that ID and every service you are subscribed to in any way (FaceBook, Twitter, What’sApp, email, Amazon, PayPal, the restaurant you booked a table at, the pizza delivery firm you ordered from, the taxi firm you booked a cab from, the airline you booked a flight with, etc., etc., etc.) will be simultaneously active and sharing information between them. You won’t be able to separate them out nor will you be able to log in to them in any other way.

                    It’s already here in the form of fingerprint scanning and facial recognition ‘security’ systems on smartphones. The next step will be the smartwatch (the real thing, not the silly toys currently on offer that require you to have a smartphone they link to.) or even ‘GoogleLens’ contacts that you wear instead of ‘glasses’.

                    Eventually, of course, there’ll be the 'option' of implants—so that you can’t mislay, lose or have your device stolen. Then you’ll never be offline again … even when you sleep.

                    You won’t come home to a home. You’ll live in a coffin hotel, with shared amenities—you’ll pop down to the food hall for your meals and use the communal showers to wash, collect your clothes for the day from the cleaning service and give them the dirty ones, etc. What do you need space for anyway? All your possessions are digital and stored in the ‘cloud’—all you need is room to sleep in, with a couple of speakers either side of your head and a screen above your face. If you want sex, you'll book into a ‘Love Hotel’—just enough room for the woman to go on top, provided she doesn’t want to sit fully upright. I suspect that addresses will have elaborately appealing names and you’ll live somewhere like 3515 (Floor 35, Room 15) ‘Paradise Gardens’— you don’t want people knowing they live in a cage.

                    What you want, what I want, what a handful of iconoclasts like us want is immaterial. What the vast majority wants is to not have to think, not be obliged to take responsibility for thinking, not be confronted with awkward facts or discomforting information that would require them to take any action that would be more effortful than their current lifestyles. And what they want more than anything else is to not be told that they're stupid for buying the phone they have by someone like you or me who think we're so clever but, if we're so clever, why aren't we Steve Jobs/Bill Gates/Elon Musk/running Sony or Samsung or Facebook or or or? Yes, we did tell them they were stupid; they distinctly felt we did when we explained why their choice in phone was less of a cause for celebration than they had been led to believe by the advertising and their friends and colleagues . Well, if we're so smart that we're smarter than everyone they know, the advertisers, the marketers, the OEMs, why aren't we running the show, eh? Answer them that!

                    Isn't it terrible the way Foxconn had to put in nets to stop people from killing themselves rather than work just one minute more? How's your phone by the way? Produced by a Bangladeshi workers co-operative from naturally and locally sourced biodegradable materials and bought by a Fair Trade distributor? No? Why not? I thought you wanted to get off.

                    Yeah, maybe a movement will get up in arms about something or other. Maybe Apple or someone will pay lip service to the idea of 'listening to the customer'. No doubt, one day, Occupy will be found to have got Starbucks to use one layer of cardboard less in the heatshields around their polystyrene coffee cups.

                    People want their shiny phones. They want to be able to wave them around and for their friends, family and colleagues to "ooh" and "aah" over them. That isn't gonna change and neither you, I nor our friends are going to make even the least dent in that - we have as much hope of changing human nature as a gnat has of flying to the heart of the sun and back.

                    Get off, if you can and good luck to you. if you make a success of it, please stop by and let me know how you did it so that I can try too. Nobody else is gonna follow our lead though. Not enough to make any difference. Because we can't change other people, just drop off their radar when they stop texting us because we never reply and they forget we ever existed.

                    If you can design a new phone with a removable battery that you can also market so well that it becomes the iPhone killer then removable batteries in phones might become a thing - I won't be holding my breath though.

    2. DropBear

      Re: Brave New World

      "we will have to buy a new phone of some kind or else run the risk of being pwned"

      There's your mistake right there, assuming that buying a new phone you're somehow magically free of the risk of being pwned. Actually, ANY statement extolling the security benefits of new phones beyond a simple "older = more pwnable" is highly arguable regarding the exact amount of "additional protection" they are supposed to be offering. No amount of money in the world can buy you "security". You cannot achieve it. You cannot get anywhere near it. You can only get very, very, very, very, very, very slightly closer...

      1. GIRZiM

        Re: Brave New World

        ANY statement extolling the security benefits of new phones beyond a simple "older = more pwnable" is highly arguable regarding the exact amount of "additional protection" they are supposed to be offering.

        No amount of money in the world can buy you "security". You cannot achieve it. You cannot get anywhere near it. You can only get very, very, very, very, very, very slightly closer...

        I wasn't extolling the benefits of new phones over old ones but, rather, lamenting the 'pwnable' factor itself and facing up to the reality that the only way to mitigate that as it stands is to upgrade the hardware for the reasons cited.

        You are absolutely right: the only secure phone is the one you don't own, that is not associated with you in any way and does not have your details stored in it by a friend, family member, acquaintance, colleague, employer, client, customer, government employee, representative of an alien race from another planet, anyone.

        But, really, anyone needing me to spell that out for them would have to be so ignorant of how the world and technology work for it to be pointless them spending time on this site in the first place.

        The fact remains that:

        1. absolute security and anyone else in the world ever becoming aware of my existence are mutually exclusive;

        2. we all live in the real world;

        So, given the above, and the aforementioned reluctance on the part of OEMs to do anything to make old OS releases, firmware or hardware more secure, there's no option for us but to upgrade if we want something approaching what I wouldn't even term 'very, very, very, very, very, very slightly closer' but simply 'very, very, very, very, very, very slightly close'. Because the nature of software/firmware/hardware bugs is that, whilst in an ideal world we might hope that it were, this isn't an ideal world and there's no guarantee that the new phone/OS will be more secure and we can only hope that it is at least no less so (differently in/secure, if you will).

        Arguing that it's an imperfect solution doesn't change the reality that it is the only solution so long as the business model remains as it is. Rightly or wrongly, perfect or not, when the OEM/app developer stops putting their heart into the old model/release then it becomes more pwnable and the lack of a significant improvement over that being due to a new phone doesn't change that fact in any way at all.

        That's not extolling the virtues of new phones, it's simply pointing out that the business model being what it is and technology functioning the way it does, 2+2 = 4 and can't be made to equal anything else thanks to wishful thinking about what it might be, could be, ought to be or should be.

        1. Charles 9

          Re: Brave New World

          I think what the other guy's saying is that newer isn't always more secure. If more are introduced than quashed, then the cure's worse than the disease, so to speak. Plus this says nothing about hardware exploits which likely can't ever be corrected.

          And PS. 2+2 doesn't always equal 4. Think gestalts. Or what I sometimes like to call gestFAULTS which come from combining otherwise-safe code segments just so.

          1. GIRZiM

            Re: Brave New World

            I did say myself that really what I hope each time is that it is no less secure/no more insecure than the last model/version thanks to new bugs. I do, however, hope each time that it is actually more secure - I know, I know, but otherwise I might as well just give up hope and live in a cave somewhere.

            And the hardware exploits thing is just another reason for upgrading - again, yes, there might be new ones but, really, we can't lead our lives on that basis.

            Ultimately, the problem as I see it is that, whilst new bugs (soft/firm/hard) not only may be but are introduced with each model, they have to be discovered first whereas the old ones are known. Moreover, as new ones are discovered, so long as the OS/firmware/hardware is current, there is some hope that a fix/patch might be supplied. There's no such hope for outdated kit and the known exploits will be exploited - and not only in the OS but also, as I said elsewhere, in apps that are no longer updated for a given platform because the dev/s has/have moved on to newer, more exciting versions.

            Okay, yes, that made me smile, but I wasn't thinking of hardware calculation but the abstract reality of 2+2 - and you knew/know that too ; P

            1. Charles 9

              Re: Brave New World

              "Okay, yes, that made me smile, but I wasn't thinking of hardware calculation but the abstract reality of 2+2 - and you knew/know that too ; P"

              Actually, I WAS thinking of the abstract reality, which is why I brought up gestalts (concepts that are greater than the mere sums of their parts). Abstract reality, being abstract, isn't always hard and fast.

              PS. As for the new bugs, consider the possibility they weren't accidental, meaning they're already known from day -1, with everyone else mummed on threat of an espionage charge (which even in the US can be capital).

              1. GIRZiM

                Re: Brave New World

                Ooh, no. The philosopher me wants to agree with you about the nature of Reality, but as a psychologist and German speaker, I have to say that in neither instance is '4' a Gestalt concept - albeit it can be calculated as being the result of some process, it's conceptually atomic.

                Day-minus-one bugs/exploits, yeah, well, I've given up mentioning them to people. It's hard enough getting them to understand the consequences when they're unintentional - they come up with the whole "I'm not important" argument as though that would, somehow, negate the need for alarms on their home because the burglars haven't taken a personal interest in them as people rather than simply a source of things to steal for fun and profit. How far do you get when you suggest that they might be intentional?

                1. Charles 9

                  Re: Brave New World

                  Further than you think when you realize MOST people have a Hate List, which means odds are you're on on someone else's Hate List, too. And it isn't actually paranoia when they really ARE out to get you.

                  PS. Don't think of the "4" as the gestalt but rather the "2 + 2" where in a gestalt it could end equaling "4 and something else".

                  1. GIRZiM

                    Re: Brave New World

                    And in what universe does 2+2 = 4+x?

                    As for people being willing to listen to your hate-list argument, you must be mixing with a higher proportion of intelligent individuals than I - in my experience, the vast majority of people won't even listen to that argument, they'll just start warbling on about paranoia (as if they knew anything about it themselves) and how you need to see 'a shrink' if you think everyone is out to get you (analogies/metaphors go straight over their heads).

  21. armyknife

    Absence is a feature?

    Chalk up another one to feature phones.

  22. Anonymous Coward
    Anonymous Coward

    Risk Analysis

    Don't smoke.

    Don't drink too much.

    Wear your seatbelt.

    Drive more carefully.

    Avoid unsafe vehicles.

    Be safe in bed by 1am.

    Eat properly.

    Beware of falling coconuts.

    ...

    And on page 308, be overly paranoid about Android patches.

    I'm just pointing out that some folks will be very concerned about this Android Patch issue, while puffing on their 27th cigarette of the day.

    1. GIRZiM

      Re: Risk Analysis

      Beware of falling coconuts and seagulls

    2. onefang

      Re: Risk Analysis

      You left out -

      Avoid getting anywhere near Australian animals. Except scorpions apparently, the Aussie breeds are not lethal.

  23. karlkarl Silver badge

    The only patches they ever put out in a timely fashion are those that prevent useful functionality such as being jail broken or installing custom firmware allowing us to do what we want with the hardware :(

    Something is not right here!

  24. Anonymous Coward
    Anonymous Coward

    could care less

    1. GIRZiM

      > could care less

      On an unrelated note, this turn of phrase puzzles me - because I really couldn't

  25. ecofeco Silver badge

    Anyone surprsied?

    Yeah, me neither.

  26. Wolfclaw

    Should be enshrined in law that once a manufacturer EOL's a handset and refuses to support it, it's last update should be to return it to stock Android without all the crap they installed, so Google can try and give general updates.

    1. Charles 9

      That still doesn't help if component manufacturers won't cooperate.

  27. Sssss

    BTW, what, do you mean there are actual updates for my Hauweies!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like