57

I bought a brand new HTC Desire 526G with operating system 4.4.2 (KitKat). Everything is as it should be (not rooted), so it is still on factory settings.

But I haven't received any security updates for a long time. I have checked manually in System updates and it says: There are no updates available for your phone.

If I check my Android version it says: 4.4.2 & Android security patch level: 2016-01-01, but at the same time, if I go to CVE Details, I find a lot of vulnerabilities for this system.

Also, I have installed X-Ray from Duo Security to check if my system is vulnerable to any exploits, and it gave a positive result: my device is vulnerable to several of them.

What can I do in my situation? I mean, how can I update my Android device in order to protect it from publicly known vulnerabilities?

user134969
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/61065/discussion-on-question-by-user134969-my-android-phone-is-vulnerable-but-there-a). – Rory Alsop Jun 25 '17 at 18:49
  • there's a russian [blogspot](http://h526g-roms.blogspot.rs/) with a 6.0.1 fork of LineageOS... I'd say try it at your own risk (not for govt. work obviously) It was linked through [xda](https://forum.xda-developers.com/desire-526/general/lineageos-r79-htc526g-fixed-t3627193) (possibly by owner of the blogspot) and the comments were active today. – Aaron Jun 26 '17 at 21:19
  • Once your phone is out of warranty, I'd put CyanogenMod on it. I've used it on a number of old phones, like Galaxy S2/S3s, and it's a great replacement. – stacey Jun 26 '17 at 19:03

3 Answers

60

You are essentially asking what to do if you are using software which is known to be vulnerable but where no updates are available. This is a problem not restricted to Android phones but you'll find it everywhere, for example in IoT devices like routers or cameras but also with software on the PC which only get support for a limited time.

The answer should be obvious: either replace the software (or device) with one with no known vulnerabilities (and still getting updates) or reduce the risk of infection by decreasing the attack surface.

In the case of an Android phone the best option would probably be to get alternative and still supported software like LineageOS for it. If no alternative software supports your device you might need to get a new phone with still supported software and this time hopefully from a vendor known for better support.

If none of this is possible or if the costs don't match the assumed risk you could decrease the attack surface to reduce the risk of an exploit against your device. This can be done by having no network connection (neither mobile, WiFi nor Bluetooth) and removing all apps you don't really need. In case you have root on the phone you could also install some firewall on it to restrict network traffic to only a few selected apps.

Note that there is no perfect security even with supported software. How much effort and cost you invest for protection depends a lot on what you need to protect. If there are no sensitive data on the device you might accept a limited risk by using it in mobile network and maybe in a restricted WiFi network (so that it cannot be used to exploit other systems in your home network). If instead you have sensitive data on the device you should probably invest some more and get a still supported device from a vendor with fast updates.

Steffen Ullrich
  • This answer talks about costs of protection. This is probably a consumer phone. _Any_ new phone is very likely cheaper than a customized solution, unless Lineage etc. is applicable. It's one of modern society's points of failure that we need to replace perfectly capable hardware with new garbage. – antipattern Jun 26 '17 at 01:24
    "This can be done by having no network connection (neither mobile, WiFi nor Bluetooth)". It can also be done by switching the phone off. In both cases, the phone is no longer much use for anything (unless you meant no "**data** network connection - in which, a) I think you should say so; b) that's probably not what the OP bought his phone for). – Martin Bonner supports Monica Jun 26 '17 at 07:13
    @MartinBonner: I know that switching off any network traffic severely reduces the usefulness of the device although there are still uses for a non-networked small computer like an offline phone. But you might have noticed that I also showed other options like having limited access for selected apps or having access in specific WiFi networks. – Steffen Ullrich Jun 26 '17 at 12:23
  • @antipattern: the actual costs of the device vs. investing time into customizing it to reduce the attack vector depends a lot on the time, income and knowledge of the affected user. While some might rather spend money to get a better phone, others might instead invest time because they have more time than money. Or they might live with the remaining risk since there is not much value they have to lose if the phone gets compromised. – Steffen Ullrich Jun 26 '17 at 12:27
  • I see your point @Steffen Ullrich, but many phones on the market are simply not supported "out of the box" by Lineage. And starting your own branch requires a very specialized skill set, which effectively nobody has, and a lot of time. For these phones, all bets are off. – antipattern Jun 26 '17 at 15:40
  • @antipattern: If you mean by customization making new Android versions work on unsupported hardware, or even fixing the existing bugs in the existing version, then you are definitely right. Customization by removing unneeded apps and restricting existing apps with a firewall or similar is instead more doable for the average user, if at least root access is possible. – Steffen Ullrich Jun 26 '17 at 16:27
  • @steffenullrich Yes, that's what I meant. The question definitely mentions an obsolete Android and not only apps. For security issues inside the OS, a firewall can only do so much... I made the mistake of buying an unsupported Chinese phone myself and now I regret it. – antipattern Jun 26 '17 at 19:09
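As an added example (written for this page, not part of Steffen Ullrich's answer or of any Android tooling), the following POSIX shell script turns the answer's two practical steps into something you can run from a host: measure how stale the reported patch level is, then produce a dry-run plan for shrinking the attack surface by uninstalling third-party apps you do not need and, if the phone is rooted, restricting egress to a short list of apps. It assumes `adb` is on PATH with USB debugging enabled, that `getprop ro.build.version.security_patch` and `pm list packages -3` behave as on the asker's 4.4.2 device, that `/data/system/packages.list` holds `<package> <uid> ...` lines, and that the device's iptables supports the owner match; the 90-day staleness threshold is this example's own choice, and all device output below is constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original answer. Nothing here touches a device
# unless you pipe the printed commands into adb yourself; the sample data at
# the bottom stands in for real adb output so the script runs offline.

# Civil date -> days since 1970-01-01 (Howard Hinnant's days_from_civil).
# Done by hand because POSIX sh has no portable `date -d`.
days_from_civil() {
    y=$1; m=$2; d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# "YYYY-MM-DD" -> days since epoch. Leading zeros are stripped so that
# "08"/"09" are not parsed as invalid octal by the arithmetic expansion.
date_to_days() {
    y=${1%%-*}; r=${1#*-}; m=${r%%-*}; d=${r#*-}
    days_from_civil "$y" "${m#0}" "${d#0}"
}

# Age in days of a security patch level ($1) on a given date ($2).
# On a real phone: PATCH=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
patch_age_days() {
    echo $(( $(date_to_days "$2") - $(date_to_days "$1") ))
}

# Google publishes patch bulletins monthly; 90 days without one is this
# example's (assumed, unofficial) cut-off for "no longer maintained".
patch_is_stale() {
    [ "$(patch_age_days "$1" "$2")" -gt 90 ]
}

# From `adb shell pm list packages -3` output ("package:com.example.app" lines,
# third-party apps only), print an `adb uninstall` for every app not on the
# space-separated keep-list. Printing instead of executing keeps it a dry run.
plan_removals() {
    pkgs=$1; keep=$2
    printf '%s\n' "$pkgs" | sed -n 's/^package://p' | tr -d '\r' | while read -r p; do
        case " $keep " in
            *" $p "*) ;;                      # needed, keep it
            *) echo "adb uninstall $p" ;;
        esac
    done
}

# Root-only option from the answer: egress firewall that lets only the
# keep-list apps talk. Assumes /data/system/packages.list lines start with
# "<package> <uid>" and that iptables has the owner match. Output is a script
# you would review and then run via `adb shell su`.
plan_firewall() {
    plist=$1; keep=$2
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    printf '%s\n' "$plist" | while read -r pkg uid rest; do
        case " $keep " in
            *" $pkg "*) echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT" ;;
        esac
    done
}

# --- constructed sample data, standing in for adb output ---
SAMPLE_PATCH="2016-01-01"          # what the asker's phone reports
SAMPLE_TODAY="2017-06-26"          # date of the thread
SAMPLE_PKGS="package:com.example.bank
package:com.example.flashlight
package:com.example.game"
SAMPLE_PLIST="com.example.bank 10061 0 /data/data/com.example.bank default 3003
com.example.game 10062 0 /data/data/com.example.game default 3003"
KEEP="com.example.bank"

echo "patch level $SAMPLE_PATCH is $(patch_age_days "$SAMPLE_PATCH" "$SAMPLE_TODAY") days old"
patch_is_stale "$SAMPLE_PATCH" "$SAMPLE_TODAY" && echo "no updates in >90 days: reduce the attack surface"
plan_removals "$SAMPLE_PKGS" "$KEEP"
plan_firewall "$SAMPLE_PLIST" "$KEEP"
```

On the sample data the patch level comes out 542 days old, the plan removes the flashlight and game apps and leaves the bank app, and the firewall script accepts only the bank app's UID. Replace the sample strings with real `adb shell` output to plan for your own device; the default-DROP policy means anything not on the keep-list (including system services you may still want, such as time sync) loses network access, so review the keep-list before applying it.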
19

This is a pervasive problem with nearly all Android phone vendors.

I suspect (only suspicion, I'm afraid) that they do it to boost the sales of their new models. I have tried reaching out to vendors and received responses that vary from "please wait, an update is on its way" (no, it wasn't) to "we're no longer releasing updates for that old model" (if this is the case, most often the vendor simply doesn't respond).

Your options:

  • dance to their tunes, buy a new phone (repeat this every year or so)
  • if your phone supports it, put a custom OS (CyanogenMod or similar) on it (but then, how long will the custom OS support updates on your old-ish phone?)

I'm afraid we (the consumers) aren't quite the winners in this game.

Sas3
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/61083/discussion-on-answer-by-sas3-my-android-phone-is-vulnerable-but-there-are-no-up). – Rory Alsop Jun 26 '17 at 07:26
    The reason we're not the winners is two fold, not enough pressure on the vendors (if people buy phones that don't get updates vendors will sell them) and the fact that security is costly. My Samsung S6 edge is still on the latest android version and updates regularly. but I paid for that with a high upfront cost. – DRF Jun 26 '17 at 08:10
    "I suspect (only suspicion, I'm afraid) that they do it to boost the sales of their new models." - that sounds rather unlikely to me. Let's face it, most users do not really care about "technical topics" such as security updates. If anything, the fact that plenty of users buy new models (out of a sense of fashion or whatever) has, for once, a *positive side-effect* in that those users are more up-to-date security-wise than they would care to on their own. – O. R. Mapper Jun 26 '17 at 08:41
8

It's a bit late for you now (I imagine), but as an Android fan I make sure and only buy phones from manufacturers that I know provide regular security updates. In the past I've had phones that received effectively zero security updates over the lifetime of the device, and I didn't want to have to worry about that again.

To be clear, the reason this happens is because Android is an open source system used by the phone manufacturers, and there is absolutely nothing that forces them to update their phones on a timely basis. Many manufacturers make their own changes on top of the stock Android system, which means that an update isn't even a simple matter of passing along updates from Google. Instead they would have to incorporate any changes to the Android system into their own builds, verify that everything still works, and then deploy the new bundles. It can be a very time consuming and expensive process (unless the manufacturer specifically plans for it beforehand), and the fact of the matter is that most people don't care. So until there is a clear push from consumers for regular updates and better security, it isn't going to happen. To be clear, that level of consumer-driven demand is never going to happen.

Here is a (fairly) recent list of devices that actually get updates:

https://www.bleepingcomputer.com/news/security/google-publishes-list-of-42-phones-running-latest-android-security-updates/

Also, here's an article that gives you an idea of what the state of affairs looks like, and the fact that even google isn't very happy about it:

https://arstechnica.com/gadgets/2016/05/google-hopes-to-shame-slow-android-oems-with-update-rankings/

Keep it in mind the next time you get a new phone. In the meantime, the other answers here have some great tips for right now.

Conor Mancone