Too many perfectly usable phones are put into a questionable security situation by lack of vendor support for keeping key software up to date.

But what’s the actual risk of using an Android phone on a stock ROM without updates? What’s the attack surface?

It seems like most things that’d contact potentially malicious software are web and messaging software, but that’s all done by apps which continue to receive updates (at least until the android version is entirely unsupported) eg. Webview, Firefox, Signal, etc.

So are the main avenues for attack then sketchy apps and wifi points? If one is careful to use a minimal set of widely scrutinised apps and avoid connecting to wifi/bluetooth/etc. devices of questionable provenance is it really taking that much of a risk to continue using a device past EOL?

Or do browsers rely on system libraries that have plausible attack vectors? Perhaps images, video, font etc. rendering could be compromised? At this point though, that stack must be quite hardened and mature, it’d be major news for libjpg/ffmpeg to have a code-execution vulnerability? Plus it seems unlikely that they wouldn’t just include this in webview/Firefox as there must surely be millions of devices in this situation so why not take the easy step of distributing a bit more in the APK?

I’m not at all an Android developer though, perhaps this is very naive and I’m missing something major?

  • Hemingways_Shotgun
    link
    fedilink
    English
    arrow-up
    30
    arrow-down
    1
    ·
    1 year ago

    To be fair, unless you’re using some incredibly obscure phone, chances are a ROM exists to keep it up to date long after the manufacturer has walked away from it.

    I realize not everyone has the know how to install one, but if they’re concerned, it’s not hard to find someone who does. (we’ve all got techie friends, and if you don’t, that means it’s YOU).

    Heck, my pixel 2XL was updated to the newest Android version up to last year thanks to the Pixel Experience ROM. Would likely still be updated if I hadn’t finally upgraded.

    • andreluis034@lm.put.tf
      link
      fedilink
      English
      arrow-up
      21
      ·
      1 year ago

      You can update your phone with custom ROMs, but it won’t update the closed source components of it(device drivers, bootloader, etc…). If a vulnerability is found in one of those components, it’s unlikely that it will get parched

      • TWeaK@lemm.ee
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        I think those kind of vulnerabilities are pretty rare, though. If one is discovered while the phone was in widespread use, then hopefully it will have been patched, but after that attention will be focused on finding exploits to newer, more popular phones.

        Really, most of the things you need to worry about are in the software, so updating that with custom ROMs should fix the vast majority of potential issues.

        • andreluis034@lm.put.tf
          link
          fedilink
          English
          arrow-up
          9
          ·
          1 year ago

          I think those kind of vulnerabilities are pretty rare, though.

          Not really… If you go read the security bulletin from google, you will see every month that there are a couple of issues fixed on closed source components https://source.android.com/docs/security/bulletin/2023-07-01

          Also vulnerabilities related to kernel code, I highly doubt most ROM “developers” are actually backporting security fixes for that specific device’s kernel branch/source.

    • ffolkes@fanexus.com
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      The vast majority of Android phones in the USA are locked. It has been impossible to upgrade the ROM on any flagship Galaxy for the better part of a decade here, and the few times it is possible, it’ll also trip Knox and disable important features permanently.