Android - updates and security questions

Associate
Joined
13 Mar 2003
Posts
1,331
Location
location,location
I need to buy a new phone. My current phone is a Wileyfox Swift 1:o and its version of Android is too old for some apps now. I have been thinking of replacing it for a couple of years now but every time I start looking into it the market seems too complicated.

A major aspect I don't understand is security and Android updates. I have only ever used my phone for unimportant things where security hasn't really been an issue. However, now a lot of banks are pushing apps or some banks are purely app based. If using a phone for banking I assume I need to pay more attention to security in the same way I would accessing bank sites on my PC?

I don't want to pay a lot for a phone as my use is limited. At the more budget end of the market it seems that you are lucky to get 2-3 years of updates from phone launch so unless you buy it as soon as it is released that could only be 18 months.

The other aspect to security is how trustworthy the companies are when it comes to some of the Chinese brands.

So far I have looked at Nokia who offer reasonable updates but the hardware is often poor compared to the competition, Motorola are a bit better on the hardware but seem to have a poor reputation for updates and then there are the Chinese brands like Xiaomi/Poco etc who offer bargain hardware but unclear updates and questions over data collection.

Other than that it is premium brands like Apple, Google and top end Samsung which are too expensive for my usage.

Am I worrying too much about security? Is a bank app on a phone vulnerable to security issues with the OS or would it be more self-contained and secure in itself?

thanks
 
Associate
Joined
22 Nov 2012
Posts
479
Of all the phones I've had... different brands including Motorola, Samsung, Lenovo, Huawei, network branded... the one getting the most updates is my current and 2 yr old Xiaomi that cost £140 and I'm expecting a further update to Android 12 in the summer.
 
Soldato
Joined
24 Jun 2021
Posts
3,628
Location
UK
Android phones tend to stop updates after 2-3 years, which is a typical contract length. Samsung are trying to do better than that, but we'll see. Apple do 5 years.

I have made the argument before about how this results in many insecure devices which is a national security risk, and loads of e-waste from people replacing perfectly good hardware which conflicts with climate targets. Not enough people seemed to care because they've gotten used to regular upgrades.

The main issue with bank apps on your phone is you can lose your phone. It's much easier to get physical access in general. I personally don't do banking on my phone because I always have a PC available so there's no need to risk it.

I don't really think the security updates are anywhere near as important as preventing physical access. However the usual rules about not visiting unfamiliar sites, opening random files, etc. all apply on phones too.

I take your point about Chinese brands, but I don't really think any Android phone is any more trustworthy as Google track everything you do anyway. Because you can't tell - you always have to assume your phone isn't entirely under your control. The way Microsoft is going, this is becoming true for PC also.
 
Soldato
Joined
11 Oct 2009
Posts
16,591
Location
Greater London
One good thing these days is some of the security updates come from the Play store itself, called Google Play system update. They're decoupled from the OS and are monthly, although this only benefits phones running Android 10 and above. Security updates that require deeper changes still depend on OS updates however.

I would worry more if you do install apps outside the Play Store, but even then, sometimes there are dubious apps on the store itself (which do eventually get caught and removed by Google). If you stick with the more reputable apps and avoid random links/files then you'll be mostly fine with a slower security schedule.
 
Associate
Joined
2 Jul 2019
Posts
2,427
I've thought about this too, but ultimately came to the conclusion that I'm not interested in paying £20+ a month just so I can app stuff. I'm sure there'll be a day where it will be a requirement to have a "good" phone, but I can't see Windows/browser banking going anywhere for a long time, besides there's Linux if you don't want the Windows environment as well as Proton email etc.

The biggest gripe for me is the potential of losing the phone, even with tracking and being able to secure it, I'm still back to the issue of cost of replacement.

I know of people who have no internet and yet get along just fine. Each to their own.

In regards to banking apps, if your OS is too old they won't work, not sure on the reason, but you'd expect it is due to security.
 
Associate
OP
Joined
13 Mar 2003
Posts
1,331
Location
location,location
Thanks for the replies. I ended up getting a budget Motorola. It is a big upgrade over what I had and I am sure it will be good enough for me for a few years. I was very tempted by a Xiaomi that was on offer and would have been better hardware.

I ended up being not too worried about frequency of updates from Xiaomi but I did see some claims that they run aggressive data harvesting and this is why they can sell the phones so cheap. I just decided that I didn't want to spend too much time figuring out how to turn that off if it is possible.

I am also uneasy about having banking access reliant on something that is carried all the time and could be lost or stolen. However, phone app banking seems to be the way the sector is going and often app based banks are offering better deals. I don't understand why any bank that has an app couldn't also offer web access. I would have thought it wouldn't be much extra cost to them.

I also noticed that many bank apps are available for versions of Android that no longer have security updates? Does this mean that the banks are confident their apps are safe even on old unsupported versions of Android?

I did wonder whether to have a spare phone kept at home just for banking and similar use and another for everyday carrying use. I don't know whether tablets can run these apps or whether they need a sim installed.
 
Soldato
Joined
18 Oct 2002
Posts
10,222
Location
7th Level of Hell...
You appear primarily worried about the security risk of losing your phone.

How long have you had your previous phone and not lost it? It's a possibility, sure, but is it likely if you're careful?

Also - yes, buy a tablet or spare phone for home banking use. They don't need a SIM for banking, just WiFi will work.
 
Soldato
Joined
11 Oct 2009
Posts
16,591
Location
Greater London
> I also noticed that many bank apps are available for versions of Android that no longer have security updates? Does this mean that the banks are confident their apps are safe even on old unsupported versions of Android?

They want to keep their apps available for as many users as possible, not everyone will be upgrading their phones every couple of years (like you have). Some will hold onto it for a very long time. Google used to publish version share numbers but they haven't for a while, but Statcounter shows Android 8 still has a sizable userbase: https://gs.statcounter.com/os-version-market-share/android

Some banking apps do take it further though requiring the phone to pass SafetyNet API. This is just to make sure the phone is not rooted or anything, so if malware does somehow get through and break this, the app will refuse to run.
 