[billysielu]

This is relevant to EVs due to needing apps to charge.
It's going to become more relevant over time as phone-car integration continues.

You've probably seen the news today about Android security updates:

One billion Android devices at risk of hacking

Watchdog Which? wants Google to be more transparent about security updates for old phones

www.bbc.co.uk

More than one billion Android devices at risk of malware threats – Which? News

Just over 40% of Android users worldwide are no longer receiving vital security updates, potentially putting them at risk of malware, data loss and cyber attacks.

www.which.co.uk

I emailed my MP about this issue a few weeks back but haven't received a reply, so now it's petition time.

I have made a petition and need 5 sponsors to get it listed:
(I think once I get 5 sponsors this link will crap out and I'll have to replace it with the live link once the petition is listed)

Click this link to sign the petition:
Petition: Require phones to receive security updates for 5 years

My petition:
Require phones to receive security updates for 5 years

Legislate that phones must recieve security updates for a minimum 5 years after their UK release date.

Over 40% of Android users may no longer be receiving important security updates, potentially putting them at risk of malware, data loss and cyber attacks. Apple typically supports iPhones for around five years, and Microsoft will now continually update Windows 10 for the foreseeable future, having supported previous versions of Windows for up to a decade. People should not have to choose between using an insecure phone and replacing a perfectly good device

 

[husoi]

The interesting bit is that everybody says that China isn't safe...

 

[Wightleaf]

Have just sponsored you, good luck

 

[Duncan]

My petition:
Require phones to receive security updates for 5 years

Legislate that phones must recieve security updates for a minimum 5 years after their UK release date.

Why 5 years? Google commit to providing OS and security updates for 4 years after the release of their phones, but in practice they have issued security updates beyond that cutoff. So no big deal if you can get them commit to 5 years for security, that's no less than they do already.

The problem of course are the other manufacturers who just want to push a cheap phone out the door and never ship any updates. Are you proposing to make it illegal to sell such a phone in the UK?, because otherwise I don't see how the UK could force an overseas manufacturer to supply updates if they don't want to do that.

Oh, and your claim that Microsoft will continue to support Windows 10 mobile devices is wrong, they already ended security updates for all Windows 10 mobile devices just over 2 years after its last release.

Windows 10 Mobile, version 1709 (released October 2017) is the last release of Windows 10 Mobile and Microsoft will end support on December 10, 2019,

Microsoft to end Windows 10 Mobile updates and support in December

 

[billysielu]

@Duncan If Google said they would provide updates for 4 years I'd like the source for that - because they're certainly not doing it in practice. Android phones typically get updates for 2-3 years. All you have to do is pick a phone model and read the wikipedia page to see that. My own phone, which got me looking at this in the first place, only got updates for 2 and a bit years (Samsung S6).

Regarding making it illegal, I left it unspecified on purpose so someone who does this stuff for a living can fill in the blank. For example, a company could sell a phone and say they would provide 5 years support but then not actually do so - so it wouldn't be at the point of sale that they broke the law, it would be some time later and there'd need to be a way for the consumer to deal with it.

The Windows 10 thing is from the Which article, I think it's talking about Windows 10 desktop. Windows mobile is a good example of consumers getting screwed because this law was not in place.

 

[HandyAndy]

Ditto sponsored you. Best of luck!

 

[Duncan]

@Duncan If Google said they would provide updates for 4 years I'd like the source for that - because they're certainly not doing it in practice. Android phones typically get updates for 2-3 years. All you have to do is pick a phone model and read the wikipedia page to see that. My own phone, which got me looking at this in the first place, only got updates for 2 and a bit years (Samsung S6).

Regarding making it illegal, I left it unspecified on purpose so someone who does this stuff for a living can fill in the blank. For example, a company could sell a phone and say they would provide 5 years support but then not actually do so - so it wouldn't be at the point of sale that they broke the law, it would be some time later and there'd need to be a way for the consumer to deal with it.

The Windows 10 thing is from the Which article, I think it's talking about Windows 10 desktop. Windows mobile is a good example of consumers getting screwed because this law was not in place.

Google provide 4 years updates for all of their phones, though they actually state it as a list of end dates for the various devices. See Learn when you'll get Android updates on Pixel phones and Nexus devices - Pixel Phone Help

Google have since 2018 required a minimum number of security updates (2 years, wow!) on new Android contracts but there's not a lot they can do retrospectively.

The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.

Google mandates two years of security updates for popular phones in new Android contract

Phones can’t go more than 90 days out of date on security.

www.theverge.com

I still think if you want updates for a Samsung device then Samsung should be the first port of call.

 

[billysielu]

@Duncan forgot to respond to "why 5?": Essentially it's just a judgement call. We want phones to receive security updates for their entire lifespan. Many people have contracts so get a new phone after 2 or 3 years - which of course lines up with the current 2-3 years support they receive. For people who buy their phones outright, they'll be replacing the phone when something else goes wrong with it - e.g. need more storage, need 5G, battery is failing, etc. My feeling is this tends to happen around the 5 year mark, but of course there'll be people using phones beyond that.

The opposite force is how reasonable it is to ask phone companies to support old devices. I'm a software engineer supporting a system I wrote 10+ years ago and it's a genuine struggle. Even when it's officially supported, quality inevitably drops because it's so difficult to do, knowledge leaves the company, etc. This is why I didn't say something longer, e.g. 10 years, instead.

Edit:
It's also the benchmark that Apple already set. It's tough enough taking on Google without taking on Apple too.

 

[billysielu]

@Duncan Those dates work out as 3 years, not 4.
For example, Pixel 4 was released October 2019, security updates end October 2022. That's 3 years.
But look at the wording: "Pixel phones get security updates for at least 3 years from when the device first became available on the Google Store in the US."
This is why I specified UK, because most things don't launch worldwide on the same day.
It's good that they're upfront about what their support is though, most don't even do that.

Legit point about whether it's Samsung or Google who's responsible.
I intentionally didn't specify it, because from the consumer's perspective it doesn't matter.
However, seeing as Google write the software and Samsung tweak it and release it, I'd imagine most security patches would involve them both.

Edit:
Also considered the difference between release date and purchase date. I chose release date because it's easier.

 

[Slammer]

Legit point about whether it's Samsung or Google who's responsible.
I intentionally didn't specify it, because from the consumer's perspective it doesn't matter.

Fair enough but Google cannot do (core) security updates to Samsung devices. Same way as Google/Android is not going to fix your AndroidAuto issues, your car manufacturer would have to.

 

[andrew*debbie]

Vote with your £££'s and only buy Android One phones. All Android One phones get at least two years of system updates and at least three years of security updates. The updates roll out far faster than most.

For example, my Nokia 7 plus just got the 1 Feb 2020 security patch a few days ago. It is also got an update to Android 10.

Android One: Secure, up to date and easy to use.

Android One phones have the latest AI-powered innovations and security protections. Enjoy a smart, secure software experience designed by Google.

www.android.com

Android One - Wikipedia

en.wikipedia.org

 

[andrew*debbie]

Legit point about whether it's Samsung or Google who's responsible.

Samsung. Samsung will get a drop from Google and then have to add their changes and test before releasing an update.

 

[billysielu]

@andrew*debbie I like Android One. The speed of updates being rolled out is important. But this petition is only about the length of security updates.

You said they offer three years of security updates, I went to the link to try and confirm that...
(presumably again it's from release date, but nowhere does it say)

The Android One page does not say how long it offers security updates for.

That Android One page does the classic thing of putting asterisks and never explaining what it means.
"With monthly security updates** and Google Play Protect integrated, Android One phones are among the most secure. "

Wikipedia says 3 years, but the source isn't Google.

So I'm no wiser.

 

[Duncan]

@Duncan Those dates work out as 3 years, not 4.
For example, Pixel 4 was released October 2019, security updates end October 2022. That's 3 years.
But look at the wording: "Pixel phones get security updates for at least 3 years from when the device first became available on the Google Store in the US."
This is why I specified UK, because most things don't launch worldwide on the same day.
It's good that they're upfront about what their support is though, most don't even do that.

Legit point about whether it's Samsung or Google who's responsible.
I intentionally didn't specify it, because from the consumer's perspective it doesn't matter.
However, seeing as Google write the software and Samsung tweak it and release it, I'd imagine most security patches would involve them both.

Edit:
Also considered the difference between release date and purchase date. I chose release date because it's easier.

Thanks, yes you're right, I evidently have problems counting up to three. Google's launches for phones are actually pretty good at least as far as the UK is concerned they ship at pretty much the same time as the US.

As for who ships the security fixes, if it's part of the OS then it's the manufacturer has to ship it. However, a large part of Android actually isn't baked into the OS itself and over the years Google has moved more and more of the api out into libraries. In that case the updates come direct from Google but because they're not tied to a specific device they also keep coming for as long as your version of Android can take them.

I think you have a legitimate concern that Google can't control its ecosystem the way Apple can but I think they recognise that and are trying to make it better. I don't see that legislation would help.

 

[John Kendrick]

The trouble with updates is they can break the 'apps' which don't always get updated.

 

[The Witchfinder]

I still think if you want updates for a Samsung device then Samsung should be the first port of call.

This. Samsung in particular are terrible for adding bloat and tinkering with Android. It's why I've given up buying anything that isn't a Pixel.

 

[Duncan]

The trouble with updates is they can break the 'apps' which don't always get updated.

Two types of update: security fixes are what this petition is about are unlikely to break much unless it the app was doing something it really shouldn't have been doing. Updating to a more recent version of the OS is the one that is most likely to break old code.

An example where an OS upgrade broke things because it fixed a security hole (note they only made the change in the OS upgrade because it was breaking): the company I work for produces an app that pairs with a bluetooth device. In Android 10 this stopped working because pairing with any bluetooth device now requires permission to get the user's precise location. So now we have to request a permission that most users won't understand why we need it.

 

[billysielu]

Although I'd imagine being on an out of date Android version sometimes means an app you want can't be installed at all.

 

[andrew*debbie]

Wikipedia says 3 years, but the source isn't Google.

So I'm no wiser.

Hmmm. The text is gone from the latest Google Android One webpage. As far as I know it still applies. You'd have to dig down and look at what comes with the individual One phones. I looked at three and all have 3 years of updates.


Nokia 7.2:

Nokia 7.2 mobile

Take stunning photos with Nokia 7.2 and its triple camera setup, featuring a 48 MP main camera and Zeiss Optics. Then add your own creative twist to your photos with ZEISS bokeh effects. Plus, enjoy real-time HDR conversion for videos you watch on-the-go.

www.nokia.com

Ready for Android 10
A phone that keeps getting better with time. Thanks to the latest Android 9 Pie experience you can look forward to 2 years of Android upgrades and 3 years of security updates

and from the older 7 Plus (mine)

Nokia smartphones get 2 years of software upgrades and 3 years of monthly security updates.

It probably is from release date, not purchase date. Phones that shiped with Pie will likely get Android 10 and 11 and security upgrades for one year after 11 drops. That is just a guess. There might be better information on XDA forums.


Spot checking Motorola One Vision:

Motorola One Vision | motorola UK - motorola UK | Android phones & Razr

To help keep your information private, motorola one vision comes with the security of Android 9™ Pie, the latest Android operating system.

www.motorola.co.uk

Secure and up to date
Enjoy three years of monthly security updates, plus guaranteed software upgrades to the latest version of Android One.

 

[billysielu]

Petition is now listed, the link is:

Petition: Require phones to receive security updates for 5 years

Legislate that phones must recieve security updates for a minimum 5 years after their UK release date.

petition.parliament.uk

Please sign, share, etc.