How long to safely use an Android phone

[FIRE 20/20]

My partner has a Samsung S10e that should get its last security update around March 2023.  Samsung has promised 4 years of security updates for this phone, and it was released in March 2019.  Pretty much every article I've read suggests that the moment a phone stops getting security updates it's dangerous to use.  It seems to me that the phone should be safe for at least a few months after the latest security update, with growing risk the older it gets.  Does anyone know the actual risk of using a phone that doesn't get security updates? 

For context, she's careful to only download apps from google's app store and only has a small number of well-known apps.  She is almost never on public wifi, and has a VPN for the rare time she does use it.  She doesn't have any credit card or banking apps on her phone, but does use it for 2-factor authentication (texting codes).  I think that's the biggest security risk, along with having her e-mail on the phone. 

Financially, getting a new phone isn't a big deal.  We've been FIREd for 3+ years and have been under budget pretty significantly each year so far.  She loves her phone and really doesn't want to get a new one.  They don't make many phones as small as hers any more and she likes the size.  The battery life is still good (she's also careful when charging and to avoid heat), and performance is excellent.  Security would be the only reason to replace her phone. 

[secondcor521]

I personally think this risk, while real, is overblown as a way to encourage people to upgrade.

The risk is that there is some security hole that (a) exists in her phone's software, (b) is not discovered in the development, testing, or 4 years of real world use by thousands of customers and hackers, (c) is discovered after that point, (d) is bad enough to be concerning, but (e) not bad enough for Samsung to offer a patch even after the 4 year timeframe.

Oh, and (f) exploited by a hacker (g) in a way that impacts her because she has some hole in her security practices which already sound well above average.

Oh, because (h) it's not publicized where she can read about it (i) before she upgrades her phone at that point due to the security risk.

Also, note that (j) the security risk of a new phone with newer, less tested and more recently modified and updated software isn't necessarily any safer - new exploitable security holes may have been introduced in the changes, and (k) more people might own the newer phones, so the economics of a hacker are better to find and exploit holes in phones with more customers.

And remember, (l) most of those sites where you read those breathless security articles probably sell ads for those newer phones, so they are incentivized to help their advertising customers sell more phones and continue to buy ads on their sites.

If you want to upgrade because you think it's more secure and you have extra money, sure.  But because of the above train of thoughts, I feel perfectly safe using older technology and generally don't upgrade for security reasons.

[Sibley]

If you're concerned, then don't use financial apps.

[dang1]

also LineageOS for the Samsung Galaxy S10e
https://wiki.lineageos.org/devices/beyond0lte/

https://www.xda-developers.com/most-popular-custom-roms-android/
"custom ROM is essentially a third-party operating system that replaces the factory-installed stock ROM or skin on your phone. Even though manufacturers like Samsung, OnePlus, and Xiaomi have done a great job of refining their Android skins, there’s still plenty of interest in custom ROM development for plenty of devices.
As soon as Google drops the source code of a new version to the Android Open Source Project (AOSP), the modding community starts working toward making the latest flavor of Android accessible to more and more devices in the form of custom ROMs. As such, there are a number of Android custom ROM distributions to choose from. If you’re itching to try out the vanilla Android experience on your shiny new Android phone or just want to breathe new life into an old device stored in your closet, but unable to pick the perfect candidate"

[RWD]

I just checked my phone and it hasn't been updated in nearly 2 years..... I found this article which seems to imply with good practices you could be relatively safe:
https://www.makeuseof.com/safe-use-phone-no-longer-gets-updates/

LineageOS could be a good choice if you want to make sure your phone stays up-to-date.

[bacchi]

Yeah, the last security patch for my phone was in 2019. I'm not worried about it. The apps I install are from established companies (banks, google, health care).

I agree with secondcor521 -- newer phones with large sales are mainly the targets. Why spend time trying to hack a phone from 5 years ago with a low (especially now) user base?

[AccidentialMustache]

The unfortunate reality is that if she sees ads on the phone, anywhere, in any app (but particularly the browser, including the browser embedded in other apps), then she's at risk, even on a still-being-patched phone. Which is about to say, "if you use the phone for more than calling, text, gps, and google authenticator." And maybe not even those, because text (or email) has folks sharing links -- click on it and suddenly you're somewhere that's serving ads, in the browser.

On the patched device, you're talking about the scope of risk being zero-days. Those are, if not rarer, certainly more expensive to acquire, either in money or time (... which since you're probably paying someone to look for them, is just money). They're worth saving to hit high-value targets (think corporate/nation-state espionage), or worth using for a massive attack where you care less about the device's owner and more about scale (think large botnet or ransomware).

When patches stop, that window opens up from "just zero-days" to "any exploit past the last update." That starts getting ugly from a risk perspective as time passes.

My personal policy is unpatched devices are fine, provided they have no useful/sensitive data. Eg, I'll happily run a windows xp virtual machine to play an old video game... but I won't do anything else there. No logging in to websites, clearly no banking or similar. Same goes for phones -- old and unpatched but still runs the sonos controller? Fine. My (real) email on that? Not fine.

[AccidentialMustache]

Yeah, the last security patch for my phone was in 2019. I'm not worried about it. The apps I install are from established companies (banks, google, health care).

I agree with secondcor521 -- newer phones with large sales are mainly the targets. Why spend time trying to hack a phone from 5 years ago with a low (especially now) user base?

Bad guys don't target "your phone model" they target the software on it, which is all but identical between different models.

[FIRE 20/20]

If you're concerned, then don't use financial apps.

She doesn't access any financial accounts in any way (apps or websites) from her phone, but her e-mail and texts are there.  Without those it's not much use. 

[FIRE 20/20]

My personal policy is unpatched devices are fine, provided they have no useful/sensitive data. Eg, I'll happily run a windows xp virtual machine to play an old video game... but I won't do anything else there. No logging in to websites, clearly no banking or similar. Same goes for phones -- old and unpatched but still runs the sonos controller? Fine. My (real) email on that? Not fine.

This is the direction I'm leaning.  I just saw that the S22 is essentially the same size, just 0.7 mm wider and 3.8 mm taller than the S10e, and it'll have 5 years of security updates.  Since I'll probably buy it  a year past its release, that should give her 4 years of use before I have to re-think this question. 

Thanks for the input everyone. 

[Paul der Krake]

Two thoughts:

- Google has been pushing as much of Android as they can onto the play store instead of the core OS, which means that you get more security updates for free. So long as you keep that up, the attack surface is considerably less than it was, say, in 2018.
- "Never use public wifi without a VPN" was good advice 15 years ago. Today it mostly just sells VPN subscriptions (often from even sketchier providers).

All this to say, unless your wife is a high-value target, relax. Just get her a new phone when this one dies.

[AccidentialMustache]

She doesn't access any financial accounts in any way (apps or websites) from her phone, but her e-mail and texts are there.  Without those it's not much use.

So everything a bad guy would need to bypass financial account security via a password reset or similar? I consider that equivalent to account access, fwiw. Then again if your financial institution likes to text you codes, if you're a high value target, the bad guys will just social engineering some $5/hr call center phone monkey overseas to do a sim swap and your security practices don't matter anyway.

- "Never use public wifi without a VPN" was good advice 15 years ago. Today it mostly just sells VPN subscriptions (often from even sketchier providers).

Yeah this. Let's Encrypt has been a huge help in getting the web pretty mostly encrypted.

[stoaX]

This is a useful topic for me since I am in a similar situation. PTF in case any other insights are posted.

[FIRE 20/20]

She doesn't access any financial accounts in any way (apps or websites) from her phone, but her e-mail and texts are there.  Without those it's not much use.

So everything a bad guy would need to bypass financial account security via a password reset or similar? I consider that equivalent to account access, fwiw. Then again if your financial institution likes to text you codes, if you're a high value target, the bad guys will just social engineering some $5/hr call center phone monkey overseas to do a sim swap and your security practices don't matter anyway.

Exactly.  These are the kinds of things I'm worried about, but not using a phone for texting and e-mail dramatically reduces their utility.  I'm not sure where to draw the line between security and utility.  My answer has varied over time, but at this point it's pretty much - use text and e-mail, don't use any banking apps, don't install unnecessary things, stay up to date on security updates, and only use public wifi with a VPN I trust.  That may or may not be a safe approach, but that's where we are not and I'm curious how much the "stay up to date on security updates" part matters. 

[zolotiyeruki]

I'm in the "keep the phone you have, and use LineageOS if you need updates" camp.  There are a number of other benefits beyond security patches.  You can install LineageOS with only the barebones of Google services, which reduces your exposure by both pushing google apps out of the system partition (better security) and reducing the number of apps that are installed (also better security).  Also, you can install a system-level adblocker, which absolutely transforms the web experience.  And if you're geeky and want to root your phone, there are tons of quality-of-life tweaks you can then do, but that's outside the scope of this discussion.

My phone (Pixel 3a) got its last update from Google just last month.  And while I'm not terribly concerned about things on the security front, I *am* seriously thinking about jumping the fence to LineageOS in the near-ish future.  My previous phone ran the equivalent of Android 7, and my Pixel is running 12.  In my opinion, five major versions of Android have precious little to show in terms of improvements to the user experience.  I wish Google would put their resources into optimizing the code they already have, rather than dreaming up new features that nobody except the most phone-obsessed tech bloggers care about.

[SquarePeg]

I know in the past there have been Bluetooth exploits where someone nearby can use it to do bad stuff on your phone. Not sure how much of a deal that is these days, but I'd say to turn off Bluetooth, NFC, and any other network protocol you're not actively using. Could help battery life too!

[Sandia]

Two thoughts:

- Google has been pushing as much of Android as they can onto the play store instead of the core OS, which means that you get more security updates for free. So long as you keep that up, the attack surface is considerably less than it was, say, in 2018.
- "Never use public wifi without a VPN" was good advice 15 years ago. Today it mostly just sells VPN subscriptions (often from even sketchier providers).

All this to say, unless your wife is a high-value target, relax. Just get her a new phone when this one dies.

I'm wondering what makes someone a high-value target? Wouldn't most people on this forum have enough assets to be to be appealing to a hacker?

[Paul der Krake]

Two thoughts:

- Google has been pushing as much of Android as they can onto the play store instead of the core OS, which means that you get more security updates for free. So long as you keep that up, the attack surface is considerably less than it was, say, in 2018.
- "Never use public wifi without a VPN" was good advice 15 years ago. Today it mostly just sells VPN subscriptions (often from even sketchier providers).

All this to say, unless your wife is a high-value target, relax. Just get her a new phone when this one dies.

I'm wondering what makes someone a high-value target? Wouldn't most people on this forum have enough assets to be to be appealing to a hacker?

A high-value target is someone with direct access to a lot of money, or a lot of information, or a lot of power.

This can be an executive at a public company, a political consultant in a political campaign, an inconvenient human rights activist, etc. There's no typical profile.

A typical upper middle class individual with single-digits millions of liquid funds doesn't move the needle. There are millions of people who fit that description, the majority are old and not particularly tech-savvy, yet you don't hear about Vanguard or Fidelity or Schwab losing their customers' money to hackers. Any brokerage firm worth anything understands that their customers are far from perfect when it comes to security, so they have multiple layers of internal safeguards. The higher the amounts, the more scrutiny transactions get. Otherwise they wouldn't stay in business very long.

[Turtle]

She doesn't access any financial accounts in any way (apps or websites) from her phone, but her e-mail and texts are there.  Without those it's not much use.

So everything a bad guy would need to bypass financial account security via a password reset or similar? I consider that equivalent to account access, fwiw. Then again if your financial institution likes to text you codes, if you're a high value target, the bad guys will just social engineering some $5/hr call center phone monkey overseas to do a sim swap and your security practices don't matter anyway.

- "Never use public wifi without a VPN" was good advice 15 years ago. Today it mostly just sells VPN subscriptions (often from even sketchier providers).

Yeah this. Let's Encrypt has been a huge help in getting the web pretty mostly encrypted.

Another way to mitigate some of this risk is to use a separate email address for all financial related activities and never, ever use that email from your phone. 

[Trying2bFrugal]

I am still at S10. Not going to update anytime sooner even when the SW update isnt going to happen. Below is what I do

- search 'pi-hole', you can set your wifi with less ad traffic but one culprit who always know how to pass is Google itself
- monitoring your activities or ads shouldnt be the concern as Google daddy anyways spy on where you go, what you do even though you switch gps, location services, data off. They sell to ad companies and thats how android get all ad traffic.

- Using Incognito mode on browser
- Use Firefox
- not opening any link from any messages
- using banking applications with updated apps
- not installing any unknown apps side loaded
- take out any unwanted permissions from applications.

- i use my office laptop with most security on for banking
- i upload all my important files on cloud, incase of any hack, i dont worry on contacts or photos and just wipe and reload the OS.
If you arent like to do Techy stuff, just back up online cloud. I use BOX (i got it when they introduced, they gave me 50 gb, which is plenty).


iphone or android - security updates are mostly after someone hacks or find loop hole or crack in current sw version.
Its always better to be on upgradable side. I usually just delay until the point where the battery doesnt hold the charge and the phone's worth is lessthan  100 on ebay or swappa. Either one, i upgrade to the latest last version.

[alsoknownasDean]

I'm running a Redmi Note 8 Pro that's likely to get its last security update in the next few months.

The end of security patches (after only three years) is a reason why I'm considering upgrading, but not the only one (flaky NFC being another).

Maybe you can run a bit longer, maybe there'll be some additional updates issued in case of some high profile zero-day vulnerability, but it's a risk profile thing.

How many OEMs only provide software updates quarterly rather than as soon as they're released? You may be OK for a little while. My last update still used an April security update.

If you're really concerned about getting a security patch the moment it's released, then you're looking at a Pixel or an iPhone. Anything else the patches go through the OEM (and potentially also the carrier) for testing.

Probably also worth going through any apps and removing those which you aren't using.

[alcon835]

I'm a bit late to this game, but as I do cyber security consulting, I figured it would worthwhile to jump into this thread as the only one to reply who seems to have knowledge of the actual security implications to an individual of not updating your phone.

I'll give away my policy right at the front: I never keep a phone past its end of life. Part of the reason I buy iPhone over Android is the longer lifespan.  Usually my phone dies before Apple stops updating it, forcing me to buy a new phone. But when my wife had her phone long enough for Apple to stop updating it, we tossed it and got her a new one.

What is the real risk to having an unpatched phone - specifically an android phone? The overwhelming majority of cyber attacks fall in the "spray and pray" category. An attacker creates an attack that takes advantage of some vulnerability and then just puts it out into the world and waits for something to hit back. This could be an advertisement, it could be a nasty website, it could come through email, or it could just hit your phone when you're out in the world connected to some random wifi. These attacks are laughably ineffective. 99.999999% of attempts fail - usually because whatever machine they're trying to get at is either patched against the attack or isn't reachable. This is more true on cell phones, where application sandboxing means one app cannot interact with another app unless you specifically allow it (the most common method of compromising a cell phone is through an application or an advertisement displayed by an application). Even then, those interactions are usually happening on the backend, so if your Chrome app is compromised it can't reach out to your mail app or finance application.

Android was actually late to the game on Sandboxing (mostly because it made advertising less effective) but if you've bought a phone in the relatively recent past your phone is relatively safe from bad apps or compromise.

That being said, the holy grail of smart phone cyber attacks is getting around that sandboxing and it happens with some regularity. Someone will find a way to get from a text message to the backend of the phone and suddenly they've "jail broken" your phone and can get to anything they want. Or someone creates an app that has a way to get around asking for permissions, or something else. There's always a more clever person figuring out ways to get around the security inbuilt to your phone. Google, Apple, Microsoft, et al spend hundreds of millions (and sometimes billions) of dollars a year paying hackers to find these exploits and tell them about them so they can fix it. It's called bug bounty programs and a subset of individuals make an extremely good living doing it.

Because of bug bounties, it's not super common to find a major exploit out in the wild without the manufacturer already knowing about it. They are out there though. As lucrative as bounty hunting is, it is still more lucrative to be a hacker and they're always going to be more clever than the rest of us. Still, the worst attacks against cell phones are usually announced after a patch has been released.

All of that background was build up for this next part: within 24-72 hours after a patch is announced for a vulnerability, hackers are sending out spray and pray attacks for that vulnerability. And while most of their attacks are unsuccessful, the successful ones come from individuals with unpatched systems.

Now, hacking a phone is not the same as hacking a computer. With a computer, Ransomware allows you to lock the user out of their machine and forces you to pay them to get access to your computer back. That doesn't work on cell phones because of sandboxing. So instead they use their malware to steal data like usernames and passwords from cell phones.

For most people, their phone is the center of their lives. Netflix, Amazon, Food apps, shopping apps, travel apps, credit cards, email...everything lives on that phone. Even if you do not access your bank from the app, if you use your email to access anything (banks, Amazon, Netflix, whatever) hackers will use access to your email to get into everything else. For instance, if I have your email, I don't need your user/pass for your bank account. Old emails will tell me the username and your email will give me everything I need to change the password. And not just bank accounts, access to email is all anyone needs to gain access to pretty much everything you and she have (unless you are one of those extremely unusual people who create a unique email for each login). If not, your bank account or paypal or venmo are at risk. Or if its just Netflix, there is an entire industry where folks steal Netflix accounts and resell them. Or Amazon, there are industries built around gaining access to Amazon accounts and using the account to buy the hackers garbage stolen stuff. Or airline and hotel travel points, or just about anything that can be used to buy something.

There are more, for as good as I am at my job, hackers are much more creative than I will ever be.

So to try and summarize, are you in any immediate danger the day after your last security update? No, not really. The risk at that point is very low. But every day you run the risk of a new attack being announced - either because it was discovered by a hacker or it was announced by Google with their latest round of patching. And from that point on you a playing risky game. Every new app you download or wifi you connect too or place you go puts you at risk of losing out on a lot.

So, yes, I would strongly advise you to buy a new cell phone once patching ends for your current model. If you are bothered by having to replace a phone every 4 years, consider making the leap to Apple where you can squeeze as much as 8 years out of a phone (and by that time, it's probably about dead anyway).

Smart phones are the center of our entire world. They are attached to everything we do, and people are not well versed enough to understand the actual risk they pose to their lives if access to the phone or the information on it gets into the wrong hands.

[stoaX]

I'm a bit late to this game, but as I do cyber security consulting, I figured it would worthwhile to jump into this thread as the only one to reply who seems to have knowledge of the actual security implications to an individual of not updating your phone.

I'll give away my policy right at the front: I never keep a phone past its end of life. Part of the reason I buy iPhone over Android is the longer lifespan.  Usually my phone dies before Apple stops updating it, forcing me to buy a new phone. But when my wife had her phone long enough for Apple to stop updating it, we tossed it and got her a new one.

What is the real risk to having an unpatched phone - specifically an android phone? The overwhelming majority of cyber attacks fall in the "spray and pray" category. An attacker creates an attack that takes advantage of some vulnerability and then just puts it out into the world and waits for something to hit back. This could be an advertisement, it could be a nasty website, it could come through email, or it could just hit your phone when you're out in the world connected to some random wifi. These attacks are laughably ineffective. 99.999999% of attempts fail - usually because whatever machine they're trying to get at is either patched against the attack or isn't reachable. This is more true on cell phones, where application sandboxing means one app cannot interact with another app unless you specifically allow it (the most common method of compromising a cell phone is through an application or an advertisement displayed by an application). Even then, those interactions are usually happening on the backend, so if your Chrome app is compromised it can't reach out to your mail app or finance application.

Android was actually late to the game on Sandboxing (mostly because it made advertising less effective) but if you've bought a phone in the relatively recent past your phone is relatively safe from bad apps or compromise.

That being said, the holy grail of smart phone cyber attacks is getting around that sandboxing and it happens with some regularity. Someone will find a way to get from a text message to the backend of the phone and suddenly they've "jail broken" your phone and can get to anything they want. Or someone creates an app that has a way to get around asking for permissions, or something else. There's always a more clever person figuring out ways to get around the security inbuilt to your phone. Google, Apple, Microsoft, et al spend hundreds of millions (and sometimes billions) of dollars a year paying hackers to find these exploits and tell them about them so they can fix it. It's called bug bounty programs and a subset of individuals make an extremely good living doing it.

Because of bug bounties, it's not super common to find a major exploit out in the wild without the manufacturer already knowing about it. They are out there though. As lucrative as bounty hunting is, it is still more lucrative to be a hacker and they're always going to be more clever than the rest of us. Still, the worst attacks against cell phones are usually announced after a patch has been released.

All of that background was build up for this next part: within 24-72 hours after a patch is announced for a vulnerability, hackers are sending out spray and pray attacks for that vulnerability. And while most of their attacks are unsuccessful, the successful ones come from individuals with unpatched systems.

Now, hacking a phone is not the same as hacking a computer. With a computer, Ransomware allows you to lock the user out of their machine and forces you to pay them to get access to your computer back. That doesn't work on cell phones because of sandboxing. So instead they use their malware to steal data like usernames and passwords from cell phones.

For most people, their phone is the center of their lives. Netflix, Amazon, Food apps, shopping apps, travel apps, credit cards, email...everything lives on that phone. Even if you do not access your bank from the app, if you use your email to access anything (banks, Amazon, Netflix, whatever) hackers will use access to your email to get into everything else. For instance, if I have your email, I don't need your user/pass for your bank account. Old emails will tell me the username and your email will give me everything I need to change the password. And not just bank accounts, access to email is all anyone needs to gain access to pretty much everything you and she have (unless you are one of those extremely unusual people who create a unique email for each login). If not, your bank account or paypal or venmo are at risk. Or if its just Netflix, there is an entire industry where folks steal Netflix accounts and resell them. Or Amazon, there are industries built around gaining access to Amazon accounts and using the account to buy the hackers garbage stolen stuff. Or airline and hotel travel points, or just about anything that can be used to buy something.

There are more, for as good as I am at my job, hackers are much more creative than I will ever be.

So to try and summarize, are you in any immediate danger the day after your last security update? No, not really. The risk at that point is very low. But every day you run the risk of a new attack being announced - either because it was discovered by a hacker or it was announced by Google with their latest round of patching. And from that point on you a playing risky game. Every new app you download or wifi you connect too or place you go puts you at risk of losing out on a lot.

So, yes, I would strongly advise you to buy a new cell phone once patching ends for your current model. If you are bothered by having to replace a phone every 4 years, consider making the leap to Apple where you can squeeze as much as 8 years out of a phone (and by that time, it's probably about dead anyway).

Smart phones are the center of our entire world. They are attached to everything we do, and people are not well versed enough to understand the actual risk they pose to their lives if access to the phone or the information on it gets into the wrong hands.

Thanks for the easy to understand explanation.

[RWD]

So, yes, I would strongly advise you to buy a new cell phone once patching ends for your current model. If you are bothered by having to replace a phone every 4 years, consider making the leap to Apple where you can squeeze as much as 8 years out of a phone (and by that time, it's probably about dead anyway).

What are your thoughts on LineageOS to keep getting security updates?

[alcon835]

So, yes, I would strongly advise you to buy a new cell phone once patching ends for your current model. If you are bothered by having to replace a phone every 4 years, consider making the leap to Apple where you can squeeze as much as 8 years out of a phone (and by that time, it's probably about dead anyway).

What are your thoughts on LineageOS to keep getting security updates?

Honestly, I have no experience with it and this thread was the first I've heard of it. Doing a quick search (their website + Wikipedia) it is an interesting project, but I would have a few concerns from a practical and security perspective:

Practically, this appears to require some additional overhead by the user for setup and maintenance. That's not a deal killer for some people, but most people cannot use computers (https://echohack.medium.com/many-people-cant-use-computers-and-why-it-should-worry-you-9e9e155dbf37) and it always worries me when a user is expected to be very hands on with anything related to security. LineageOS, if I am reading it right, does not have feature parity with Android without adding too it, which also adds some danger.

My security concerns would be a few things:

• Open Source does not necessarily mean transparent or secure - just because someone can look at code, doesn't mean they are. Most major attacks against open source projects happen by an attacker sneaking something in. This is pretty different from Android or iPhone where Google and Apple respectively have a significant number of people dedicated explicitly to stopping that from happening.
• Sideloading adds risk - adding in additional apps not natively supported and using non-managed stores (aka not Google Play or the Apple Store) opens up to a TON of risk. Most apps on third-party stores have some kind of malware in them and there isn't any governing body checking to stop that.
• I have no idea if LineageOS is sandboxed - Ideally it is, and if so then I take this back, but I haven't dug deep enough to find out and if it isn't, that is an insane security risk for a cell phone. Further, if sandboxing does exists, I would want to better understand what can break it.

I have a bit of a bias against open source applications - especially for things that are important (like my entire life on my cell phone). I also don't personally like that I have no one to hold liable if my life is taken away because of a cyber attack against my phone or a new version of the OS contains a massive attack against me due to lack of Quality Assurance. Or worse, what if they were to sell the code to a malicious third party? That happens with shocking commonality, someone will create a project, it will become popular, and a hacker or hacking group will buy the project from someone. This last bit is unlikely in this case due to LineageOS' longevity, but always a concern if times were to get tough.

In short, I haven't done enough due diligence to know if this is a good alternative or not, but my initial perspective can be seen from the above. Further, I know a lot of people in security and privacy and I don't know of anyone who uses LineageOS. That doesn't mean it's bad, but it does suggest that it's probably missing something that Android and iOS have.

[bill1827]

For most people, their phone is the center of their lives. Netflix, Amazon, Food apps, shopping apps, travel apps, credit cards, email...everything lives on that phone. Even if you do not access your bank from the app, if you use your email to access anything (banks, Amazon, Netflix, whatever) hackers will use access to your email to get into everything else. For instance, if I have your email, I don't need your user/pass for your bank account. Old emails will tell me the username and your email will give me everything I need to change the password.

I do find these claims somewhat hard to believe.

Over here services which take security seriously don't send passwords via email, so even if you're foolish enough to enable access to old emails on your phone, they won't do a hacker any good.

Financial institutions over here take security seriously and most use some sort of two factor authentication, so you need more than a user name and password to access an account.

To log in to my bank account first I need my 10 digit user number and date of birth, then either a card reader (so I need physical access to my debit card) or 3 random digits from a 6 digit passcode which will generate a text message with a code sent to my phone. That code has to entered into the website to gain access to the account. Those details are not available on my phone so won't be available to a hacker.

I suppose things could be different in the US, so you may only need a name and password, but if so that's down to the incompetence of the financial institutions.

[zolotiyeruki]

It may not be applicable to all of your banking apps, but lots of websites will happily email you a password reset link, and if the hacker has access to your phone (and therefore your email), they can get that password reset link, change your password, log into that account, etc.

[alcon835]

For most people, their phone is the center of their lives. Netflix, Amazon, Food apps, shopping apps, travel apps, credit cards, email...everything lives on that phone. Even if you do not access your bank from the app, if you use your email to access anything (banks, Amazon, Netflix, whatever) hackers will use access to your email to get into everything else. For instance, if I have your email, I don't need your user/pass for your bank account. Old emails will tell me the username and your email will give me everything I need to change the password.

I do find these claims somewhat hard to believe.

Over here services which take security seriously don't send passwords via email, so even if you're foolish enough to enable access to old emails on your phone, they won't do a hacker any good.

Financial institutions over here take security seriously and most use some sort of two factor authentication, so you need more than a user name and password to access an account.

To log in to my bank account first I need my 10 digit user number and date of birth, then either a card reader (so I need physical access to my debit card) or 3 random digits from a 6 digit passcode which will generate a text message with a code sent to my phone. That code has to entered into the website to gain access to the account. Those details are not available on my phone so won't be available to a hacker.

I suppose things could be different in the US, so you may only need a name and password, but if so that's down to the incompetence of the financial institutions.

I am not sure where "Over here" is so I'm going to assume Europe? Europe, Canada, and China are the three places whose security practices and laws I am most familiar with outside of the US. Europe especially since I have to interact with GDPR a lot, though it can vary some between countries.

Regardless, to your first point, no one sends passwords via email, but everyone sends password resets via email. I don't need your password to get into your bank, I just need your email and the ability to trigger a password rest. 

Secondly, most people reuse passwords, so if you use your password on Netflix and your bank website, then I only need to get it from a Netflix leak. Most of the world has had at least one password leaked in their life and getting previously leaked passwords is trivial. And since very few folks actually use a separate, unique password for every website it is pretty easy to get to get a password. Also, password hints often will tell you more-or-less exactly what the password is - especially if you have another version of that user's password from a leak.

Third, Account Number and Date of Birth are often trivial information to get - especially if I have access to your email. Most financial institutions will email you your Account Number at least once, and many of them do it with every email. Date of Birth is information out in the world and often posted on Facebook, Twitter, LinkedIn, etc. If not, it can still be gathered relatively easily...usually just by googling someone's name.

So I'm not sure why it's hard to believe? Email is the backup of every login. It should be the most highly protected part of your world. I highly recommend people use Two-Factor Authentication, a password manager, and a truly unique, long (25+ character) password for any email account associated with any login, website, or other part of your life. More so, I strongly recommend a Password Manager with one long nasty unique password you can remember an a unique 25+ character password for every other login.

[bill1827]

Over here is the UK.

My bank does not send password resets via email. You have to log on either via a browser or the app and use a card reader and your debit card in order to change the passnumber. An email hacker isn't going to be able to do that, he needs physical access to a bank card.

Similar security protocols are in place for my other financial accounts.

Financial institutions that I have dealt with in the UK simply do not send either account numbers or password reset information in emails. If they refer to a CC number they just use the last 4 digits of the 16 digit number as an identifier.

All my accounts use different passwords, usually fairly secure although not generally 25 digits long. I don't use social media so I doubt that anyone could find my information with a google search.

Yes, if you have a user with terrible security consciousness and a banking system with terrible security consciousness it's theoretically possible to hack an email account to access someones financial accounts, but I would surmise that most fraud uses much simpler means of access.

[alcon835]

Yes, if you have a user with terrible security consciousness and a banking system with terrible security consciousness it's theoretically possible to hack an email account to access someones financial accounts, but I would surmise that most fraud uses much simpler means of access.

Almost everyone has terrible security consciousness, and most attacks are attacks of opportunity (especially against individuals). But again, they don't need access to a financial account. There are credit card accounts, streaming accounts, hotel and airline points, and many many other ways to make money off of someone.

[FIRE 20/20]

First, thank you!  @alcon835 !  This is exactly what I was hoping for when I posted my question.  I tremendously appreciate your willingness to offer your expertise here in such a clear post. 

For instance, if I have your email, I don't need your user/pass for your bank account. Old emails will tell me the username and your email will give me everything I need to change the password. And not just bank accounts, access to email is all anyone needs to gain access to pretty much everything you and she have (unless you are one of those extremely unusual people who create a unique email for each login).

Actually, she and I both have unique e-mail addresses for "categories".  I have about 20 categories, so if someone gets my Amazon e-mail address they don't have my Banking e-mail.  When I start to get spam on one address I just change addresses, so if my Banking e-mail is compromised I can switch to Banking2 (not the real names).  I think she has more categories than I do. 

So, yes, I would strongly advise you to buy a new cell phone once patching ends for your current model. If you are bothered by having to replace a phone every 4 years, consider making the leap to Apple where you can squeeze as much as 8 years out of a phone (and by that time, it's probably about dead anyway).

Buying a new phone every 4-5 years isn't a big deal, and neither one of us likes Apple products.  We've never used them, so the UI is totally baffling to both of us.  The main reason I asked the question is that she doesn't like replacing things that she's used to and she prefers small phones.  Battery life and performance on her current phone are good, so she'd rather stick with it if it's safe.  Also, it's getting harder and harder to find good small phones but I think the S22 will work well for her.  I'm hoping for a price drop around Black Friday, or possibly next January right before the S23 comes out.  The S22 is scheduled to get 5 years of security updates, so she should be able to use it for 4+ years.