We wonder if using an Android device is possible even when it no longer receives any security updates. Google is not responsible for updating every Android device out there, just its own Pixel series. For other mobile devices, it is up to the manufacturer to produce and transfer updates to individual users, including security updates.
Let’s take the flagship Samsung Galaxy series devices as an example: when Google releases a new version of Android, Samsung modifies it by integrating its interface, many customizations, and additional features and then making it available to its customers. Each manufacturer releases Android updates with different timings: the supported Google Pixels, of course, are the first to receive new versions of Android.
Every Google Pixel enjoys three years of operating system updates (think major releases like Android 12, Android 13,…) and receives security patches every month. Pixel 6s and later get security updates for five years, with the support period always starting when Google releases the phone, not when you buy it.
Flagship phones and tablets made by Samsung now receive four years of major operating system updates. In comparison, cheaper devices from the same company don’t go beyond 2-3 years of support, with no specific warranties. However, each manufacturer applies its specific update policies, despite the “pressure” exercised by Google. OnePlus has promised that some smartphones introduced in 2023 will receive four significant releases of Android and five years of security patches (even if the latter are released every two months rather than monthly).
Motorola only provides 1-2 years of updates for most phones. A list of smartphones their respective manufacturers will abandon over the next few months is available at this address.
In any case, most Android devices stop receiving the significant updates (new versions of the operating system) and security patches that Google documents every month in its bulletins well before the hardware becomes unusable, for example, because it shows up a failure or becomes obsolete (e.g., because Android apps impose higher requirements…).
What Happens When Android Support Ends?
Most of the services and apps on Android devices are updated independently of the operating system. This also applies to the Google Play Store and Play Services in general. Unlike what happens in the Apple world, the central system components continue to be updated to the latest versions even when the manufacturer no longer supports the device in use.
Regarding Play Store, it still works on Android 4.4, which first appeared on the devices presented in September 2013. Indeed, with Project Mainline, further improved in Android 13, Google can force the distribution and installation of critical security patches, overcoming the “immobilization” of individual manufacturers, reducing timescales, and having the opportunity to protect many devices Unsupported Androids that are out there today and are actively used by users.
The Google Chrome browser itself, like other Android apps (unless individual developers change the requirements), updates without problems via the Play Store on all Android devices that have now passed the life cycle set by the manufacturer. We said that the Play Store still works on devices from 10 years ago: it’s not the same thing for Android apps. For example, the Facebook app requires Android 6.0 and later, and Outlook only works on Android 8.0 and later.
Usually, the “Lite” versions or web applications allow you to use the apps even on older terminals. The problem is the new security vulnerabilities discovered in Android as in any other operating system and resolved monthly by Google engineers. Indeed, critical components such as Chrome and Android System WebView are constantly updated through the Play Store (this significantly reduces the attack surface), but even today, having an Android device capable of regular security updates is the best way to be as protected as possible.
Unfortunately, Google Play Protect does not yet offer adequate protection. On Android devices not updated with the latest security patches, you should evaluate using Malwarebytes Antivirus Mobile, which offers solid protection even against apps that use dangerous permissions. To resolve the situation and get back to receiving Google security updates, documented every month in the company’s bulletin, you can upgrade Android to an alternative ROM.
To proceed, it is generally necessary to activate USB debugging in the Android Developer Options, unlock the bootloader, and install a custom recovery (this is the “service” environment which is usually activated by simultaneously pressing the power button and the “volume down” key ” ) such as TWRP and use it to replace the official manufacturer ROM with an alternative one.
The choice should always fall on the best known, appreciated ROMs that can count on an active community constantly committed to improving the product: LineageOS is one of the best known while Pixel experience is among the most “pure”; that is, they allow you to slavishly replicate the experience of using Google Pixel smartphones. By installing one of the best alternative ROMs, you will be sure to receive monthly Google security updates and thus benefit from an Android device that is always protected.
Instead, little-known ROMs and projects that are not open source should be avoided: for all the most famous alternative ROMs, the source code is promptly published and updated on GitHub. Anyone can view it, carry out in-depth analyses and ensure the source does not contain potentially harmful code. Third-party ROMs are derived from the Android Open Source Project ( AOSP) version of Android – this is the source code of the Google operating system that anyone can use to develop alternative projects.
AOSP forms the basis of Android Vanilla, which is also distributed to device manufacturers and is extensively customized by them. The AOSP version lacks Google services and applications, including the Play Store. Google’s partners enter agreements with the Mountain View company to include the Play Store and other apps in the ecosystem. AOSP is undoubtedly one of the main reasons for the success of the Android platform worldwide.
How long can I use my Android device safely? You can do this as long as the support from the manufacturer does not end. As we have seen, by replacing the official ROM with an alternative ROM, you can extend the receipt of security updates for several years. Even the alternative ROMs are not eternal: by accessing the official website of each project and clicking on the Show discontinued devices or similar boxes, you can find out which devices are no longer supported.
It is also possible to continue using an Android device that no longer receives security updates, but in this case, you will need to be even more conscientious. First, go to the About phone section of your Android settings and select Security patch level. By examining the date next to this item, you can determine when the smartphone has received the latest security patches.
If this entry is not found or you want more information, it is possible to install and run DevCheck: by accessing the System tab, you can check what is reported in the security patch entry.
As we have seen above, the latest security patches may have been received several months ago on devices no longer supported by the manufacturer. However, Google Play Services (see below on the DevCheck System screen ) will be recently updated.
Suppose you continue using an Android device without any security updates. In that case, it is essential to install apps from official sources such as the Google Play Store or the Amazon store and limit yourself to choosing only those made by known developers. It is also essential to refrain from assigning any potentially dangerous permissions, special permissions, and accessibility features.
Many Android malware like GodFather exploits them to interact with the mobile device at a low level. At the same time, it is crucial to keep the web browsers used on the device updated and a crucial component like Android System WebView used for rendering web page content within applications.