21

Background

Quite a few software developers offer special "long-term support" (LTS) or "extended-support release" (ESR) editions of their products. You install the product once and get security updates for up to ten years, without having to upgrade to the next major version of the software.

Here are some examples: You can install one version of Firefox ESR and then get security updates for that version for about a year. Or you can install one version of Ubuntu LTS and then get security updates for that version for five years.

Unfortunately, Google doesn't offer a special long-term support edition of Android. Security fixes get backported to your device's Android version until Google stops backporting them. These patched Android versions get built into new firmware images for your device until your device manufacturer or third-party ROM builder stops building new images.

(For example, it looks like Android 6.0.1 "Marshmallow" is still getting security fixes. The latest versions of Android 6.0.1 are android-6.0.1_r56 through android-6.0.1_r63. Each of these eight Android versions was released on the same day: on Aug. 1, '16. Each of the eight was designed to support a different set of Nexus devices. Device makers can pick any of the eight and then port it to other Android devices. As of this writing, it looks like Android 5.1.1 "Lollipop" may also still be getting security fixes. The latest version is android-5.1.1_r38, which was released July 19, '16; it may also be known by the build code LMY49M.)

iOS

Apple tends to support iOS devices for three to five years after their initial release. (Source.) They ship both new features (which slow down your device, thereby encouraging you to upgrade) and security updates. But I want a device which is more open and expandable than an Apple device.

My question

If I'm buying an Android cellphone today, and I want to get security updates for it as many years as possible, how should I choose?

(Monthly security updates are nice, but today I'm not asking about monthly security updates. My question is not about which Android phones get security updates the most frequently. Instead, it's about which Android phones get security updates for the greatest number of years after purchase — even if I must wait six or twelve months between updates.)

Please don't recommend a specific make and model of mobile phone and leave it at that. Such an answer would be useful to readers today, but not to readers who view this question a few years from now. Instead, please tell me how to compare products myself. How important is it for me to choose a best-selling device? Does it matter whether I buy a midrange phone (US$100-$200 with no contract) or a high-end phone ($600-$800 with no contract)? Must I choose hardware from manufacturers who get their drivers into the Linux kernel, and if so, which manufacturers are these? What other criteria should I use in order to make my choice?

Please assume that I'm willing to download and install custom ROMs in order to get security updates, but that I'm not willing to compile anything myself.

I know that you can't predict the future with perfect accuracy. Please just try your best.

20
  • That's a hard question to answer. Almost all of the mobile OS vendors out there are not after providing the customer with the latest security fixes; they are after how to get you onto the new OS in such a way that you will spend some money to get the new features on a new model device. Most vendors don't even move two major versions up on older devices (with the exception of Nexus). Having said that, there are a few choices which may be useful: BlackBerry's Android platform, Samsung's Knox, and potentially Google's own Nexus devices. I am interested to know what other opinions come forward.
    – yetdot
    Commented Aug 25, 2016 at 12:14
  • I recommend having a look at the models supported by CyanogenMod. It's probably the best you get with long-term support, and you will also notice that there are vendors which are heavily supported while others are not. Commented Aug 25, 2016 at 12:19
  • @SteffenUllrich: If I'm considering one certain device, how can I tell whether CyanogenMod is more likely to support it for six months or for five years? Commented Aug 25, 2016 at 12:23
  • I am interested in this answer too, the minimal research I have done indicates: a) support isn't OS release specific, rather is device specific, because the vendor sells the device and so has warranted responsibility b) Google seems to have the best track record for device vendors with the Nexus line, promising updates for 18 months after last sale date of the device, though have more digging to do
    – Jonah B
    Commented Aug 25, 2016 at 12:24
  • @AndyYan: Oh. I just looked into the matter. Nobody has ever been able to even root the BlackBerry Priv, let alone develop a third-party ROM for it. :( Commented Sep 11, 2016 at 3:31

7 Answers

7

The Dutch consumer organization retests their smartphones periodically for updates: https://www.consumentenbond.nl/acties/updaten/ruim-een-derde-smartphones-heeft-sterk-verouderde-veiligheidsupdate

The list is basically: the Google Nexus/Pixel phones (~3 years), Nokia / HMD Global, last (& this...) year's flagship Samsung (~1.5 years), this year's flagship Sony Xperia.

(These phones had the February 2018 update at the beginning of March.)

In the meantime iDevices are updated for up to 5 years (4 years + security updates until the next iOS). This makes them cheaper year-over-year over the lifetime of the phone. Please see the "Depreciation" and "Sources" worksheets in this Google Sheets workbook.

4
  • That Google Sheets workbook you linked to is impressive. Who's created it? Commented Jan 6, 2020 at 10:48
  • I posted my own spreadsheet
    – Henk Poley
    Commented Jan 6, 2020 at 15:24
  • Did you create it, and start maintaining it, just because I posted this Stack Exchange question? Commented Jan 7, 2020 at 17:45
  • It is my own spreadsheet. I created it a few years ago. At first mainly to track Android phones to recommend to my family. Then I added an iPhone and was like 😯 about the difference in depreciation cost.
    – Henk Poley
    Commented Jan 8, 2020 at 15:28
3

Modular may offer official long-term support

Not quite ready today are modular phones, like that for Project Ara. Be aware that the schedule for modular phones has already slipped by years, so I would still treat the dates as questionable. Due to their modular nature, the expectation is that they will continue to be supported for a long time.

Update: Project Ara was nixed not long after I wrote this answer. VentureBeat has a story on Project Ara and the difficulties with modular phones.

Unofficial support

Without official support, you are basically trying to predict the future about what phones will have a sufficiently enthusiastic user base to support the phones. There are no simple hardware or price based criteria you can use to do this.

If you want something today, I would recommend a Nexus device. The guaranteed updates aside, these seem to have enough of a following in the community that there are custom ROMs available years after the official support has ended. Don't expect updates to be released in a timely manner, however, because people are basically supplying this out of their volunteer time. I have a Galaxy Nexus (maguro), for example, which was released in 2011. The latest maguro Cyanogenmod releases are:

  1. cm-13.0-20160820
  2. cm-13.0-20160816
  3. cm-12.1-20160719
  4. cm-11-20150626

I was surprised to see an update to the 12.x line last month because it had been so long since the last update. I ended up reverting to the 20150626 build for development purposes because video on 12.x had problems, so also be aware that the custom ROMs can't work magic with less capable hardware.

Having unusual hardware has not dissuaded motivated volunteers from continuing to support the Galaxy Nexus, which has an unusual Texas Instruments processor. There were rumors that Google dropped support relatively early because of this.

Short of maintaining the device yourself or paying someone to maintain it for you, you have to guess.

5
  • +1, because this is useful information for other readers. But it isn't useful for me. I want a device with a certain uncommon built-in hardware component, and none of the Nexus devices have ever included this component. Commented Aug 29, 2016 at 5:25
  • Let me quote, again, from my original question. Commented Aug 29, 2016 at 5:25
  • "Please don't recommend a specific make and model of mobile phone and leave it at that. [...] Instead, please tell me how to compare products myself. How important is it for me to choose a best-selling device? Does it matter whether I buy a midrange phone (US$100-$200 with no contract) or a high-end phone ($600-$800 with no contract)? Must I choose [a phone with a SoC made by hardware makers] who get their drivers into the Linux kernel, and if so, which manufacturers are these? What other criteria should I use in order to make my choice?" Commented Aug 29, 2016 at 5:26
  • Because this answer is useful to others, it's worth keeping. But it would be most excellent if you could please provide information which would be more useful to me. Stack Exchange allows you to post two answers to one question; perhaps you could please add a second answer which would help me more. Commented Aug 29, 2016 at 5:31
  • Bear in mind that Cyanogenmod is now discontinued, and all support is going into LineageOS. There is no way of swapping between the two save for a total reinstall atm.
    – 520
    Commented Jan 13, 2017 at 15:49
3

Other answers mention that aftermarket distributions can provide you with security updates. This is only true to some degree. They usually integrate low-level code (proprietary blobs) from the manufacturer, and those parts don't get updates after support from the manufacturer ends.

The same is true for firmware bugs of hardware components. (e.g. Broadpwn)

postmarketOS tries to solve those problems with a GNU/Linux distribution for phones and open source firmware.

2

Your best option would be to buy a Google Nexus phone. Because Google is Android's developer, Nexus phones get updates first.

An example of their updates is the Stagefright patch. The oldest phone that got the security patch was the Nexus 4. The phone was released in 2012 and still got the update. Nexus phones which did not get the update from Google got it from third-party ROM developers — Google's phones seem to attract developers.

At the time of writing, the latest Nexus phone is the Nexus 6P.

List of end-of-support dates for Google phones:

  • Nexus 6P September 2017
  • Nexus 5X September 2017
  • Nexus 9 October 2016
  • Nexus 6 October 2016
  • Nexus 5 October 2015
  • Nexus 7 (2013) July 2015
  • Nexus 4 November 2014
  • Nexus 10 November 2014
  • Nexus 7 (2012) June 2014

Security patches aren't guaranteed to end at these dates, but it's very possible that they will.

(Source)

List of patched vulnerabilities pushed out via OTA to Nexus devices (stagefright):

  • CVE-2015-3873
  • CVE-2015-3872
  • CVE-2015-3871
  • CVE-2015-3868
  • CVE-2015-3867
  • CVE-2015-3869
  • CVE-2015-3870
  • CVE-2015-3823
  • CVE-2015-6598
  • CVE-2015-6599
  • CVE-2015-6600
  • CVE-2015-3870
  • CVE-2015-6601
  • CVE-2015-3876
  • CVE-2015-6604

(Source)

6
  • This answer is useful because it points out "Google's phones seem to attract developers". But the rest of the answer is a bit confusing. There have been multiple vulnerabilities found in libstagefright over time, and your answer doesn't say whether the Nexus 4 got an update for one, some, or all of these vulnerabilities. Commented Aug 29, 2016 at 5:24
  • @unforgettableid Hopefully my edit clears up some things.
    – jan
    Commented Aug 29, 2016 at 9:29
  • -1. Your post is still confusing. The "Stagefright bugs" are an ill-defined set of security vulnerabilities, not all of which were found in libstagefright. Providing a long bulleted list of CVE identifiers lengthens your answer and doesn't really clarify much; you can just link to the list. Your answer, in general, needs improvement. Please read over your answer again, slowly, at least once. Please work on your grammar, clarity, and formatting. Commented Sep 6, 2016 at 6:21
  • @unforgettableid You asked what kind of phone to buy, not which exploits were found or patched. Then "your answer doesn't say whether the Nexus 4 got an update for one, some, or all of these vulnerabilities". I listed all of the Stagefright-related updates Nexus devices got (after you asked for it). And not to mention that the source I provided is an official list of all Nexus security updates (it's a subthread). And I would like to ask you to clarify your comment on how I would improve my answer. I've read through it.
    – jan
    Commented Sep 6, 2016 at 9:43
  • Besides grammatical mistakes (which I did not find; I'm not a native speaker) I don't see how this doesn't answer your question on which phones get security updates for the longest time.
    – jan
    Commented Sep 6, 2016 at 9:44
1

Regarding stock Android, the manufacturers that are currently most vigilant about updating their latest models' OS in a timely manner are Google in its Nexus collaborations and Motorola in its Moto line.

After the manufacturers end their updates, the community continues to produce custom ROMs for popular models. Perhaps the widest set of custom ROMs, CyanogenMod (CM), still supports old devices such as the Galaxy S2, albeit with some limitations. The ability to support old models depends strongly on the release of source code by the manufacturers, and (with some exceptions) it seems that source code for Snapdragon devices is released more often than source code for Exynos devices.

A list of devices from major vendors supported by the latest CM version (13) can be found here; it can give you some perspective on how devices are supported by the community in the long term.

Combining these two perspectives I would say that Nexus devices provide the best short term stock support. However, you can often find flagship phones with better specs that will have the same long term community support. You may want to avoid Exynos devices, though.

1

Go for a flagship device instead of a mid-range or low-range device. Flagships (and some other popular models) generally tend to be supported by the community for a long time. I have a Samsung Galaxy S3 (d2tmo) that came out almost 4.5 years ago and it is still supported by CyanogenMod. It was released with Ice Cream Sandwich and has now been upgraded to Marshmallow thanks to CM. Ultimately, community support depends on the number of active users.

1

Google has released a statement somewhere that they will only officially provide support for 2 years for their Nexus phones, and that's the best you can get with stock.

If you are willing to roll with custom ROMs, I think that getting a phone with a chipset from a manufacturer with a good track record of providing drivers for recently released Android versions is a good bet. Qualcomm is still providing recent kernel drivers for all Snapdragon 6xx-8xx chips for Android 6.0, for example, which gives communities like the XDA forums something to build custom ROMs on for all phones sporting those chipsets. Also pick a brand/manufacturer that allows bootloader unlocking, e.g. Sony or Motorola. A locked bootloader severely hampers the community in making custom ROMs, as it forces them to create exploits or workarounds on the device, making it potentially unstable to use.

But my advice is: just pick the best phone which ticks most of your boxes and live with it till it breaks. I think Android is pretty secure as is.
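Two of the answers above make points you can only verify on the device itself: the postmarketOS answer notes that community ROMs inherit proprietary blobs and firmware that stop being patched when the manufacturer walks away, and the answer directly above says to prefer a brand that allows bootloader unlocking. The script below is an added example, not code from the question or from any answer on this page. It reads the line format of `adb shell getprop`, compares the framework security patch level with the vendor partition's patch level, and reports whether the device advertises OEM unlocking. The property names are real Android system properties (the vendor patch level only exists on Treble devices, Android 8 and later); every value in the sample dumps is constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the question or any answer on this page.
# Audits what a candidate device actually reports, using the line format of
# `adb shell getprop`. Property names are real Android system properties;
# all values below are constructed for illustration.
#
#   ro.build.version.security_patch   framework patch level, YYYY-MM-DD (Android 6+)
#   ro.vendor.build.security_patch    vendor partition patch level (Treble, Android 8+)
#   ro.oem_unlock_supported           1 when Settings offers the "OEM unlocking" toggle

# prop NAME: print the value of NAME from a getprop dump read on stdin.
# Dump lines look like:  [ro.build.version.security_patch]: [2018-02-05]
prop() {
    grep -F "[$1]: [" | head -n 1 | sed 's/^[^]]*\]: \[//; s/\]$//'
}

# yyyymmdd DATE: turn 2018-02-05 into 20180205 so two levels compare with -lt;
# prints nothing if DATE is empty or not a well-formed patch level.
yyyymmdd() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) ;;
    esac
}

# audit_patch_levels: classify a getprop dump read on stdin.
#   NO_FRAMEWORK_LEVEL  no patch level string at all (Android 5 and older)
#   NO_VENDOR_LEVEL     no vendor level: pre-Treble, so the device cannot tell
#                       you whether blobs and firmware were ever re-patched
#   VENDOR_LAG          vendor level older than framework level: the ROM carries
#                       newer AOSP fixes on top of stale vendor code
#   IN_SYNC             vendor level is at least as new as the framework level
audit_patch_levels() {
    dump=$(cat)
    fw=$(yyyymmdd "$(printf '%s\n' "$dump" | prop ro.build.version.security_patch)")
    vendor=$(yyyymmdd "$(printf '%s\n' "$dump" | prop ro.vendor.build.security_patch)")
    if [ -z "$fw" ]; then
        echo NO_FRAMEWORK_LEVEL
    elif [ -z "$vendor" ]; then
        echo NO_VENDOR_LEVEL
    elif [ "$vendor" -lt "$fw" ]; then
        echo VENDOR_LAG
    else
        echo IN_SYNC
    fi
}

# unlockable: YES when the device advertises OEM unlock support, else NO.
# YES is necessary, not sufficient: carrier variants can still refuse
# `fastboot flashing unlock`, so confirm on the actual unit before buying.
unlockable() {
    case "$(prop ro.oem_unlock_supported)" in
        1) echo YES ;;
        *) echo NO ;;
    esac
}

# Constructed sample dumps (not captured from real devices).
SAMPLE_TREBLE_LAG='[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-02-05]
[ro.vendor.build.security_patch]: [2017-10-05]
[ro.oem_unlock_supported]: [1]'

SAMPLE_TREBLE_OK='[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-02-05]
[ro.vendor.build.security_patch]: [2018-02-05]
[ro.oem_unlock_supported]: [1]'

SAMPLE_LEGACY='[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-08-05]
[ro.oem_unlock_supported]: [0]'

# Demonstration on the samples. Against a real device, replace the printf
# with:  adb shell getprop | audit_patch_levels
for s in "$SAMPLE_TREBLE_LAG" "$SAMPLE_TREBLE_OK" "$SAMPLE_LEGACY"; do
    printf 'patch levels: %s, unlockable: %s\n' \
        "$(printf '%s\n' "$s" | audit_patch_levels)" \
        "$(printf '%s\n' "$s" | unlockable)"
done
```

A VENDOR_LAG verdict is the concrete form of the blob problem: the ROM builder rebased on a newer AOSP tag, but the vendor image underneath still carries the last patch level the manufacturer shipped, so firmware-side bugs like the Broadpwn one mentioned above remain open regardless of how fresh the framework looks. NO_VENDOR_LEVEL is worse for a buyer, not better: it means the device predates Treble and gives you no way to tell.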
