Why I'm so obsessed with phone updates...
Time after time I hear myself on-air complaining about a late or missing update to a smartphone. In the grand scheme it doesn't matter that much, surely? Why should it matter to a phone user whether their device is on 'March 2023 Android security' or err... 'April'? Or indeed 'February'?
Well, it normally doesn't. Certainly most phone users have no awareness of the security status of their devices.
The security-smart answer is that users need protecting from themselves. All operating systems have some bugs, some vulnerabilities, due to their complexity, and exploiting (and fixing) these is a perpetual game of 'whack-a-mole' played between hackers and software developers.
But if a serious vulnerability is found in Android OS, then simply visiting a booby-trapped web page or being tricked into downloading and installing something dodgy, let alone knowingly downloading 'cracked' commercial apps and games from the dark web, can leave the phone massively compromised, with data and passwords stolen, and so on.
So users need protecting from themselves, security people (like me) say. And this is absolutely true, though I do wonder in practice how many regular users actually deliberately surf dodgy waters, as it were, and get infected by something.
Unless they're very unlucky in terms of timing, it probably doesn't matter too much whether their phone's security status is bang up to date or just 'within three months of the cutting edge', which is why many companies (Motorola and Fairphone spring to mind, plus Samsung in the last year of a phone's support) are content to issue updates quarterly.
Plus, as Ted Salmon has pointed out, malicious applications are protected against to a decent degree by Google's Play System Updates (delivered through the Store), and these carry on regardless, as they're pushed directly. So this helps too, even when OS security updates run out for whatever reason.
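As an added illustration, not part of the original article: a small script that reads a phone's declared Android security patch level over adb and buckets it against the monthly versus quarterly cadence discussed above. It only looks at the OEM's own `ro.build.version.security_patch` property, which is the date you see as 'Android security update' in Settings; the separate Google Play system update level is not what this property reports, so a device can look 'stale' here and still have recent Play-delivered module fixes. The `MONTHLY_OK` and `QUARTERLY_OK` thresholds, the `classify` names and the sample property values are my own assumptions for the example.

```python
"""Added example (not from the article): bucket an Android security patch level by age.

Assumes `adb` is on PATH and a device is connected when run directly; when
imported, nothing touches adb. The sample patch strings in the tests and the
fallback value are constructed for illustration.
"""
from datetime import date
import re
import subprocess

# Assumed thresholds, in whole months behind the bulletin for 'today'.
MONTHLY_OK = 1      # this month's or last month's bulletin: effectively current
QUARTERLY_OK = 3    # the article's 'within three months of the cutting edge'

# Google's patch level strings are YYYY-MM-DD (normally the 1st or 5th).
_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-\d{2}$")


def parse_patch_level(prop_value):
    """Return (year, month) from a security_patch string, or None if unparseable."""
    m = _PATCH_RE.match(prop_value.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def months_behind(patch, today):
    """Whole months between the patch bulletin month and today's month."""
    py, pm = patch
    return (today.year - py) * 12 + (today.month - pm)


def classify(prop_value, today):
    """'current', 'quarterly', 'stale' or 'unknown' for a raw property value."""
    patch = parse_patch_level(prop_value)
    if patch is None:
        return "unknown"
    behind = months_behind(patch, today)
    if behind < 0:
        # A patch date in the future means the device clock or the property is wrong.
        return "unknown"
    if behind <= MONTHLY_OK:
        return "current"
    if behind <= QUARTERLY_OK:
        return "quarterly"
    return "stale"


def read_device_patch_level():
    """Query the connected device's declared patch level via adb."""
    out = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        level = read_device_patch_level()
    except (OSError, subprocess.CalledProcessError):
        level = "2023-03-05"  # constructed fallback so the script runs without a phone
    print(level, classify(level, date.today()))
```

Run it with a phone plugged in and USB debugging on; a quarterly-cadence device will typically sit in 'quarterly' for two months out of three, which is the article's point that a gap of that size is normal rather than alarming.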
I think there's another reason why it's important for a phone manufacturer to stay bang up to date with Android security. It shows that the company CARES. It shows that they still have their finger on the pulse, that they still have a team dedicated to making that phone better, and so on.
The moment updates stop for a phone (often before the originally stated - at launch - support end-of-life) or are delayed significantly, I think 'Uh oh' and fear the worst. For example, the Microsoft Surface Duo is supposed to have support - and thus monthly security updates - until Autumn 2023, but April's is missing in action, it's now mid-May, and there's a serious fear that Microsoft has simply abandoned its (originally £1300 flagship) folding phone.
[Update: 10 May 2023. Sod's law being what it is, Microsoft pushed the delayed April 2023 update for its Duos an hour after I published this article. But it was still weeks late, the future's just as uncertain, and my sentiments still apply!]
There are similar 'lack of care' worries over Motorola phones in our possession too. So broken promises on updates are definitely a 'thing', even if the actual day to day security implications aren't perhaps as drastic as you might think, for a day to day user doing regular day to day things.
And an absence of care from the manufacturer immediately starts to turn me away from using or recommending a certain phone. That's just how it is...
PS. Apple and the iPhone are largely outside this discussion because of the different way updates are rolled out. While manufacturers have to jump through hoops in the Android world, testing and then publishing updates for each device in each region, Apple simply pushes all security updates out to all iPhones when needed, with no schedule and with no other approvals needed. This is possible because only Apple makes the iPhone, of course, the same company behind software and hardware, and refusing to allow networks (carriers) to get too involved or to hold things up. It's a direct company-to-user relationship.