I write a lot about mobile security and privacy issues because I am passionate about it — you do the things you like to do any time you're able. I wish all the bad actors in the world would disappear in a ball of fire, but since that's not going to happen, the next best thing is that we all start to take our privacy and how secure our digital life is a little more seriously.
To be clear, I am not a cybersecurity professional — I'm a former electrical and R&D engineer who now writes words about tech. But I know enough to listen to the people who do this stuff for a living and pay attention to what they have to say about it all. I try to follow their advice, and you should, too.
One of the web's longest-running tech columns, Android & Chill is your Saturday discussion of Android, Google, and all things tech.
One of the things most of us don't take seriously enough, but those security professionals always recommend, is to keep our phones, tablets, and computers updated with the latest security patches. That's great when your device is supported, and you can click or tap a button, and it happens. Eventually, though, the companies who make our gadgets stop caring about them and no longer provide those essential updates.
I got an email from a podcast listener about that this week and realized that it's a thing nobody talks about.
"I currently have a Pixel 5 which will no longer be receiving security updates this fall, and my family members also have Pixel 3a phones that are no longer going to be receiving the security updates soon. What is your advice for these devices? Is it fine to keep using them as long as we keep our apps updated, or is it time to get a new phone?"
There isn't one good answer to this question. There are several, and none of them are really definitive except for one: stop using it and buy a new phone.
I hate that answer for several reasons. Not everyone is in a financial position to be buying a new phone. If your current phone still works great, sending it to be recycled or to end up as e-waste seems silly. And you can keep using it if you are either very knowledgeable or very careful.
Doing it yourself
Some phones can be completely unlocked so we can install a new operating system on them. Android enthusiasts call these custom ROMs, but they really are a complete OS in their own right — they just happen to (usually) be built using Android as the base.
Nexus phones were basically designed for this, and Pixel phones will work once you've jumped through a few hoops. Other manufacturers make phones that can be unlocked the same way, even Samsung. You can find many good phones for rooting and ROMing.
The problem here is you're still depending on someone else to keep you updated unless you have the knowledge to do this yourself. If you're familiar with writing code or compiling software from source, it's not difficult to learn, but for a lot of people, it's a hurdle they can't jump. I get that and won't come out and say how easy it is and you should just go for it. It's not easy for everyone.
Can you be careful enough? (Probably not)
The other alternative is almost as difficult and equally full of unknowns — be careful. This means not clicking links that you can't 100% trust, not installing any apps without getting them from Google Play, staying away from shady websites, and even things like not opening documents or images unless you 100% trust whoever sent them to you.
This really isn't practical, and the only way to have 100% safe habits is to stay offline, which is not very productive and no fun at all. There's no real reason to have a smartphone if you aren't connected.
Technically though, you can do it even if it's not practical and/or fun, so it's another way to keep using a phone that has known exploitable security holes in its software.
It all comes down to one thing — can you take care of the problem yourself? If you can or think you can, either by rolling your own OS with the patches in place or by exercising an appropriate amount of caution (more on that in a bit), you are fine to keep using your gadget until it falls apart.
If you can't, the only real answer is to buy a new one.
How "real" are security issues?
100% real. That doesn't mean what you think it does, though.
Very few people actually get their phones hacked. Security exploits are found by people who get paid to do nothing but look for them or by very smart people who have a keen interest in the subject. Most of the latter are good people who will inform whichever company can fix it so it gets patched in the device software.
They also usually keep it quiet until it gets patched. That means some random idiot who wants to cause trouble has to know how to find this sort of thing on their own. There are a lot of random idiots who are able to find these sorts of issues and are very smart, but the number pales when you compare it to how many gadgets are out there and how many people use the internet.
What I'm saying is they do exist and can be really sneaky, so you'll never know you're being hacked, but you're not very likely to come across them. People trying to phish your Gmail or PayPal password are plentiful because that's easy — make a fake website and send an email to a gazillion people to see who bites. Writing and implementing code exploits is not easy, and that weeds out most of the people who would love to mess with your stuff.
What I do
I've never used a smartphone long enough to reach its end of life, partially because of what I do for a living, but also because most phones aren't designed to be useful for that long. Phone makers build cheap products, and software advances so fast that you almost need stronger hardware every two or three years.
That's slowly changing, and my habits are changing along with it. I use a Google Pixel 6 Pro. I like it, and it does everything I want a phone to do, so I don't want to spend hundreds of dollars on a new one. I might have to because the volume button is broken, but if I can fix it, I'll use it until it stops turning on. A Pixel 8 or Galaxy S24 isn't going to offer me anything that I need enough to buy one.
My Pixel 6 Pro will stop getting security updates in October 2026, and then I have to decide what to do. I already know my answer — I'll buy a new phone.
Not because I can't build my own version of Android and update it myself every month. I could do that, but I don't really want to. I also don't want to worry about everything I tap or look at, even though I know the odds of getting hacked are actually pretty slim. I'm cheap and hate spending money, but I'm also too lazy and too busy to futz around building my own OS.
Thankfully, phone makers are wising up and offering to keep their new models updated much longer. When you have to buy a new phone, make sure you check to see how long it's supported.