Too many phones aren’t receiving the updates they need to be secure. Here's what you can do about it.
When a new software security breach is found, there’s a flurry of activity by manufacturers and telcos to update networked devices, including phones and tablets, to keep them safe and secure. However, not all phones are equal when it comes to updates.
While iPhones and new Android devices receive regular and timely updates, others may only get updates months after threats have been identified. And that’s not good enough!
Whenever you buy goods, the Consumer Guarantees Act (CGA) states they must be of acceptable quality – that is, fit for purpose and able to last a reasonable time.
Any device sold as new (even if it’s a previous year’s model) that connects to the internet but doesn’t receive security updates isn’t of acceptable quality and should, in our view, be covered by the Consumer Guarantees Act.
Operating system updates
A Consumer member contacted us about a tablet she bought a year ago. It was running Android 5, but hadn’t received an update and would no longer run her banking app. It’s a common problem with devices running old operating systems (OS): apps get updated, but the system running them doesn’t, so they stop working.
Unlike iPhones, where Apple sends out updates to as many models as it can, older Androids don’t get the option to update.
The latest Android OS is version 8, released last year. In an online search we found phones running Android 6 (released in 2015) and, in one case, Android 5 (released in 2014) being sold by telcos and retailers.
The good news is Android devices with an old OS can still receive separate security updates. These are more common, with some newer phones receiving them monthly. However, research by Security Research Labs in Germany found a “patch gap”.
“In many cases, certain vendors’ phones would tell users that they had all of Android’s security patches up to a certain date, while in reality they were missing as many as a dozen patches from that period – leaving phones vulnerable to a broad collection of known hacking techniques.”
Google, Samsung and Sony phones were most likely to be up to date.
The problem is, getting updates out is a difficult process to speed up. All updates are created and released by the manufacturers, then tested by the telcos to ensure they are safe to release.
What we’re doing
While speeding up the release of updates would be the best scenario, this is practically impossible owing to how many parties and devices are involved.
We’ve spoken to the major telcos – Spark, Vodafone, and 2degrees – and while all three say they’re committed to helping their customers stay safe, we think there is more that can be done.
We are proposing consumers be told at point of sale if their device is running an older OS, and warned that it may not receive updates. Spark was the only telco to say it had reviewed its devices and was happy to work with us on this issue. We will keep you updated on our progress.
What you can do
Your first, and easiest, step is to update your phone whenever possible. Updates to your phone (or tablet or computer) are essential for the smooth running and security of the device.
To check if an update is available:
Make sure your WiFi is on, in case you need to download a file.
Go to device settings.
Select “System” or “About phone” (this can differ from phone to phone).
Under “Update” or “System update”, you can see if an update is available.
In “About phone” you can check which version of Android (or iOS) you’re running. On Android phones, you should be able to see when the last security update was applied.
If you’re buying a new phone, check which OS it’s running. Remember, older systems might not run the apps you need.
Help us keep the pressure on
Consumer NZ is non-profit. To help us get a fairer deal for all New Zealand consumers you can make a donation. We’ll use your contribution to investigate consumer issues and work for positive change.