The Mess with Cellphone Security Updates

My then 2 1/2 year old Google Nexus 5 stopped getting security updates last October (2016), but it was not until the recent Broadcom Wi-Fi chipset vulnerability that I got serious about getting a new phone that gets security updates. I am frustrated that I am replacing functioning hardware because the manufacturer's (Google's) security update policy has made it unsafe to continue using the device.

In looking for a new phone, I decided that there were a few key requirements:

  • Monthly or immediate upon discovery security patches supported by a published policy.
  • A price to security update life of less than $150/year.
  • Availability of an email client that supports S/MIME for IMAP/SMTP email accounts.
  • Availability of an end-to-end encrypted messaging app that is widely used. My preference is Signal, but there are others that meet this requirement.
  • Supports Google Authenticator or another authenticator that provides two-factor authentication for Joomla-based web sites.

I ended up getting an iPhone SE, but my research and observations follow.

Alternative Firmware for Nexus 5

There are alternative firmwares available for some Android phones; although the Cyanogen project has collapsed, the follow-on LineageOS project is alive and well, and supports the Nexus 5. I’m comfortable flashing devices, but I do not want to do this for my primary phone. I will flash the Nexus 5, but will only use it as a backup device.

New Phones

I looked at new Android, iPhone and Windows devices; a summary of my research follows.

iPhone

Apple has a very clear hardware support policy and a history of providing security updates for about four years. Assuming three years, most Apple devices get ruled out by the $150/year cost limit that I have imposed, but the smallest (32 GB) iPhone SE does meet my annual cost requirement and the other requirements. Apple has the best S/MIME support of any vendor by a huge margin, and Signal is available on the iPhone. Two-factor authenticator apps are available.

Lumia Phones by Microsoft

Microsoft has a clear phone security update policy, and there are several Lumia models that meet my cost requirements. There are secure messaging apps available. Unfortunately, I could not find an S/MIME application. The default email application will do S/MIME when connected to a Microsoft Exchange server, but not for IMAP/SMTP servers. It looks like the Microsoft Authenticator app follows the same standard as Google Authenticator (TOTP, RFC 6238), but I did not research this conclusively.

I was really frustrated by the lack of an S/MIME email app, as I really like the Windows 10 phone user interface. Most users looking for an inexpensive secure phone should seriously consider the inexpensive Lumia models. My requirement for S/MIME was the primary thing that prevented me from getting a Windows phone.

Android Phones

All Android devices meet my requirements for availability of an S/MIME client, secure messaging and Google Authenticator. For Android devices, the manufacturer's security update policy and cost were the primary considerations.

Google Pixel

Google has a published security policy and I could probably expect no more than three years of updates, so at $649, the Pixel does not meet my annual cost requirement. There are third-party S/MIME clients available in the Google Play Store and Signal is available on Android.

Motorola G4 and G5

I looked at the Motorola G4 and G5 at Best Buy (which had about 15 unlocked phones), and both had Android 7.0 installed, with the December 1, 2016 and January 1, 2017 security patch levels respectively. At $180 and $230, both devices met my cost, S/MIME and messaging requirements. Unfortunately, Motorola does not have a published security update policy that I could find, and does not have a good reputation for security update timeliness.

LG X Power

The LG X Power meets my price and function requirements, but I could not find a published security update policy.

Samsung Phones

Samsung has a published security update policy. Samsung's flagship S series gets monthly security updates and meets my functional requirements, but it does not meet my $150/year cost requirement. The J series only gets quarterly updates, and the J1 at Best Buy was only running Android 5.1.

Phone Security is a Mess

The lack of security awareness of phone manufacturers other than Apple, Google and Microsoft is absolutely disgraceful, especially for low-end devices. For Android devices, you need to pay about $225/year in order to get security updates, and as far as I am concerned, that is too high. My biggest frustration in this research exercise was the difficulty of finding a manufacturer’s security update policy.

If there were a clear security update policy for two or three years for the Motorola G4, that would have been my first choice. If there were a clear security update policy for the LG X Power, it would easily have been my second choice.