Why you should keep updating your phone software

I can already hear the comments on this subject:

  • “If you update your phone, it will become slower! Don’t you know that manufacturers do this on purpose, so you must buy a new device?”
  • “Why should I update my phone? They’ll just change things and I’ll have to learn how to use it again!”
  • “My phone manufacturer / carrier does not release updates.”
  • “My phone is too old to get updates and that’s how I like it!”
  • “I use the (iPhone or Android). It is secure by default and does not need updates!”

Here is why the above are not good reasons

I think we can all agree that our phones are (for most of us) the most personal computing devices we have. Most of us do not hesitate to install a bunch of apps, customize them to our liking and access things like work, banking, shopping or school from them. We take and store family pictures, and we use our phones to talk to family and friends.

What other device do you have that does all that? For most of us, our smart phones are the intersection of different parts of our lives, unlike any other device we have.

Are Android / Apple iOS not secure?

Sure… all the operating systems are about as secure as people can make them. But software is made by people. It is also incredibly complex, and many different layers of technology work together to make up what you know as your phone that does all the things it does.

It is all flawed. It has bugs. Some of those bugs are related to broken features (something just not working as it should). Some of them are related to security issues.

When any software or device is released, consider that there are essentially two groups of people who buy it:

  • Group A – the larger group by far; users, who want to use the software / device, and just want it to work.
  • Group B – threat actors, who want to figure out how to use the device or software in a way that gets them some sort of gain, whether it is in the form of information they can resell, emails they can capture, bank accounts they can empty or contact information they can abuse.

The very minute something comes to the market (for example, a device or software that is used by millions of people), well-funded research into how to exploit vulnerabilities in that software or device starts and keeps going.

It is all part of what is generally known as “Cyber Crime” and it is an incredibly well funded and, in many respects, scarily organized enterprise. It is HUGE!

“But wait… what does this have to do with me? I’m just a phone user!”

Sure, we have all read books or seen movies where some sort of hacking is done against some high-value target’s phone or device. Stuff like this can (and does) happen.

The trouble is – once vulnerabilities are “known”, it may be relatively trivial to use automated means to scan and attack vulnerable devices, without targeting any specific people (rather, casting a ‘wide net’ and seeing what you catch).

Consider that as you walk around your town, your phone connects and disconnects from a variety of networks. There might be a device on one of those networks that is just looking for a specific device to “walk by” and then automatically executes an attack against it. Depending on the vulnerability and how it is exploited, you might never know.

An attacker might send a specifically crafted text message to your device, which runs some code, installs a keylogger (which captures what you type) and deletes any evidence that any of this happened.

Sounds crazy? Well, it happened. I present to you:

There is a lot more where that came from…

The above were just examples. There are many, MANY security vulnerabilities. There are so many that pretty much monthly, vendors release updates for their mobile devices.

I invite you to check the following Vulnerability Database, already filtered to mobile operating systems, to give you an idea:

https://vuldb.com/?type.smartphone_operating_system

Not all vulnerabilities are the same. They are ranked by criticality, ease of exploitation etc. But there are enough of them that can be exploited without major difficulties that it should give you pause.

Here are a few articles talking about fixes for Android and iOS vulnerabilities:

Android:

Apple iOS:

What can you do?

If there is one thing that you should take away from this article, it is this: update your phones. My suggestion is to enable automatic updates on your phones and keep them on. On your iPhone, go to Settings > General > Software Update and under Automatic Updates, enable Automatically install for both iOS updates and Security response updates. Do it on your phone and on your family’s phones. Give yourself the best chance!

iPhone update settings

For Android phones, see this.

Summary

  • Mobile device operating systems are extremely complex; there are many different security vulnerabilities in them, despite manufacturers’ best efforts.
  • It can be trivial for threat actors to attack vulnerable devices just by being in proximity to the device, depending on the vulnerability.
  • The best way to protect yourself and your data (all the different types of data on our phones) is to keep your devices up to date!

Go update!
