[quanticle]

That's a cynical and paranoid mindset. Bloat is a lazy tendency not a malicious evil and developers tend to optimise for the latest and greatest if left unchecked and forced to consider backwards compatibility.

As a user, do I care whether my phone is unusable because the developers wanted specifically to render older hardware unusable or whether it was just through their negligence in failing to consider older devices? Stupidity or malice, the result is the same.

lets just say don't do any financial transactions on the device or appreciate the general openness of your phone to malicious actors who might use it for nefarious purposes.

I keep hearing this, but what's the actual presence of malware on Android? If you're not installing shady apps from the Play Store, what's your actual level of risk? Android, even old versions of Android, are far harder to reliably exploit than say, unpatched Windows. As long as you're not installing free-to-play flashlight apps that require every permission under the sun, I'd say your exposure to malware on Android is far less than it is on PC. For the average user, they're still probably better off conducting financial transactions on their phone than conducting those same transactions on their malware ridden laptops.

[Quarrelsome]

> Stupidity or malice, the result is the same

Yes but whether we attribute the intent to stupidity or malice is important as per the general health of our thought process. Its likely laziness combined with malice when its noted. I imagine a dev getting up in arms about package size and then when the issue is raised its not given high priority because someone twigs the convenient side effect. That's the worst case. Either way the mindset of paranoia is warped and self centred. Its not because they're thinking of forcing you to upgrade its more because they're _not_ thinking of you and instead the wide-eyed new sales opportunities that ship with greater disc space.

> I keep hearing this, but what's the actual presence of malware on Android?

oh wow, you're gonna play this game? I could tell you that its perfectly safe to trace the outline of a cliff with your feet and in many, many cases its going to be absolutely fine until the one case where the earth gives way and its not.

Let me put it this way; when I see the tagline:

> there are over a billion outdated Android devices

my first thought is:

> what's the most effective exploit to tap into that market?

the existence of security flaws encourages action and the hubris of not updating is the clarion call to those that exercise the exploits.

> I'd say your exposure to malware on Android is far less than it is on PC

This. What is this? This is complete conjecture. Get out of here.

[virgilp]

> my first thought is:

> > what's the most effective exploit to tap into that market?

So??? What is it? Do let us know.

I'd venture to say that the fragmentation of that market makes it reasonably secure. Just like how the average router is incredibly insecure, and yet you don't advise people to avoid e-banking and just deal with their money in paper form and through face-to-face contacts.

Yes, you are technically right. But @quanticle is right, in practice: unless those users do some very stupid shit, they're pretty safe doing ebanking on their phones. (and those who do the "very stupid shit" are likely to do it on their computers, too)

[quanticle]

Where are the Android LSASS worms? Or Android SQL Slammer? Or Android ILoveYou? Or Android NotPetya? Or any one of the literally hundreds of well-known malware strains that make the news every time they infect a few million PCs? Malware on Android certainly does exist, but the fact that Android has been out for this long, with this many outdated devices, and we haven't seen a single mass infection yet means that Android isn't as easy to exploit on a mass scale as people make it out to be.

I'm not claiming that Android is safe. Nothing is safe. But it does security professionals no good to be alarmists. If we cry wolf about literally every technology that ordinary people use, the result is not people giving up technology. The result is people ignoring security professionals.

If an ordinary user came to you and asked, "Where should I do my banking? On my phone or on my PC?" what would your answer be?

[viraptor]

> I keep hearing this, but what's the actual presence of malware on Android? If you're not installing shady apps from the Play Store, what's your actual level of risk?

I wish I could quantify that. It's a hard task. But the store is not the only possible vector. On an old Android you're running a very outdated version of Chrome when looking at any pages / ads. That would be the most exposed/insecure element in the system.

[vetinari]

Chrome on Android is updated separately from the OS release. Even old Androids have new Chrome. This is not the Safari-on-iOS situation.

The same is valid for the system WebView, but "only" since Android 4.4. It is updated via Play Store, independently from the base system.

[viraptor]

I was responding in the context of:

> As someone who goes as long as possible without performing updates

I take that to mean without updating the apps either, not just the os. I've seen people reject any kind of upgrades.

[Quarrelsome]

there are bluetooth exploits and network adapter exploits which are for more localised fun.