Is it safe to continue using an Android phone after its EOL?
linuxyogi
March 22nd, 2023, 03:21 PM
Hi,
Posting here after a long time. I am using a Nokia G20. This is my first Android phone. I purchased this phone in December 2020. This phone will no longer receive security patches after 2024. As I said, this is my first Android phone, so basically I tried to apply the knowledge which I have gathered by using Linux for more than a decade.
As soon as a particular release of Ubuntu reaches its EOL I have always replaced it with a new supported release. I am trying to follow the same theory with Android.
Here is the problem. I can't just install a new Android on my phone like I do with my desktop. Unfortunately LineageOS doesn't support my handset.
When I tried to discuss this issue on various Android forums, some of the members told me that I am overthinking this and that they use phones which have reached their EOL.
What's your opinion? Should I continue using this phone after its EOL?
@theFu
Please mention your opinion too.
BBQdave
March 23rd, 2023, 01:22 AM
If you are using your device for communication of non-sensitive data, probably okay to use it beyond the EOL.
If however you use your device to transmit sensitive data, such as credit card, or on-line banking or shopping or paying bills - I would not use a device that no longer receives security patches.
scoob8000
March 23rd, 2023, 04:31 PM
Just like BBQdave stated. It all depends on what you are using your phone for and what your expectations are for security.
The biggest thing is lack of Android security patches. Really not much different than using an old version of Windows with no more Windows updates.
donald187
March 23rd, 2023, 04:40 PM
I'm concerned about your email being hacked. If someone gets your email password they can reset passwords on other accounts you have by selecting "Forgot Password".
maglin2
March 23rd, 2023, 05:21 PM
For that reason I use a Gmail address on my Android phone that isn't associated with any other meaningful accounts, nor is it the recovery email for the email addresses that are.
(So I have to have at least three email addresses: one that is associated with accounts, e.g. for password reset, one that is the recovery email for the first email, and one that is just used for the Android phone.)
I have no financial or other security/privacy significant apps on my phone, and don't use it for payment.
This position is getting more difficult to sustain though. Financial institutions who you would think would have account security as a priority are increasingly moving features onto phone apps.
DuckHook
March 24th, 2023, 08:45 AM
All of the above replies are essentially saying: "no, it's not safe". They are all correct. Anything out of support is essentially asking for trouble.
The problem is that these devices are so convenient that they seduce us into insecure behaviour. How often do we forget that they are out of support and install something on them anyway? Why does Google continue offering apps for Android versions that are years past EoL? How sporadic are your phone's updates even when the phone is technically still supported? An Android exploit is uncovered practically every week. My phone gets an update twice a year (if that). The exploits that accumulate over that 6 month period are enough to put us at risk even for supported gear.
The mobile market is driven entirely by short term profit, not by security. This is just as true of Apple as it is of Android. I would argue that Apple is worse because they promote a false sense of security.
So, it doesn't matter that your phone is still being "supported". Doing anything that requires security over your phone is just... virtual Russian Roulette.
DuckHook
March 24th, 2023, 09:05 AM
I would also add that those people on Android forums telling you that you are "overthinking" things are foolishly naive and grossly negligent. They are also typical of the computing public. They don't really know what they are talking about but delude themselves into thinking that they do.
You've asked some penetrating questions about security on these forums over the years and have implemented very good safeguards in your Linux boxes. You can account yourself a seasoned user by now. Android is no different than any other OS. In fact, it is not as natively "safe" as mainline Linux because its hidden-source "just trust us" business model leaves so many dark dank places for vermin to hide. In matters of security, I suspect that you are more knowledgeable than most of those Android forum participants. Trust your own instincts.
linuxyogi
March 24th, 2023, 10:07 AM
Thanks everyone for the replies. So basically I got no choice but to buy a new phone next year. I find two problems with most Android phones. (1) Most brands offer a max of 4 years of security patches and (2) this 4 year period starts from the date the handset is launched on the market. What I mean is, suppose you buy a phone one year after it's launched, you get only three years of security patches.
You mentioned the risk of my email getting hacked. I have enabled 2 factor authentication for both my Android account and main Gmail account and not only that I have enabled 2 factor authentication for my Facebook and Instagram account too.
Still I understand that using an unpatched phone is not an option.
DuckHook
March 24th, 2023, 03:06 PM
> Thanks everyone for the replies. So basically I got no choice but to buy a new phone next year. I find two problems with most Android phones. (1) Most brands offer a max of 4 years of security patches and (2) this 4 year period starts from the date the handset is launched on the market. What I mean is, suppose you buy a phone one year after it's launched, you get only three years of security patches.
> You mentioned the risk of my email getting hacked. I have enabled 2 factor authentication for both my Android account and main Gmail account and not only that I have enabled 2 factor authentication for my Facebook and Instagram account too.
> Still I understand that using an unpatched phone is not an option.
In the past week alone:
https://nakedsecurity.sophos.com/2023/03/17/dangerous-android-phone-0-day-bugs-revealed-patch-or-work-around-them-now/
https://nakedsecurity.sophos.com/2023/03/21/google-pixel-phones-had-a-serious-data-leakage-bug-heres-what-to-do/
2FA is a good start, but it's just a start. Patching is as important as it ever was. The lousy patching frequency of most OEMs is unconscionable.
Yes, the smartphone industry is a racket. This cannot be helped. Had initiatives like Unity Mobile been successful, we might now have alternatives, but it wasn't so we don't. C'est la Vie. Welcome to the smartphone churn mill and planned obsolescence. You can research Android OEMs who offer longer term support or you can buy Pinephones or similar. But there's no ideal solution—yet.
donald187
March 24th, 2023, 04:30 PM
Guess I'll throw in a plug for Pixel phones. They get regular monthly updates and are supported for 5 years if you get a Pixel 6 or 6a or later.
https://support.google.com/nexus/answer/4457705?hl=en#zippy=
zebra2
March 24th, 2023, 06:02 PM
This has nothing to do with "safe", but the entire system is switching to 4G LTE voice and 5G data. There are plenty of inexpensive (cheap) ways to get this but the EOL phones may not do the job. My Moto G Pure Tracfone automatically switched to 5G data and I didn't even know it was capable until it switched on the local network this past weekend. It is possible though that it is 5G data at 4G speed. Either way it is really fast. My Moto Pure isn't EOL but this is what the older phones will need to deal with.
PS: In addition to the above. The CDMA protocol has been discontinued and all new phones regardless of the carrier are now GSM. If the CDMA support hasn't been discontinued it soon will be. It will never be part of 5G.
DuckHook
March 24th, 2023, 11:56 PM
A good summary of pure Linux (not Android) phones on this website: https://bytexd.com/hardware/best-linux-phones/
No idea of how long each of these pure Linux smartphone OEMs support their gear. You must research that on your own.
It's a fair and balanced article, but do note that pure Linux phones are limited devices that most people would find restrictive due to lack of apps that they are used to. I don't find them limiting because I avoid most apps anyway. I substitute the platform's browser interface that I turn into a form of app by bookmarking to my home screen. Then, it's just making sure that I have the browser extensions that allow me to control the scripts that run and thereby confine what gets reported back to each platform's mothership. I find it far easier to confine one browser than every individual app, so I get a double benefit from not installing apps.
nimafanniasl
March 26th, 2023, 11:21 AM
I suggest you buy a Pixel phone and install GrapheneOS on it :)
monkeybrain20122
March 26th, 2023, 08:17 PM
IMHO the phone is never "safe" since the user has very little control. I won't do anything that might require security on the phone. I wouldn't do online banking on the phone, for example (I do it on my Ubuntu laptop). It is OK to use the phone for pay transactions as long as it is a standalone account that has a fixed limited fund and isn't tied to the bank account. I don't even use my real email account on the phone; I set up a dedicated account just for accessing Google's services but it has no real use. (A Linux phone is too crippled and you may as well have a flip phone.)
BBQdave
March 28th, 2023, 01:28 AM
> Guess I'll throw in a plug for Pixel phones. They get regular monthly updates and are supported for 5 years if you get a Pixel 6 or 6a or later.
I've got the Pixel 5a, security patches for 5 years. I tested (Google) Project Fi, and it worked great. So I put my whole family (four of us) on Project Fi, which transitioned out of beta into Google Fi.
I do not know if this offer extends to all on Google Fi or those of us that have been on it a while, but the entry level Motorola phones are no cost. Which brings up the choice of buying a Pixel Phone (on sale) for 5 years of use, or going with the Motorola phone (free) with 2 years of use.
For my basic use, mostly vanilla Google Fi install (I add Spotify and my kids' school app) there is little difference between Pixel and Motorola. I do not like throwing a perfectly good Motorola phone away every two years because no more security patches, but free is free. And I'll have to make a choice when the 5a is EOL.