Mobile phone retailers are selling devices that could lose vital security updates before pay monthly contracts have finished, as the short shelf life of phones supplied by manufacturers leaves owners more exposed to hacking attacks by cyber criminals, a Which? investigation has revealed.
The consumer champion looked at mobile phone contract deals across a range of retailers and found that 48 per cent of the dozens of phones available could lose security support before the end of contract period.
The amount of data held on phones is a goldmine for criminals and a lack of updates potentially leaves them vulnerable to attacks that allow hackers to take complete control over the phone, steal personal information and could even leave phone owners facing bills of hundreds of pounds for services that they have not used themselves.
The retailer with the highest proportion of devices that could lose update support was O2 – due to the fact that its contracts can last up to 36 months. Three-quarters (73%) will potentially be left unsupported at the end of the three years, and a fifth (21%) could lose support less than a year into the contract.
Across its investigation, Which? researchers came across a number of popular handsets due to run out of support less than a year into the contract including:
Motorola G8 Power – sold by mobiles.co.uk and Vodafone
Oppo Find X2 Lite – sold by EE, Mobile Phones Direct, mobiles.co.uk, O2 and Vodafone
Samsung Galaxy S9 – sold by Vodafone and recently having lost its Which? Best Buy status because it could have less than a year of support left.
All were available despite no indication to consumers that they would soon pose a security risk through a lack of updates.
Across the board, mobile phone retailers were selling a whole host of devices that could lose security support before contracts ended. After O2, the proportions of contract phones on sale with similar problems were Carphone Warehouse (52%), Mobiles.co.uk (50%), Vodafone (50%), Three (40%), Mobile Phones Direct (38%) and EE (33%).
Mobiles.co.uk (19%) and Carphone Warehouse (18%) also closely followed O2 in the proportion of phones being sold that could lose support in only the first year of the contract – meaning consumers would potentially be using an unsupported device for more than a year before the contract ends.
A lack of transparency around important updates is a big part of the problem. Four in 10 (40%) smartphone owners think that if they buy a phone on contract it will receive security updates throughout the contract period, according to a Which? survey. It is also clearly an issue that matters to consumers – seven in 10 (69%) said that they would be concerned if their phone was no longer receiving security updates.
EE and Three disputed some of the mobile phone models included in Which?’s analysis – and said that these phones would be supported until the end of contracts. Vodafone said that “support generally extends beyond the timeframe you reference.” However, Which? believes these phones could be out of support before the end of contracts, according to its research.
Which? is removing its Which? Best Buy recommendation from any phone with less than a year of support remaining and has also added a security warning banner to its reviews of any affected devices.
Which? believes it is unacceptable that some mobile brands only provide security updates for a little over two years from the point of release and is calling for this to change to five years minimum for all manufacturers so that consumers are better protected, regardless of device cost or popularity. A lack of support can mean phones end up with needlessly short lifespans that could mean phones are discarded earlier than they should be or end up in landfill. It can also lead to insecure phones being sold second-hand.
The consumer champion is also calling for manufacturers and retailers to be far clearer with consumers about how long phones are going to be supported with security updates so they can make more informed choices and protect themselves against these security risks.
The government recently announced that mobile phones will be included within the scope of its proposed Product Security and Telecommunications Infrastructure Bill. Which? is calling for the bill to be clear and unequivocal in requiring manufacturers and retailers to state what date a device will be supported until. However, the bill is not set to specify how long manufacturers should support phones and Which? is calling for a minimum support period of five years from release.
In the meantime, consumers should visit the Which? phone support calculator to find out how long phones are likely to be supported for.
Kate Bevan, Which? Computing Editor, said:
“Mobile phones without the latest security support could leave consumers vulnerable to hackers, so it is important that manufacturers supply these defences for longer and that retailers are clearer with people about the risks posed by phones that will not receive vital updates for the duration of contracts.
“The government’s Product Security Bill needs to ensure that manufacturers state the date a device will be supported until – and that this information is clearly displayed on retailers’ websites. Devices need to be supported for five years minimum across all manufacturers so that consumers are better protected.”
Notes to editors
Which? estimates when a phone is likely to lose support by using its launch date, knowledge of brands’ official update policies and the support cycles of older handsets. In its investigation, w/c 14th June, it matched this information with 50 contracts provided by Carphone Warehouse, 42 by EE, 62 by Mobiles.co.uk, 48 by Mobile Phones Direct, 73 by O2, 50 by Three and 66 by Vodafone.
Yonder, on behalf of Which?, surveyed 2,084 UK adults online between 11th and 13th June 2021. Data was weighted to be representative of the UK population by age, gender, region, social grade, tenure and work status. Of this sample 1,985 people owned a smartphone and answered the survey questions.
Video available for use: https://www.youtube.com/watch?
Advice to consumers on how to manage security on a smartphone:
There is work to be done across the board to improve update support periods and transparency with mobile phones – but there are things you can do to help ensure you are not left out in the cold by the manufacturer.
Check support periods before you buy. Some Android phones can lose update support a little over two years after launch, while Apple iPhones typically get more than five. Use Which?’s phone support calculator to see how long a phone has left, and remember that the support clock starts from the launch of the phone, not from when you buy it.
Avoid downloading apps from third-party app stores. Stick to official app stores, where apps are checked before being listed. This does not guarantee an app is safe, but it greatly reduces the risk, and it matters all the more once your phone is no longer supported, because an unpatched handset has fewer defences against a malicious app.
Check permissions. When you install an app, check what permissions it is asking for, and think twice if some seem unusual for what the app does. Make use of the Apple and Android permission controls too, such as allowing an app to access your location only while it is in use.
Keep devices updated. Install any security patches as soon as they are available, and if there is an option to download and install them automatically, make sure it is turned on.
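The first and last tips above, and the method described in the notes to editors (launch date plus the brand’s published update policy, compared with the contract length), can be turned into a simple check. The script below is an added worked example, not Which? code and not its phone support calculator; the handset names, launch dates, policy years and patch-level strings in it are constructed placeholders, the three-month staleness threshold is an assumption, and the patch date format is the one Android reports through `adb shell getprop ro.build.version.security_patch`.

```python
"""Estimate whether a handset's security-update window outlasts a pay-monthly
contract, and flag a device whose reported Android patch level is stale.

Added example. Handset data below is constructed for illustration only.
"""
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Shift d by `months`, clamping the day to the target month's length
    (31 Jan + 1 month -> 28/29 Feb) so the maths never raises."""
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def months_between(a: date, b: date) -> int:
    """Whole calendar months from a to b; 0 if b is not after a."""
    if b <= a:
        return 0
    m = (b.year - a.year) * 12 + (b.month - a.month)
    if b.day < a.day:
        m -= 1
    return max(m, 0)


@dataclass(frozen=True)
class ContractCheck:
    model: str
    support_ends: date
    contract_ends: date
    unsupported_months: int  # months of contract left after support ends

    @property
    def loses_support_in_contract(self) -> bool:
        return self.unsupported_months > 0


def check_contract(model: str, launched: str, policy_years: int,
                   contract_start: str, contract_months: int) -> ContractCheck:
    """Support runs from the LAUNCH date (not purchase) for policy_years;
    the contract runs from contract_start for contract_months."""
    support_ends = add_months(date.fromisoformat(launched), 12 * policy_years)
    contract_ends = add_months(date.fromisoformat(contract_start), contract_months)
    gap = months_between(support_ends, contract_ends)
    return ContractCheck(model, support_ends, contract_ends, gap)


def patch_level_age_months(security_patch: str, today: str) -> int:
    """Age of an Android patch level (YYYY-MM-DD, as reported by
    `getprop ro.build.version.security_patch`) in whole months."""
    return months_between(date.fromisoformat(security_patch), date.fromisoformat(today))


def flag_stale_patch(security_patch: str, today: str, max_age_months: int = 3) -> bool:
    """True when the device has gone longer than max_age_months without a patch.
    The threshold is an assumption; tune it to the brand's release cadence."""
    return patch_level_age_months(security_patch, today) > max_age_months


if __name__ == "__main__":
    # Constructed sample: a phone launched Oct 2019 with a two-year policy,
    # sold in June 2021 on a 24-month contract.
    for model, launched, years, months in [
        ("Example A", "2019-10-01", 2, 24),
        ("Example B", "2021-03-01", 4, 36),
    ]:
        c = check_contract(model, launched, years, "2021-06-14", months)
        verdict = (f"unsupported for the last {c.unsupported_months} months"
                   if c.loses_support_in_contract else "supported throughout")
        print(f"{c.model}: support ends {c.support_ends}, contract ends "
              f"{c.contract_ends}: {verdict}")
    for patch in ("2021-03-05", "2020-12-05"):
        print(f"patch level {patch}: stale={flag_stale_patch(patch, '2021-06-14')}")
```

Example A reproduces the situation the investigation describes: bought 20 months after launch on a two-year contract with a two-year policy, it runs out of support less than four months into the contract and is unsupported for the remaining 20.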
Typically, phone manufacturers offer a minimum support period of two to five years for their handsets. Below is a general picture of how long phones by certain brands are likely to typically receive security updates for:
Five years – Apple leads the way on software support with five or six years. Fairphone also offers five years, backing up the brand’s eco credentials.
Four years – Samsung has recently announced that several of its phones, including some very cheap handsets, will get four years of updates from launch. Use Which?’s tool to double check your model though, as some of its older phones have had just two.
Three years – Google smartphones get three years, as do most of Nokia and OnePlus’ models, though some cheaper phones will get just two.
Two years – Most cheaper brands typically offer just two years of support, including Motorola, Realme and Xiaomi. Most Oppo handsets have two, though its 2021 Find X3 range will be supported for three years.
For more information visit: Which mobile phone brands offer the best security support?
Why are security updates important?
Phones hold a great deal of personal information, and manufacturers keep it safe partly by sending out software updates for you to install on your handset. These often contain usability improvements and, more importantly, security patches, which fix flaws in the software that hackers could otherwise exploit.
Manufacturers do not send these out indefinitely, though, and some only support phones for two years after launch. Once you are out of support, it is time to start thinking about upgrading. Your phone does not become insecure overnight, but the risk grows the longer you wait, because newly discovered flaws will no longer be fixed on your handset.
Manufacturers can patch older phones, and often do, but it is not always clear in advance whether this will happen.
Rights of reply
Dixons Carphone (owner of both Carphone Warehouse and Mobiles.co.uk)
“We offer our customers an extensive range of mobile phone models on either extended contracts or to buy outright depending on their individual budgets and needs. We aim to provide our customers with the latest most innovative tech but we also offer some mobile phone models further along the product lifecycle to meet the demands of customers looking for affordable options. We would welcome manufacturers providing us with clearer communications around mobile phone security update policies to pass on to our customers.”
EE engaged with Which? on its findings but did not provide a comment.
EE disputed seven of the phone models Which? included as part of its analysis and said manufacturers had stated support for at least the next two years.
Mobile Phones Direct
A Mobile Phones Direct spokesperson said:
“We will continue to work closely with our handset manufacturer partners to ensure customers know they need to adopt the latest software updates throughout their contract period.”
O2
A spokesperson said: “Manufacturers set the security patch lifespan of their devices, covering around 3 to 4 years for newer models. O2 customers can choose tariffs up to 3 years in length with our O2 Refresh plans, customisable between 3 and 36 months. We are proud to have led the industry here, as by splitting airtime and device costs customers have true flexibility over how they pay for their mobile phone. However, customer security is an absolute priority, so should manufacturers advise that one-off security updates are required outside of their set lifespan, we would work closely with them to ensure customers receive the updates needed.”
A Three spokesperson said: “Software updates are managed by device manufacturers and Three customers are provided with the updates for as long as the manufacturers release them.”
Three disputed eight of the phone models Which? included as part of its analysis and said that they will still be receiving security updates for at least two years from now.
Vodafone
“Vodafone works closely with its suppliers to ensure that the devices it provides to customers are supported with OS and security updates. Though there may be some variance to the lifecycle support duration depending on the device and its manufacturer, in practice this support generally extends beyond the timeframe you reference. In general, we see that the length of support has become longer over the years.”
Motorola
“Motorola is committed to bringing intuitive software experiences to our consumers; there are no clunky software skins, no duplicate apps. When it comes to software upgrades, we’re constantly working with partners and our internal teams to ensure consumers have the latest and best technology on their Motorola devices. Motorola is also committed to regular and timely security upgrades as recommended by Google/Android. While phones cannot be upgraded indefinitely, we provide security upgrades within the industry standard on both our regular and our Android One devices. Google and Motorola intend to keep expanding the apps that are Playstore updatable, which allows us to update essential apps like camera, UI, Moto Experiences, and messaging apps much quicker than a yearly OS upgrade.”
Oppo said it did not wish to comment.
Samsung
“At Samsung, customer satisfaction is core to our business and we aim to deliver the best possible experience. Regarding security updates, in order to ensure the highest level of protection possible, Samsung releases security updates onto Samsung Galaxy S9 on a quarterly basis. For more information please visit https://security.
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at firstname.lastname@example.org.