• Re: Q: What threats do we really face when our phones are not fully patched?

    From Carlos E.R.@3:633/10 to All on Sunday, April 19, 2026 22:31:54
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-19 18:59, Maria Sophia wrote:
    For an older Android phone, what "security" hazards do we REALLY face?

    In a recent thread, some of us were discussing our "security" situation.
    Newsgroups: comp.mobile.android
    Subject: Re: What is the history of Galaxy S-series & Pixel full support?
    Date: Sun, 19 Apr 2026 05:33:34 -0000 (UTC)
    Message-ID: <10s1pfd$3ot6t$1@dont-email.me>

    I'm not an expert in security threats, but in general, I'm not worried
    about them, but maybe I should be worried about them. Dunno. Do you?

    I assume many CVEs are specialized situations.
    I assume some (probably few though) are zero-click situations.

    I assume many use web links.
    I assume some use downloaded files (zero click or otherwise).

    But I've never really worried about it (although my phone is set up for privacy so it also probably has a bit of extra security by accident).

    What do others feel about not having fully patched phones?

    Q: What threats do we really face when our phones are not fully patched?
    A: ?


    Impossible to know unless you read all the CVEs. You can not assume they
    are irrelevant.

    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 07:06:44
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-21 23:06, Maria Sophia wrote:
    Carlos E.R. wrote:
    Q: What threats do we really face when our phones are not fully patched?
    A: ?


    Impossible to know unless you read all the CVEs. You can not assume they
    are irrelevant.

    This is probably the most sensibly stated assessment of the threats we face when our phones aren't updated to the latest set of score 8 to 10 CVEs.

    What might be nice to keep track of are URLs of where we find CVE data.

    I don't know how to use this site, yet. Does anyone out there know?
    <https://www.cve.org>
    <https://nvd.nist.gov>

    I do know how to use the CISA KEV exploit data, but it's a small subset.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>

    I don't yet know how best to use Android Security Bulletins though:
    <https://source.android.com/docs/security/bulletin>

    And those of us on Samsung can add their device-specific security bulletin:
    <https://security.samsungmobile.com/securityUpdate.smsb>

    Similarly, those of us on both platforms can use Apple's security bulletin:
    <https://support.apple.com/en-us/100100>

    There may be useful information in a vulnerability search page:
    <https://nvd.nist.gov/vuln/search#/nvd/home?resultType=records>

    What we need, I guess, is a "process" to make what Carlos suggested, something that we can practically do when we find out about CVEs.

    Nope. We need a person, or a publication, that does that analysis job.


    We'd check the CVE against how we use our own unpatched devices, I guess.


    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 11:45:31
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-22 09:15, Maria Sophia wrote:
    Carlos E.R. wrote:
    What we need, I guess, is a "process" to make what Carlos suggested,
    something that we can practically do when we find out about CVEs.

    Nope. We need a person, or a publication, that does that analysis job.

    I think differently, but I get where you're coming from.

    I'd like to have a chauffeur, but since I don't, I drive myself.
    That means I have to do all the thinking and navigation myself.

    Sure, it would be nice to have a chauffeur that does it for me.
    But I'm on my own.

    Same here with the CVE's.
    I can easily come up with a system to check things periodically.

    I haven't thought about it though, until today.
    It's not something I'm gonna do right away.

    But it seems easily enough a task to do monthly.
    But I could be wrong. As I haven't done it.

    But it is a good idea nonetheless, no matter who does it.
    So maybe we'll find something online that does it for us.

    We would input our phone specs.
    And it would output what CVEs we're vulnerable to.

    Does that exist?
    Dunno. Haven't looked yet.

    But it's an idea.


    No, I do not want a chauffeur. I simply want somebody that has the
    expertise to analyze CVEs and translate them for common people, telling
    me the summary and what I should really care about.

    I can not learn everything, I don't have that kind of time nor inclination.


    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Wednesday, April 22, 2026 15:55:44
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/22/26 2:45 AM, Carlos E.R. wrote:
    On 2026-04-22 09:15, Maria Sophia wrote:
    Carlos E.R. wrote:
    What we need, I guess, is a "process" to make what Carlos suggested,
    something that we can practically do when we find out about CVEs.

    Nope. We need a person, or a publication, that does that analysis job.

    I think differently, but I get where you're coming from.

    I'd like to have a chauffeur, but since I don't, I drive myself.
    That means I have to do all the thinking and navigation myself.

    Sure, it would be nice to have a chauffeur that does it for me.
    But I'm on my own.

    Same here with the CVE's.
    I can easily come up with a system to check things periodically.

    I haven't thought about it though, until today.
    It's not something I'm gonna do right away.

    But it seems easily enough a task to do monthly.
    But I could be wrong. As I haven't done it.

    But it is a good idea nonetheless, no matter who does it.
    So maybe we'll find something online that does it for us.

    We would input our phone specs.
    And it would output what CVEs we're vulnerable to.

    Does that exist?
    Dunno. Haven't looked yet.

    But it's an idea.


    No, I do not want a chauffeur. I simply want somebody that has the
    expertise to analyze CVEs and translate them for common people, telling
    me the summary and what I should really care about.

    Yup. I Googled Galaxy S10+ CVE and found what I (a common people?) was
    already pretty sure of:

    <https://www.androidauthority.com/samsung-exynos-vulnerability-attack-3494479/>

    And that was just the first try. Bet there's lots more. So confirmation that
    my old phone's definitely not good for sensitive stuff. Give it a try
    Frank...


    I can not learn everything, I don't have that kind of time nor inclination.




    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 19:17:05
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-22 17:55, AJL wrote:
    On 4/22/26 2:45 AM, Carlos E.R. wrote:
    On 2026-04-22 09:15, Maria Sophia wrote:
    Carlos E.R. wrote:


    No, I do not want a chauffeur. I simply want somebody that has
    the expertise to analyze CVEs and translate them for common
    people, telling me the summary and what I should really care
    about.

    Yup. I Googled Galaxy S10+ CVE and found what I (a common people?)
    was already pretty sure of:

    <https://www.androidauthority.com/samsung-exynos-vulnerability-attack-3494479/>

    And that was just the first try. Bet there's lots more. So
    confirmation that my old phone's definitely not good for sensitive
    stuff. Give it a try Frank...

    I know that there are flaws in Bluetooth that allow a passerby to get
    entrance into a phone. They recommend people to disable BT, but that is
    not feasible.

    But I don't know what the exact vulnerabilities and dangers are.


    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Jeff Layman@3:633/10 to All on Wednesday, April 22, 2026 18:32:23
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 22/04/2026 08:15, Maria Sophia wrote:
    Carlos E.R. wrote:
    What we need, I guess, is a "process" to make what Carlos suggested,
    something that we can practically do when we find out about CVEs.

    Nope. We need a person, or a publication, that does that analysis job.

    I think differently, but I get where you're coming from.

    I'd like to have a chauffeur, but since I don't, I drive myself.
    That means I have to do all the thinking and navigation myself.

    Sure, it would be nice to have a chauffeur that does it for me.
    But I'm on my own.

    Same here with the CVE's.
    I can easily come up with a system to check things periodically.

    I haven't thought about it though, until today.
    It's not something I'm gonna do right away.

    But it seems easily enough a task to do monthly.
    But I could be wrong. As I haven't done it.

    But it is a good idea nonetheless, no matter who does it.
    So maybe we'll find something online that does it for us.

    We would input our phone specs.
    And it would output what CVEs we're vulnerable to.

    Does that exist?
    Dunno. Haven't looked yet.

    But it's an idea.

    Well, I'm pleased I don't use my Xiaomi for anything requiring privacy
    or security.
    <https://app.opencve.io/cve/?vendor=mi&product=xiaomi>

    Rather a lot of critical vulnerabilities in the past couple of years,
    and a few other levels too. Not all for the same hardware, though. I
    didn't even know that Xiaomi did routers.

    --
    Jeff

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Wednesday, April 22, 2026 17:40:52
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/22/26 10:17 AM, Carlos E.R. wrote:
    On 2026-04-22 17:55, AJL wrote:
    On 4/22/26 2:45 AM, Carlos E.R. wrote:
    On 2026-04-22 09:15, Maria Sophia wrote:
    Carlos E.R. wrote:


    No, I do not want a chauffeur. I simply want somebody that has
    the expertise to analyze CVEs and translate them for common
    people, telling me the summary and what I should really care
    about.

    Yup. I Googled Galaxy S10+ CVE and found what I (a common people?)
    was already pretty sure of:

    <https://www.androidauthority.com/samsung-exynos-vulnerability-attack-3494479/>

    And that was just the first try. Bet there's lots more. So
    confirmation that my old phone's definitely not good for sensitive
    stuff. Give it a try Frank...


    I know that there are flaws in Bluetooth that allow a passerby to get
    entrance into a phone. They recommend people to disable BT, but that is
    not feasible.

    I do have a Bluetooth on/off switch on my Galaxy S10+. I think it's been off
    since the beginning but not for security but more likely because I just
    didn't use it. Also perhaps to save some battery? I just don't remember.
    Gets worse with age...


    But I don't know what the exact vulnerabilities and dangers are.




    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 19:46:46
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-22 19:40, AJL wrote:
    On 4/22/26 10:17 AM, Carlos E.R. wrote:
    On 2026-04-22 17:55, AJL wrote:
    On 4/22/26 2:45 AM, Carlos E.R. wrote:
    On 2026-04-22 09:15, Maria Sophia wrote:
    Carlos E.R. wrote:


    No, I do not want a chauffeur. I simply want somebody that has
    the expertise to analyze CVEs and translate them for common
    people, telling me the summary and what I should really care
    about.

    Yup. I Googled Galaxy S10+ CVE and found what I (a common people?)
    was already pretty sure of:

    <https://www.androidauthority.com/samsung-exynos-vulnerability-attack-3494479/>

    And that was just the first try. Bet there's lots more. So
    confirmation that my old phone's definitely not good for sensitive
    stuff. Give it a try Frank...


    I know that there are flaws in Bluetooth that allow a passerby to get
    entrance into a phone. They recommend people to disable BT, but that is
    not feasible.

    I do have a Bluetooth on/off switch on my Galaxy S10+. I think it's been
    off since the beginning but not for security but more likely because I
    just didn't use it. Also perhaps to save some battery? I just don't
    remember. Gets worse with age...

    But I do use it. My car connects to it automatically before displaying
    the map. My watch connects to it. I need it always on.



    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Wednesday, April 22, 2026 18:32:34
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    Carlos E.R. wrote:
    AJL wrote:


    I know that there are flaws in Bluetooth that allow a passerby to get
    entrance into a phone. They recommend people to disable BT, but that is
    not feasible.

    I do have a Bluetooth on/off switch on my Galaxy S10+. I think it's been
    off since the beginning but not for security but more likely because I
    just didn't use it. Also perhaps to save some battery? I just don't
    remember.


    But I do use it. My car connects to it automatically before displaying
    the map. My watch connects to it. I need it always on.

    Ah. I misunderstood. I thought you couldn't turn off Bluetooth not that you
    didn't want to. Well let's just hope your car doesn't leave unexpectedly or
    your watch makes you late... 8-O

    BTW I think I'm pretty safe because my trusty $6 (US) Amazon watch is
    guaranteed not to talk to bad guys...


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 21:18:23
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-22 20:32, AJL wrote:
    Carlos E.R. wrote:
    AJL wrote:


    I know that there are flaws in Bluetooth that allow a passerby to get
    entrance into a phone. They recommend people to disable BT, but that is
    not feasible.

    I do have a Bluetooth on/off switch on my Galaxy S10+. I think it's
    been off since the beginning but not for security but more likely
    because I just didn't use it. Also perhaps to save some battery? I just
    don't remember.

    But I do use it. My car connects to it automatically before displaying
    the map. My watch connects to it. I need it always on.

    Ah. I misunderstood. I thought you couldn't turn off Bluetooth not that you didn't want to. Well let's just hope your car doesn't leave unexpectedly or your watch makes you late... 8-O

    BTW I think I'm pretty safe because my trusty $6 (US) Amazon watch is guaranteed not to talk to bad guys...


    My point is that security guys are crying wolf every day saying that BT
    is dangerous, and that we must turn it off till the moment we need it.
    But that's impossible, many things require BT to be constantly on.

    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 21:41:24
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-22 21:33, Maria Sophia wrote:
    Carlos E.R. wrote:
    BTW I think I'm pretty safe because my trusty $6 (US) Amazon watch is
    guaranteed not to talk to bad guys...


    My point is that security guys are crying wolf every day saying that BT
    is dangerous, and that we must turn it off till the moment we need it.
    But that's impossible, many things require BT to be constantly on.

    Hi Carlos,

    We posted at the same time, where my hearing aids are bluetooth, and, of course, in a car, bluetooth is fantastic, but I turn off BT all the time.

    My point though, is that each of our susceptibility to CVE's is different.

    If there is a BT CVE, it won't affect me in the least, most likely.
    And yet, it may affect you a lot.

    What I'm bringing up that is on topic is that the threats are dependent
    on our phone, it's patch level, and more than anything, on what we do.

    Another example is someone clicking on a link inside of an SMS message.
    I don't think I've ever done that (unless it's from my wife or kids).
    So a serious CVE based on someone clicking a link isn't my concern.

    I do it often. It is required to sign contracts, for example.

    ...


    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Wednesday, April 22, 2026 22:50:33
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-22 22:31, Maria Sophia wrote:
    Carlos E.R. wrote:
    Another example is someone clicking on a link inside of an SMS message.
    I don't think I've ever done that (unless it's from my wife or kids).
    So a serious CVE based on someone clicking a link isn't my concern.

    I do it often. It is required to sign contracts, for example.

    I've had to sign paperwork with secure esign where I would never think of doing that on a phone, for a huge variety of reasons (not the least of
    which is how puny a phone is for reading fine print).

    I do that on the PC and even then, since my PC is hardened, it's a bitch.

    Often I am not given any option. It is phone, or phone. And I was at the physical shop, the last two contracts. Paper not accepted.


    But this fact that each of us is different underlies my rationale that a simple looooooooooooooong list of CVEs isn't all that useful for any of us.

    What we need is a list of CVEs that
    a. Affect only our devices
    b. And are based on actions that we do

    Of course, zero-click CVEs are the exception.

    I think it's possible, and, in fact, since I have solved some of the most difficult problems on earth when I was working in Silicon Valley, I could certainly solve it, but it's not something I will be spending energy on.

    Since I'm not likely going to invest energy solving it, I'm assuming
    someone else already did, but we have to find that particular site.

    Too-simply stated, it would, IMHO, ask for how we use the phone.
    And then it would show us the CVE's that are unpatched that affect us.

    Of course I can read the CVEs, but it is a full time job.

    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
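    A worked version of the "process" asked for in the link-list post above
    (cve.org, NVD, CISA KEV, the Android and Samsung bulletins) and of the
    wish in the post just above (a list of CVEs that affect only our devices
    and depend on actions we do, with zero-click as the exception). This is
    an added example written for this thread, not code from any poster or
    vendor. Everything below the imports is an assumption: the record layout,
    the "component" labels (an analyst has to attach those; that is the
    translation job Carlos wants done), and the five sample entries, whose
    IDs are placeholders and not real CVEs. Only the CVSS v3.1 vector grammar
    is real. In practice the patch-level date comes from
    `adb shell getprop ro.build.version.security_patch`, the fix dates from
    the monthly bulletins, the vectors from NVD and the exploited flag from
    the KEV feed.

```python
"""Triage a CVE list against one phone's patch level and one owner's habits.

Added example for the newsgroup thread, not code from any poster or vendor.
Record layout, component labels and every sample entry are constructed for
the demonstration (placeholder IDs, not real CVEs). Only the CVSS v3.1
vector grammar is the real one.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Profile:
    # `adb shell getprop ro.build.version.security_patch` prints e.g. 2023-10-01
    security_patch: date
    bluetooth_on: bool          # radio left on (car, watch, hearing aids)
    opens_sms_links: bool       # taps links in SMS / messaging apps
    runs_untrusted_apps: bool   # sideloads or installs apps of unknown origin


@dataclass
class Record:
    cve: str
    fixed_in_patch: date   # patch level of the bulletin that shipped the fix
    vector: str            # CVSS v3.1 base vector from NVD
    score: float           # CVSS base score
    component: str         # assumed analyst label: bluetooth, browser, messaging, modem, kernel ...
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities


def parse_cvss31(vector: str) -> dict[str, str]:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    head, *metrics = vector.split("/")
    if head != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    return dict(m.split(":", 1) for m in metrics)


def exposure(rec: Record, prof: Profile) -> str | None:
    """Why this CVE still matters for this phone and owner, or None if it does not."""
    if rec.fixed_in_patch <= prof.security_patch:
        return None                      # the device already carries the fix
    m = parse_cvss31(rec.vector)
    av, ui = m["AV"], m["UI"]
    if av == "P":
        return "needs physical access"   # lost or stolen phone scenario
    if av == "L":
        # a local vector on a phone means a malicious app already on the device
        return "needs a malicious app on the device" if prof.runs_untrusted_apps else None
    if av == "A" and rec.component == "bluetooth" and not prof.bluetooth_on:
        return None                      # adjacent-range BT bug, radio is off
    if ui == "N":
        return "zero-click"              # no owner action needed: always in scope
    # UI:R -> the owner has to do something, typically open a link or a file
    if rec.component in ("browser", "messaging") and not prof.opens_sms_links:
        return None
    return "needs the owner to open a link or file"


def triage(records: list[Record], prof: Profile) -> list[tuple[str, str, float, bool]]:
    """(cve, reason, score, in_kev) for every applicable record, worst first.
    Known-exploited entries outrank score; ties break on CVE id."""
    hits = []
    for rec in records:
        reason = exposure(rec, prof)
        if reason is not None:
            hits.append((rec.cve, reason, rec.score, rec.in_kev))
    return sorted(hits, key=lambda h: (not h[3], -h[2], h[0]))


# Constructed sample records (placeholder IDs, not real CVEs).
SAMPLE = [
    Record("CVE-0000-0001", date(2024, 3, 5),
           "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "modem", True),
    Record("CVE-0000-0002", date(2024, 1, 5),
           "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 8.8, "bluetooth", False),
    Record("CVE-0000-0003", date(2023, 9, 5),
           "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 8.8, "browser", False),
    Record("CVE-0000-0004", date(2024, 5, 5),
           "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 8.8, "browser", False),
    Record("CVE-0000-0005", date(2024, 2, 5),
           "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.8, "kernel", False),
]

# Two owners of the same phone (hypothetical patch level 2023-10-01).
CAR_AND_WATCH = Profile(date(2023, 10, 1), bluetooth_on=True,
                        opens_sms_links=True, runs_untrusted_apps=False)
RADIO_OFF = Profile(date(2023, 10, 1), bluetooth_on=False,
                    opens_sms_links=False, runs_untrusted_apps=False)

if __name__ == "__main__":
    for name, prof in (("BT on, taps links", CAR_AND_WATCH), ("BT off, no links", RADIO_OFF)):
        print(name)
        for cve, reason, score, kev in triage(SAMPLE, prof):
            print(f"  {cve} {score:>4} {'KEV ' if kev else '    '}{reason}")
```

    The two profiles are the two positions in this thread: with Bluetooth on
    and links opened, the adjacent-range Bluetooth bug and the browser bug
    both stay on the list; with both habits off they drop out, and the
    zero-click modem entry survives either way because no habit protects
    against it. The one thing the script cannot supply is the component
    label and the patch date per entry; those come from reading the bulletin,
    which is exactly the analysis work the thread says somebody has to do.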
  • From AJL@3:633/10 to All on Wednesday, April 22, 2026 22:01:35
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/22/26 12:18 PM, Carlos E.R. wrote:
    On 2026-04-22 20:32, AJL wrote:


    I think I'm pretty safe because my trusty $6 (US) Amazon watch is
    guaranteed not to talk to bad guys...

    My point is that security guys are crying wolf every day saying that BT
    is dangerous, and that we must turn it off till the moment we need it.

    But maybe they're not crying wolf. Maybe you've been lucky?

    But that's impossible, many things require BT to be constantly on.

    My cars came with built in maps and direction capabilities. So no BT needed.
    As always YMMV...





    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Thursday, April 23, 2026 13:14:36
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-23 00:01, AJL wrote:
    On 4/22/26 12:18 PM, Carlos E.R. wrote:
    On 2026-04-22 20:32, AJL wrote:

    I think I'm pretty safe because my trusty $6 (US) Amazon watch is
    guaranteed not to talk to bad guys...

    My point is that security guys are crying wolf every day saying that
    BT is dangerous, and that we must turn it off till the moment we need it.

    But maybe they're not crying wolf. Maybe you've been lucky?

    But that's impossible, many things require BT to be constantly on.

    My cars came with built in maps and direction capabilities. So no BT
    needed. As always YMMV...

    There is also the smart watch. It needs BT.

    Yes, I also have a TomTom which is independent from my phone (actually,
    when I bought it, it needed my BT for internet, but I managed to change
    that). But basically all cars today come with a smart display that
    connect to smartphones, be them iphones or androids, with a cable or
    radio. And that display does way more than maps. Phone calls, messages,
    play podcasts, radio on internet, weather forecasts, etc.


    So, I should, in theory, make sure that my phone is security up to date.


    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Thursday, April 23, 2026 14:49:04
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    AJL <noemail@none.com> wrote:
    On 4/22/26 2:45 AM, Carlos E.R. wrote:
    [...]
    No, I do not want a chauffeur. I simply want somebody that has the
    expertise to analyze CVEs and translate them for common people, telling
    me the summary and what I should really care about.

    Yup. I Googled Galaxy S10+ CVE and found what I (a common people?) was
    already pretty sure of:

    <https://www.androidauthority.com/samsung-exynos-vulnerability-attack-3494479/>
    And that was just the first try. Bet there's lots more. So confirmation that
    my old phone's definately not good for sensitive stuff. Give it a try
    Frank...

    I did a similar search for our A51 phones (one still in use). The "AI
    Overview" lists "Key Vulnerabilities and Patches" including the
    Exynos modem, but these were all patched in (dated) updates.

    The search did not specifically list any vulnerabilities which were
    *not* patched for this out-of-support device.

    So the kind of information Carlos is looking for, is not readily
    available, hence his wish.

    Anyway, as I (think I) mentioned before, that the *device*/*OS* has
    outstanding non-fixed vulnerabilities, does not mean that an *app* on
    such a device can not be secure (provided the device's biometrics, etc.
    are not compromised).

    That said, most 'banking' I do on my phone [1] is *reading* (past transactions, etc.), not performing transactions. Most, if not all, transactions are done on my (probably totally insecure :-)) laptop, in
    the privacy of my (probably totally insecure :-)) home.

    [1] which still is in support

    [...]

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Thursday, April 23, 2026 15:08:26
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    AJL <noemail@none.com> wrote:
    On 4/22/26 12:18 PM, Carlos E.R. wrote:
    On 2026-04-22 20:32, AJL wrote:

    I think I'm pretty safe because my trusty $6 (US) Amazon watch is
    guaranteed not to talk to bad guys...

    My point is that security guys are crying wolf every day saying that BT
    is dangerous, and that we must turn it off till the moment we need it.

    But maybe they're not crying wolf. Maybe you've been lucky?

    But that's impossible, many things require BT to be constantly on.

    My cars came with built in maps and direction capabilities. So no BT needed.
    As always YMMV...

    I use Bluetooth for Android Auto in rental cars, much easier to use a navigation app which I know, than to try to figure out how the heck the built-in (if any) navigation system works.

    Like Carlos, I also need Bluetooth for my watch/activity-tracker.

    And I need Bluetooth for the Quick Share file transfers from my laptop
    to my phone and vice versa. Of course I could switch on/off Bluetooth on
    both devices before/after use, but that is way too cumbersome.

    And last but not least, as Bluetooth is a Dutch invention, I must have
    it on all the time! :-)

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Thursday, April 23, 2026 16:28:18
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/23/26 2:37 AM, Andy Burns wrote:
    AJL wrote:

    My cars came with built in maps and direction capabilities. So no BT
    needed.
    As always YMMV...

    I find most built-in satnavs are poor compared to Waze/Google.

    I was just pointing out that the BT paranoid can live without it if wanted.
    I can use my phone's navigation (Google) in its holder since it has loud
    audio no BT to the car needed. But in some past trips and locally Google
    suggested poor routing IMO. These days I use the wife. She uses her iPhone
    and tells me where to go. It seem to do well and of course I'm used to her
    telling me where to go...



    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Thursday, April 23, 2026 17:30:09
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/23/26 4:14 AM, Carlos E.R. wrote:

    There is also the smart watch. It needs BT.

    Lots of toys need BT. Depends on personal wants and needs. My first watch in
    the 1940s and my current $6 Amazon watch do about the same thing: Tell
    time. I'm satisfied. YMMV...


    So, I should, in theory, make sure that my phone is security up to date.

    Me too. Wait, I can't... 8-O



    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Thursday, April 23, 2026 17:57:17
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/23/26 7:49 AM, Frank Slootweg wrote:

    as I (think I) mentioned before, that the *device*/*OS* has
    outstanding non-fixed vulnerabilities, does not mean that an *app* on
    such a device can not be secure (provided the device's biometrics, etc.
    are not compromised).

    Agreed. The problem is how to KNOW FOR SURE that the app is safe. I use many
    apps on my phone (like this PhoNews newsreader), but not sensitive apps
    (like my banking apps). I think that is just common sense on an old no
    longer security updated phone like mine.

    That said, most 'banking' I do on my phone [1] is *reading* (past
    transactions, etc.), not performing transactions. Most, if not all,
    transactions are done on my (probably totally insecure :-)) laptop, in
    the privacy of my (probably totally insecure :-)) home.

    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new transactions
    such as transferring out money to a perps account. Since I have no NEED of
    those apps on my security challenged phone, why take a chance...





    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Thursday, April 23, 2026 18:10:35
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/23/26 8:08 AM, Frank Slootweg wrote:

    I use Bluetooth for Android Auto in rental cars, much easier to use a
    navigation app which I know, than to try to figure out how the heck the
    built-in (if any) navigation system works.

    Like Carlos, I also need Bluetooth for my watch/activity-tracker.

    And I need Bluetooth for the Quick Share file transfers from my laptop
    to my phone and vice versa. Of course I could switch on/off Bluetooth on
    both devices before/after use, but that is way too cumbersome.

    And last but not least, as Bluetooth is a Dutch invention, I must have
    it on all the time! :-)

    I suspect that you and Carlos are like 99% of the population. An Apple Watch
    (gasp) even lives in my house. Dunno if it uses BT or not. Probably does.
    Heck when the wife has a problem with her iPad/iWatch she's on her own. I
    don't have a clue. Fortunately grandkids come in handy for fixing
    electronic toys like that...



    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Thursday, April 23, 2026 21:05:05
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-23 19:57, AJL wrote:
    On 4/23/26 7:49 AM, Frank Slootweg wrote:

    as I (think I) mentioned before, that the *device*/*OS* has
    outstanding non-fixed vulnerabilities, does not mean that an *app* on
    such a device can not be secure (provided the device's biometrics, etc.
    are not compromised).

    Agreed. The problem is how to KNOW FOR SURE that the app is safe. I use
    many
    apps on my phone (like this PhoNews newsreader), but not sensitive apps
    (like my banking apps). I think that is just common sense on an old no
    longer security updated phone like mine.

    That said, most 'banking' I do on my phone [1] is *reading* (past
    transactions, etc.), not performing transactions. Most, if not all,
    transactions are done on my (probably totally insecure :-)) laptop, in
    the privacy of my (probably totally insecure :-)) home.

    My banking, investment, etc, apps all require a password to read past transactions. And once in they require nothing further for new transactions such as transferring out money to a perps account. Since I have no NEED of those apps on my security challenged phone, why take a chance...

    Banks here demand you confirm the password using the phone, the computer
    is not enough anymore.

    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Thursday, April 23, 2026 19:54:41
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    AJL <noemail@none.com> wrote:
    On 4/23/26 7:49 AM, Frank Slootweg wrote:

    as I (think I) mentioned before, that the *device*/*OS* has
    outstanding non-fixed vulnerabilities, does not mean that an *app* on
    such a device can not be secure (provided the device's biometrics, etc.
    are not compromised).

    Agreed. The problem is how to KNOW FOR SURE that the app is safe. I use many
    apps on my phone (like this PhoNews newsreader), but not sensitive apps
    (like my banking apps). I think that is just common sense on an old no
    longer security updated phone like mine.

    As (I think) I mentioned, I consider the banking app(s) safe if the
    bank(s) still support the 'old' Android version (in our case Android
    13). If they do and anything goes wrong which is not user-caused,
    they'll have a hard time not reimbursing the (financial) damages. While
    this is not cast-in-stone in law, it is common practice in our country
    and probably is most of the EU/Europe.

    Another safety example: Our governmental/official-institutions ID
    system (DigiD [1]), still supports Android 13 (and possibly earlier).

    That said, most 'banking' I do on my phone [1] is *reading* (past
    transactions, etc.), not performing transactions. Most, if not all,
    transactions are done on my (probably totally insecure :-)) laptop, in
    the privacy of my (probably totally insecure :-)) home.

    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new transactions
    such as transferring out money to a perp's account. Since I have no NEED of
    those apps on my security challenged phone, why take a chance...

    That is indeed not very secure. Ours (can) use biometrics like
    fingerprint (which is what we use) and face recognition to get in *and*
    to approve transactions. They can use PIN instead of biometrics, but I
    don't consider that secure enough.

    [1] <https://en.wikipedia.org/wiki/DigiD>

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Thursday, April 23, 2026 19:54:41
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    AJL <noemail@none.com> wrote:
    On 4/23/26 8:08 AM, Frank Slootweg wrote:

    I use Bluetooth for Android Auto in rental cars, much easier to use a
    navigation app which I know, than to try to figure out how the heck the
    built-in (if any) navigation system works.

    Like Carlos, I also need Bluetooth for my watch/activity-tracker.

    And I need Bluetooth for the Quick Share file transfers from my laptop
    to my phone and vice versa. Of course I could switch on/off Bluetooth on
    both devices before/after use, but that is way too cumbersome.

    And last but not least, as Bluetooth is a Dutch invention, I must have
    it on all the time! :-)

    I suspect that you and Carlos are like 99% of the population. An Apple Watch
    (gasp) even lives in my house. Dunno if it uses BT or not. Probably does.
    Heck when the wife has a problem with her iPad/iWatch she's on her own. I
    don't have a clue. Fortunately grandkids come in handy for fixing
    electronic toys like that...

    Look at these 'watches', like you look at our 'phones'. With our
    'phones', we do many, many things, but using them as a *phone* is only a
    small - if any - part of what we do with them. Same story with these
    'watches'.

    Phone, smartphone. Watch, smartwatch. You get the picture.

    BTW, my watch isn't a 'smartwatch' by the most common definitions.
    That's why I normally use the term 'activity-tracker', you know, for
    when I run the Boston marathon! :-)

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Thursday, April 23, 2026 20:00:03
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2026-04-23 19:57, AJL wrote:
    [...]
    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new
    transactions such as transferring out money to a perp's account. Since I
    have no NEED of those apps on my security challenged phone, why take a
    chance...

    Banks here demand you confirm the password using the phone, the computer
    is not enough anymore.

    For our banks we can still use a bank-supplied hardware device which
    reads your card, needs your card PIN and then generates a TOTP code. We
    have had those devices for eons, before smartphones even existed and
    they will probably be around for a long time for elderly people (like
    me! :-)).

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
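Frank names TOTP as what his bank-supplied reader produces. Below is an RFC 6238 TOTP generator together with the server-side check, written in Python as an added example for this thread; it is not code from any poster here nor from any bank's device, and the page says nothing about those readers' internals (the card-plus-PIN step is not modelled). The secret is the RFC 6238 reference test secret, so the codes can be checked against the RFC's own table; the clock-skew window and the "last accepted counter" replay check are the usual server-side details a practitioner would expect.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference test secret (ASCII "12345678901234567890"). Authenticator
# apps usually receive it base32-encoded, which is what an enrolment QR code carries.
B32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(B32_SECRET)


def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, t0: int = 0,
         digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 'step' seconds elapsed since t0."""
    return hotp(secret, (at - t0) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, t0: int = 0,
                digits: int = 8, algo=hashlib.sha1) -> Optional[int]:
    """Server-side check. Returns the time-step counter that matched, or None.

    - accepts the current step plus/minus 'window' steps to tolerate clock skew;
    - refuses any counter at or below 'last_counter', so a code that was already
      accepted cannot be replayed while it is still inside the window;
    - compares with hmac.compare_digest and does not stop at the first hit.
    The caller must persist the returned counter as the new last_counter.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    current = (at - t0) // step
    matched = None
    for k in range(-window, window + 1):
        candidate = current + k
        expected = hotp(secret, candidate, digits, algo)
        if hmac.compare_digest(expected, code) and candidate > last_counter:
            matched = candidate
    return matched


if __name__ == "__main__":
    # Times from the RFC 6238 test table (8 digits, SHA-1, 30 s step).
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(t, totp(SECRET, t))
    now = int(time.time())
    print("accepted at counter", verify_totp(SECRET, totp(SECRET, now), now))
```

The window makes a code valid for up to three 30-second steps, which is why the server must also remember the last counter it accepted: without that, a code phished in the first seconds of its life can be used again by the attacker before it expires.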
  • From AJL@3:633/10 to All on Thursday, April 23, 2026 20:10:01
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/23/26 12:05 PM, Carlos E.R. wrote:
    On 2026-04-23 19:57, AJL wrote:

    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new transactions
    such as transferring out money to a perp's account. Since I have no NEED of
    those apps on my security challenged phone, why take a chance...

    Banks here demand you confirm the password using the phone, the computer
    is not enough anymore.

    Here it's by text or email depending on the organization. 2 factor
    authorization (2FA). On most of my accounts when I do the first log in and
    get the 2FA security code, I can authorize the device and from then on only
    the PW is needed on that device...



    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Carlos E.R.@3:633/10 to All on Thursday, April 23, 2026 22:41:09
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-23 22:00, Frank Slootweg wrote:
    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2026-04-23 19:57, AJL wrote:
    [...]
    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new transactions
    such as transferring out money to a perp's account. Since I have no NEED of
    those apps on my security challenged phone, why take a chance...

    Banks here demand you confirm the password using the phone, the computer
    is not enough anymore.

    For our banks we can still use a bank-supplied hardware device which
    reads your card, needs your card PIN and then generates a TOTP code. We
    have had those devices for eons, before smartphones even existed and
    they will probably be around for a long time for elderly people (like
    me! :-)).

    My bank did not provide them, and does not, as far as I know. Maybe
    special clients.

    What it did was give us a card with 50 pin codes, and each time it would
    ask for a random pin of the lot.

    I have an old neighbour who I know doesn't have a smartphone, not even a
    simple mobile phone. I don't know how he handles the bank.

    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From AJL@3:633/10 to All on Thursday, April 23, 2026 22:16:51
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 4/23/26 12:54 PM, Frank Slootweg wrote:
    AJL <noemail@none.com> wrote:

    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new transactions
    such as transferring out money to a perp's account. Since I have no NEED of
    those apps on my security challenged phone, why take a chance...

    That is indeed not very secure.

    With 2FA it is reasonably secure. And security is in entering the app/site
    securely on a secure device, not the capabilities offered once inside.

    Ours (can) use biometrics like
    fingerprint (which is what we use) and face recognition to get in *and*
    to approve transactions

    Yup. My old phone can do that with financial apps too. However I think that
    most would agree that using sensitive apps on an almost 7 year old non-updated
    phone is still unwise.

    to get in *and*
    to approve transactions. They can use PIN instead of biometrics, but I
    don't consider that secure enough.

    So you consider your not up to date phone safe for some apps but worry about
    a pin? Perhaps you should use more than a one digit pin... ;)



    [1] <https://en.wikipedia.org/wiki/DigiD>



    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Friday, April 24, 2026 14:09:20
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    AJL <noemail@none.com> wrote:
    On 4/23/26 12:54 PM, Frank Slootweg wrote:
    AJL <noemail@none.com> wrote:

    My banking, investment, etc, apps all require a password to read past
    transactions. And once in they require nothing further for new transactions
    such as transferring out money to a perp's account. Since I have no NEED of
    those apps on my security challenged phone, why take a chance...

    That is indeed not very secure.

    With 2FA it is reasonably secure. And security is in entering the app/site
    securely on a secure device, not the capabilities offered once inside.

    Yes, I saw that in another response (to Carlos) you mentioned that
    the app/site has a 'trust this device' facility, which indeed provides
    the needed security.

    Several people often whine about 2SV via SMS/e-mail not being secure,
    but if that's all that is offered, one has to deal with that.

    Ours (can) use biometrics like
    fingerprint (which is what we use) and face recognition to get in *and*
    to approve transactions
    [...]
    to get in *and*
    to approve transactions. They can use PIN instead of biometrics, but I
    don't consider that secure enough.

    So you consider your not up to date phone safe for some apps but worry about
    a pin?

    We can get into the *phone* with a fingerprint or a PIN (can choose
    which one when you want to unlock the phone), but for the *banking
    apps*, it's (configurable) fingerprint *or* PIN. I.e. if you have
    configured for fingerprint, you can't get in with a PIN and vice versa.

    Perhaps you should use more than a one digit pin... ;)

    That's a splendid idea! Thanks much!

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
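AJL's "authorize the device and from then on only the PW is needed" and Frank's "trust this device facility" both describe the same mechanism: after one successful SMS/e-mail code, the server hands the app a long-lived credential that stands in for the second factor. The Python below is an added example of how such a credential is minted and checked; it is not code from any bank, app or poster in this thread, and the claim names, 30-day lifetime and key handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical server-only signing key. In a real deployment it lives in a
# KMS/HSM; rotating it invalidates every outstanding device token at once.
SERVER_KEY = bytes(range(32))


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(key: bytes, user_id: str, device_id: str,
                       now: int, ttl_days: int = 30) -> str:
    """Mint the 'trust this device' credential right after the OTP step succeeded.

    It is a bearer token: whoever holds it (including malware that can read the
    app's storage on a compromised phone) gets the same second-factor bypass.
    """
    claims = {"u": user_id, "d": device_id, "iat": now, "exp": now + ttl_days * 86400}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def device_is_trusted(key: bytes, token: Optional[str], user_id: str,
                      device_id: str, now: int) -> bool:
    """True only if the token is authentic, unexpired and bound to this user and device."""
    if not token or token.count(".") != 1:
        return False
    try:
        payload, tag = (_unb64(part) for part in token.split("."))
    except ValueError:                       # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # authenticate before parsing untrusted JSON
        return False
    claims = json.loads(payload)
    return (claims.get("u") == user_id and claims.get("d") == device_id
            and now < claims.get("exp", 0))


def login(key: bytes, user_id: str, password_ok: bool, device_id: str,
          token: Optional[str], otp_ok: Optional[bool], now: int) -> Tuple[str, Optional[str]]:
    """Return ('denied' | 'need_otp' | 'ok', token-to-store-on-the-device-or-None).

    otp_ok is the outcome of the SMS/e-mail code check, or None if no code was entered.
    """
    if not password_ok:
        return "denied", None
    if device_is_trusted(key, token, user_id, device_id, now):
        return "ok", token                   # password alone suffices on a trusted device
    if otp_ok is True:
        return "ok", issue_device_token(key, user_id, device_id, now)
    return "need_otp", None


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed timestamp for the demo
    status, tok = login(SERVER_KEY, "maria", True, "pixel-4a", None, True, t0)
    print(status, tok)
    print(login(SERVER_KEY, "maria", True, "pixel-4a", tok, None, t0 + 86400))
    print(login(SERVER_KEY, "maria", True, "other-phone", tok, None, t0 + 86400))
```

Two things follow for the thread's question. The device id is whatever the client reports, so binding to it stops an accidental cross-device replay but not an attacker who copies both values out of the app; and because the token is checked only against the server key and its expiry, the only remedies after a suspected theft are expiring it early or rotating the key. That is why "trust this device" lowers the bar on a phone whose OS can no longer be patched: the second factor is then only as safe as the storage that holds the token.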
  • From Carlos E.R.@3:633/10 to All on Saturday, April 25, 2026 14:13:04
    Subject: Re: Q: What threats do we really face when our phones are not fully patched?

    On 2026-04-24 16:09, Frank Slootweg wrote:
    AJL <noemail@none.com> wrote:
    On 4/23/26 12:54 PM, Frank Slootweg wrote:
    AJL <noemail@none.com> wrote:

    ...

    So you consider your not up to date phone safe for some apps but worry about
    a pin?

    We can get into the *phone* with a fingerprint or a PIN (can choose
    which one when you want to unlock the phone), but for the *banking
    apps*, it's (configurable) fingerprint *or* PIN. I.e. if you have
    configured for fingerprint, you can't get in with a PIN and vice versa.

    My bank app asks for a pin, but a button makes it ask for the
    fingerprint instead.

    Notice that the app uses the OS for the actual fingerprint code. The app
    did not ask me to "calibrate" with my finger, it just accepts that OS
    says "yes, this is the proper finger". Maybe it would accept my face as
    well, I have not tried. Generically, biometrics.



    --
    Cheers, Carlos.
    ES??, EU??;

    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)