Consumers love new technology. New iterations of iPhones or brand-specific Androids are embraced by devotees looking to analyze the latest features, dissect any potential flaws and conduct entirely biased comparisons to determine which device is best.

Beyond the high-profile advertising that accompanies emerging tech, however, is the underlying software update that typically addresses issues such as system performance, stability and security. But what does this mean for users who can’t or refuse to shell out for the latest versions of their devices? Is the increasingly rapid technology upgrade pace putting money-conscious consumers at risk?

The Device Decision

Five years ago, every new iPhone model came with a host of new features, such as Siri or the front-facing camera for selfies. Android manufacturers, meanwhile, developed their own specializations and began offering niche devices depending on user preferences. Some opted for high-end screens and resolutions, while others moved toward more rugged functionality and lower costs. But the evolution of technology has now caught up with consumer appetite, forcing device manufacturers to streamline their offerings and focus on smaller, quality-of-life improvements over flashy revelations.

While improved security doesn’t top the list of must-have user features, it has become a critical part of the mobile device discussion, especially as malware-makers improve their attacks and find new routes into victims’ smartphones and tablets. As a result, many companies are building in better security software to minimize the risk of compromise.

But users aren’t keeping pace. As noted by The Wall Street Journal, the device replacement cycle is lengthening. Owners are no longer looking to replace their smartphone in 12 to 18 months, instead opting for a two-and-a-half-year turnaround. Lack of significant feature updates is one key reason for this shift, but cost is also a factor, since many devices retail for $500 to $700 upfront if users want to avoid a contract. Add in the demise of the two-year phone agreement, and it’s no surprise that consumers with perfectly serviceable smartphones aren’t beating down the doors to grab the latest edition.

Even Apple’s move to a 12-month upgrade plan that saw customers leasing their phones directly from the tech manufacturer fell flat, since more than 75 percent of device owners now purchase their phones directly from wireless carriers. For these reasons, older smartphones are active longer as users wait for big upgrades and better deals.

Touchy Subject

The slower rate of replacement, however, does come with concerns beyond the bottom line of manufacturers. Most mobile producers roll out new software when they release new devices. This software often comes with a host of security tweaks and features. Some of these tweaks may be critical, but most address a hodgepodge of potential vulnerabilities collected throughout the life cycle of the previous device. Does having fewer users opt for upgrades mean reduced overall security?

Consider the recent addition of the press-to-unlock feature in iOS 10. As noted by CNET, traditional swiping left-to-right on the lock screen will only bring up cameras and widgets instead of activating TouchID or the PIN code screen. Now, users must hold down the home button — not too long or they’ll start a conversation with Siri, but just long enough for the device to scan a fingerprint and unlock.

Older versions of the OS don’t support this feature, meaning they’re out of sync with the most recent updates. In fact, very old iterations don’t support TouchID at all. What’s more, many users hate the new press-to-unlock feature, opting instead for the rest-to-wake alternative, which can be activated via the Settings menu. The result is a kind of fractured security experience: Some users have tapped the latest offering, some have modified it to suit their needs and others have opted to steer clear of the OS altogether.

The Android Alternative

Android, meanwhile, has its own set of issues. As noted by Recode, the use of Android OS versions supplied by chip manufacturers rather than Google itself has left some devices vulnerable to flaws such as Quadrooter. Meanwhile, Computerworld pointed out that the sheer number of device manufacturers in the Android space — there are more than 3,700 individual Android products available on the market — makes it difficult for companies to rein in security threats in a bring-your-own-device (BYOD) environment.

Android’s biggest security problems stem from platform variations. According to the official Android developer blog, just over 26 percent of devices were running the second-newest OS iteration, Marshmallow, as of Dec. 5, 2016. More than 30 percent still use some form of its predecessor, Lollipop, while 24 percent use the older KitKat version and upwards of 10 percent are running Jelly Bean from three software releases back. As a result, the task of pushing out security updates becomes a serious headache. Most won’t work across all versions, leaving entire subsets of the userbase without any way to reliably update and secure their devices.

Don’t Dodge the Latest Technology Upgrade

Historically, the desire for newer, faster and flashier devices drove consumers to purchase mobile tech on a short cycle, making it easier for companies to roll out improved features and security. But with consumers now passing on the latest technology upgrade to save money or avoid specific changes — such as Apple’s unpopular press-to-unlock alteration — it’s harder to push out broad security updates. Simply put, sales no longer boost security, and efforts to force users to adopt mandatory updates haven’t gone over well.

Ultimately, there’s no easy solution here. Smartphones have reached parity across the board, and users are more critical of new offerings than ever before. It’s time for device manufacturers to make software more compelling. If newer versions are tied to the latest and greatest devices and offer a transformative user experience, consumers might be persuaded to upgrade more frequently.
