To keep users secure, vendors should unlock abandoned devices

The rapid pace of new releases had led to many products being prematurely abandoned by vendors, with users losing out on security. James Sanders makes the case for requiring bootloader unlocking.

Image: iStockphoto/jgroup

Sometimes, products just don't work out. Not everything can succeed, and this is normal. Some gadgets are simply ahead of their time, and their features are refined and reintroduced in new, more successful products.

The problem then becomes what to do with the hardware that is now unsupported. Early adopters assume some risk when buying products, but leaving users without security updates, or the means to update devices themselves, is untenable.

Why is this suddenly a problem?

Previous devices were not nearly as locked down as modern smartphones, tablets, and other connected gadgets. With such restrictions as locked bootloaders and UEFI, devices now have a shorter shelf life after official support ends.

Early tablets that ran Windows—like the Fujitsu Stylistic ST4000—were not particularly successful, but users would not be affected by their discontinuation, as the software was still upgradable for the normal lifetime of the device.

In contrast, tablets running the now-discontinued Windows RT like the Nokia Lumia 2520 and Microsoft Surface won't receive Windows 10. With an unlocked bootloader, users could install alternative operating systems that are still in active development—as was the case when the abruptly-discontinued HP TouchPad received Android via Cyanogenmod.

With the always-connected nature of phones (and, practically everything else now), the importance of vigilance in security is higher than ever. Google recently revised the update process for Android, providing monthly security updates in the wake of high-profile issues such as Stagefright, which required an OS-level patch that could not be delivered by the Play Store. Considering the extent to which smartphones are an integral part of social and work life, having proper security on a device that won't be prematurely abandoned is vital.

In the world of Android, the extent to which the update process is broken is immense. Mobile carriers charge phone vendors non-trivial amounts of money to test and deploy software updates, often adding non-removable bloatware in the process. As a result, it is commonplace to own several devices with completely different versions of Android because of issues with carrier update delays and manufacturers prematurely abandoning support for devices. The problem is compounded when manufacturers fail to provide updates on certain carriers, while other carriers and unlocked phones receive updates.

A reasonable expectation of a product lifecycle

The 2nd generation Moto X was released on September 5, 2014, with Android 4.4.4. At present, that makes it about 15 months old. All models of the phone received an update to 5.0, which was released about a month after launch, and 5.1. Motorola is a well-established company, and following their internal reorganization after their acquisition by Google and subsequent sale to Lenovo, had developed a reputation for rapid and prompt software updates.

However, with the announcement of Android 6.0 ("Marshmallow"), this reputation has been jeopardized due to the erratic way in which updates are offered. Unlocked versions of the Moto X ("Pure Edition"), as well as carrier-branded versions for U.S. Cellular and international versions of the phone, receive the update to Marshmallow, but users on AT&T and Verizon will not receive the update, despite owning the same phone. In response, Motorola has provided the option for Verizon users to unlock their bootloaders, but AT&T users are simply stuck with outdated software and, by extension, weakened security.

The update situation is not entirely the fault of carriers, however. The 2015 Moto E, an entry-level smartphone released on February 25, received one update to Android 5.1. With Motorola's initial announcement of phones to receive 6.0, the phone was omitted from the list—just seven months after its launch. This is par for the course with lesser Android OEMs, though Motorola claimed to be different, with their President and COO Rick Osterloh claiming in a promotional video that: "We're also providing great customer service and software upgrades that continue long after you buy the phone." After a public outcry, Motorola reversed course and announced plans to update the 2015 Moto E, but only in Latin America, Canada, Europe, and Asia (excluding China), but not in the United States.

To their credit, you can unlock the bootloader, and with Cyanogenmod, you can update your 2015 Moto E or 2014 Moto X to Android 6.0, keeping you up to date on security. This is more than can be said for most OEMs, and most devices. It shouldn't be necessary but, at a minimum, it provides users with an option.

Security and the enterprise angle

Whether with BYOD policies or corporate device deployment, coordinating security measures is challenging under normal circumstances—doubly so for Android. With unlocked bootloaders, enterprise IT shops are able to deploy internal ROMs to extend support for devices abandoned by their manufacturers, using projects like Cyanogenmod as a base. Granted, it is not an optimal solution, but it is a preferable alternative to running insecure, outdated software.

What's your view?

Have you been disappointed by the lack of manufacturer support for your phone, tablet, or other device? Do you run a custom ROM on your Android device? Are you still using something long discontinued? Share your thoughts in the comments.

Also see


James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks

Free Newsletters, In your Inbox