How to make your old Android phone secure against Meltdown and Spectre vulnerabilities

Worried about the Meltdown and Spectre security flaws, but not ready to buy a new phone just yet? You're not alone and there are a few things you can do to keep "safer" from exploits on the phone you love (and already paid for).

The first thing you need to know is that neither Meltdown nor Spectre has been seen outside of a Google research lab. They're fairly serious bugs, so you shouldn't ignore them, but you do need to remember that they were found, patched and then announced by the Project Zero team at Google; they weren't found through suspicious activity or because others were using them to hack any data.

Of course, that doesn't mean nobody will try to use the flaws to hack others, so due diligence is still required.

A software update is the only real fix

Unfortunately, the only way to make your phone inherently secure against side-channel memory exploits is with an operating system update.

Not everyone is ready to install an unofficial OS on their phone, and that's OK.

For some phones, that's just not going to happen. Even for phones that were well supported when it came to updates and security patches — once they reach what's called end-of-life, no more are going to come. For Google's phones, that means anything older than the Nexus 6P or Nexus 5X isn't going to get a patched version of Android. Other companies will have different policies here, and you should check with the company that made your phone if you think it's new enough to still be supported.

There are other options, though. If your phone has an unlocked bootloader and you're feeling a bit adventurous you might find a community-built open-source version of Android made for your phone. Nexus phones and Samsung phones are popular models with "good hackers" and oftentimes community software is just as stable and feature-rich as the factory version. Once in a while, even more so.

We're not going to suggest that everyone try to load an alternative OS onto a phone, but if you have the basic computer know-how to give it a shot, head to XDA Developers and search to see what might be available.

Search for your phone at XDA Developers' forums

You'll find plenty of phones from Google, LG, Samsung, OnePlus, and more listed, and there's a good chance you'll find a new OS to install that is patched against Meltdown and Spectre.

The common sense approach

For most people, this is the way to go. Both Meltdown and Spectre are native exploits against computer hardware (remember, your phone is a tiny computer!), but both still require some sort of malware to be installed to do anything.

Thankfully, keeping yourself malware-free isn't nearly as difficult as some would want you to believe. Make sure you have a lock screen and encryption enabled on your phone so apps can't do anything while the screen is off, then follow three simple rules:

  • Only install software from Google Play
  • Read and understand any permissions an app asks for
  • Only use a web browser you can trust when it comes to security

The first is easy — stick to Google Play for all your apps. There are plenty of other trusted places to get Android apps, but when it comes to keeping safe from a security issue that's in the spotlight sticking with Google is the easy way to do it. And while every now and then you'll hear stories of apps slipping through official app stores from Apple and Google, these are rare instances and don't discredit the advice that sticking with those official stores is still the best practice. Sticking to Google means you have their tools in your corner, and things like Play Protect are nothing to sneeze at.

App permissions often don't make sense without some background information. Ask someone to be sure.

Permissions can be a bit more tricky. Apps written for phones running Android Marshmallow or newer will ask you for permissions before they do anything, and your phone has a spot in the settings where you can grant or block any app permissions. Software written for older versions will ask you before you install the app, but once you say yes and install, it assumes you really meant it and the app can do everything it asked to do (because you said it could!). If you see anything that looks strange when it comes to an app asking to do something on your phone, ask someone why before you say yes. An ounce of prevention and all that ...
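An added example, not from the original article: the install-time permission model described above applies to apps that target an API level below 23 (Marshmallow), and this script lists them along with the sensitive permissions they requested. It assumes the usual text layout of `dumpsys package` and runs on a constructed sample; on a phone with USB debugging enabled you would pipe `adb shell dumpsys package` into the function instead.

```sh
#!/bin/sh
# Added example: list apps that still use the pre-Marshmallow permission model.
# Assumed input layout: "Package [name]", "targetSdk=N", "requested permissions:".
legacy_permission_apps() {
  awk '
    function emit() {
      if (pkg != "" && sdk != "" && sdk + 0 < 23)
        print pkg, sdk, (perms == "" ? "-" : perms)
    }
    /^ *Package \[/ {                       # a new package record starts
      emit()
      pkg = $0; sub(/^.*\[/, "", pkg); sub(/\].*$/, "", pkg)
      sdk = ""; perms = ""; in_req = 0
      next
    }
    /targetSdk=/ { sdk = $0; sub(/^.*targetSdk=/, "", sdk); sub(/[^0-9].*$/, "", sdk) }
    /^ *requested permissions:/ { in_req = 1; next }
    in_req && /^ *[A-Za-z0-9_.]+(:.*)?$/ {  # one permission name per line
      p = $1; sub(/:.*$/, "", p)
      if (p ~ /CONTACTS|SMS|LOCATION|CAMERA|RECORD_AUDIO|CALL_LOG|STORAGE/) {
        sub(/^.*\./, "", p)                 # keep the short name (illustrative filter)
        perms = (perms == "" ? p : perms "," p)
      }
      next
    }
    in_req { in_req = 0 }                   # any other line ends the list
    END { emit() }
  '
}

# Constructed sample input (not captured from a real device).
sample_dumpsys() {
  cat <<'EOF'
Packages:
  Package [com.example.oldflashlight] (1a2b3c4):
    versionCode=7 minSdk=14 targetSdk=19
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.INTERNET
    install permissions:
      android.permission.CAMERA: granted=true
  Package [com.example.notes] (5d6e7f8):
    versionCode=42 minSdk=21 targetSdk=26
    requested permissions:
      android.permission.READ_CONTACTS
EOF
}
sample_dumpsys | legacy_permission_apps
```

Each output line is the package name, its target API level, and the sensitive permissions it requested; an app that shows up here is one to review or replace with a maintained alternative.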

There's no easy way to say a web browser is secure when it comes to internet malware. As people learn newer tricks to try and mine your data, web browsers might need to be updated to prevent it. That means the web browser that came with your phone might not cut the mustard here. This is always important, but the side-channel memory exploits used for Meltdown and Spectre could be embedded in a script you run through your browser.

Google and Mozilla are both in front of the Meltdown and Spectre exploits and doing all they can to keep you safe.

We can recommend both Chrome and Firefox for anyone looking for a secure browser that is still feature-rich. Chrome goes the extra step of using Google's safe-browsing service to filter out any websites that contain malware so you won't even visit them. Both Chrome and Firefox have announced that they are doing all they can to protect users against Meltdown and Spectre, and the companies behind them — Google and Mozilla — are great at minding the store here.

There are plenty of other web browsers available in Google Play and both user feedback and company announcements can help you see which are ready to protect you against web malware.

Like all things when it comes to security on our phones and connected gadgets, the user is the most important and most vulnerable part of the picture.

In an ideal world, companies would spend the money and update all of their products whenever something like this happens, but that's just not going to happen. At least not without some stricter consumer protection laws when it comes to technology. And not everyone can afford to, or even wants to, run out and buy the new thing every year. That means it's on us once the company who got our money is done supporting a product.

Be mindful of what you install and follow a few sane practices while you use your phone and you'll be doing all you can to stay safe!

Jerry Hildenbrand
Senior Editor — Google Ecosystem
