The Biggest Risks in Procrastinating on iPhone, Android Software Updates

Regis Duvignau | Reuters
  • Apple and Google, as well as phone manufacturers including Samsung, release software updates to patch security issues and other operating system bugs in iOS and Android code.
  • Delaying the latest software update puts phone users at greater risk of personal information being hacked.
  • Once a new OS software update is available, installing it on a device should never occur any later than a few days to a week after release, say cybersecurity experts.

That screen-blocking software update notification that keeps coming back may be annoying to a phone user, but ignoring it for too long is a mistake.

Many consumers opt to not have phones set to automatic update. Once the day begins, these notifications can pop up at inconvenient and distracted times — while you're rushing to make a call or send an email or text — but smartphone software updates are primarily designed for your benefit.

Companies including Apple and Samsung, as well as Alphabet's Google which makes the Android OS, are constantly working on security and user experience features in annual updates and more periodic updates to fix newly discovered bugs.

Apple's current operating system iOS 16 launched this past September, and it boasts many new features: the ability to edit and unsend messages; set multiple lock screens and set Focus filters to limit who you receive notifications from; privacy and security updates like Safety Check so victims of domestic or intimate partner violence can reset access that they've granted to others; and Lockdown Mode, a method of extreme protection against cyberattacks.

Samsung's Android 13 One UI 5.0 lets users customize their lock screen, create stickers from any photo and open apps in split screen, along with security updates like warnings when sharing personal information, and a security dashboard in settings to check for and fix security issues.

Not all software updates offer an array of new features, but when they do it can feel like you are getting a new phone without added cost. Yet, many users still do whatever they can to put off the 30 minutes that a software update can take.

Where human procrastination meets technology

It's a phenomenon that's been studied by researchers and termed "adoption procrastination."

Researchers at the University of Tennessee and University of Munich identify this "deliberate delay" as a coping strategy that digital product users implement to counteract the negative emotions that arise when software updates are released. Discomfort often stems from the perception that software updates will require users to relearn how to use certain features on their device and threatens their current habits. Annoyance is a factor, too, and the assumption that current functionality of their phone is optimal, so a software update would only disrupt their devices' usability.

But there is also more basic human psychology.

"I think some of it is just the nature, 'I'll get around to it, when I get around to it,'" said Dr. Richard Forno, University of Maryland Baltimore County's director of the Cybersecurity Graduate Program and assistant director of the school's Center for Cybersecurity.

He recommends setting up a phone to automatically download and install the updates overnight when you're sleeping (as long as Airplane mode is not set). "That's a feature that a lot of people could and should enable, so they don't have to worry about it," Forno said.

Apple, Google update options

Apple allows users to decide whether they want their phone to automatically download and install the newest iOS update, or if they prefer to manually update it. Android users can choose between three local system update policies, including automatic, windowed and postponed updates — all of these policies eventually result in a device automatically updating. The automatic system policy installs as soon as a new update becomes available; the windowed system policy installs updates during a daily maintenance window that the user gets to choose; the postponed option delays installing an update for 30 days. When 30 days have passed, the system then prompts the user to install the system update.

While it's offered, cybersecurity experts don't recommend waiting 30 days. "For the normal user, within a few days to a week is likely fine," said Justin Cappos, associate professor of Computer Science and Engineering at New York University Tandon School of Engineering and a member of New York University's Center for Cybersecurity. There are certain users who are at a greater risk if they choose to put off or ignore these notifications. "If you are a dissident who is possibly being targeted by a nation-state actor, you should update right away," he said.

When a major security update comes out, everyone should act relatively fast.

Hackers will target the flaws you don't update

Big annual OS updates may have the flashier and more reported on new features, but security protection is a major reason why users should download all new software updates available for their phone. Smaller, incremental updates, are released primarily to fix bugs and ensure users greater protection. It's as simple as knowing that Apple or Samsung, or any other phone maker, is indicating that your current operating system is not the safest anymore, and it is sending that message out into the world. That's not just good for you, but for hackers looking to exploit users who don't get the message.

"You're leaving yourself vulnerable to attacks. Once a vulnerability has been announced and a patch has been released, attackers quickly grab that information and create exploits for those specific vulnerabilities," said Kathleen Moriarty, chief technology officer at the Center for Internet Security.

Without the latest security patches, every piece of information on your phone is open to attack, from social media accounts to banking information to text messages.

"If you reuse passwords in different places, and they're able to capture a password that is stored on your phone, they might be able to gain access to other applications," Moriarty said.

Reuse of passwords across accounts is bad cybersecurity practice to begin with and can become even worse when the personal phone security lapse is used to gain access to an employer's network.

"Hopefully, you're not using those across boundaries because this is one area of attack that has been used where, let's say an administrator for an organization is targeted specifically through their personal accounts and that personal account access is used to gain corporate access," Moriarty said.

If malware gets through an outdated OS, tricking you to click on a link or download something, it can gain access to your personal information, cause your battery to drain faster and reduce overall performance.

Performance fears overstated, patches better and quicker

Years ago, software updates were much larger and infrequent, which made these updates themselves more susceptible to hacking issues and bugs. For example, Apple found a major operating flaw after its 2017 release of MacOS High Sierra that enabled anyone to enter your computer without needing a password.

However, as Apple and Samsung have shifted toward releasing smaller software updates and patches more frequently, it minimizes the impact on devices and improves testing.  

"I have a higher trust level because of the newer processes in place. There are far fewer problems that happen with software updates now than five or 10 years ago," Moriarty said.

Companies also have developed software updates that can occur behind the scenes on a phone without a user having to download them. In Apple's release of iOS 16.2, the operating system is now able to push out security updates between the incremental updates with a new feature called "Rapid Security Response."

Back in 2019, Google's Project Mainline was introduced in Android 10 and implemented this process of mobile updating without requiring user involvement or a system reboot. While this system can't do an entire software update in the background through Google Play, it can install critical operating system patches without having to wait on the user or phone maker.

"They can push out security updates pretty much as they need to without requiring the phone to be rebooted and disrupt a person's life, which is a good thing, because it's transparent to the end user, but they're getting the updates they need. So that's a win for security," Forno said.

Nowadays, there's less reason to be worried when it comes to software updates, but the internet is also a good tool to quickly see how any recent update is working for other users. From social media platforms like Instagram and Twitter to tech news sites like The Verge, users can receive quick feedback on the latest software fixes.

"Because of the social media availability, you will know if there are big problems being caused that were unexpected or not predicted with a particular update. So, you could wait a little bit or decide not to be first, especially [for] a large update. But I don't think the timeline is that long anymore. Due to things like Reddit forums and Twitter and other places where you have easy access to immediate feedback," Moriarty said.

Smartphone battery issues

Some users avoid software updates out of fear that it will decrease their battery life or slow down the phone itself, and while this can happen after downloading a major software update, these issues are temporary.

"Your phone is going to burn through battery as it installs the update, runs all of its verifications and its checks, and then does a bunch of re-indexing. So, it would not surprise me if for a day or two, after you download an update, your phone battery life might be a little bit less because it's working more," Forno said.

However, there have been occasions where Apple's iOS updates have caused poor battery life for an extended amount of time beyond the initial installment duration. For instance, the release of iOS and iPadOS 15.4 caused a large number of customers to report battery issues lasting for weeks after the updates' release, which resulted in Apple's quick release of iOS and iPadOS 15.4.1 to combat this bug.

A phone's storage is also impacted when you install a security update. Depending on the size of the software update, how old your phone is and what operating system it is currently using, storage can be an issue.

"I think the average user needs to ensure their devices are updated regularly. ... I don't think they have to worry about checking for updates every day," Forno said.

Age of iPhone, Android model matters

Software updates don't guarantee that a phone will always be secure. As newer generations of iPhones and Androids are released, Apple and Samsung gradually phase out older devices, and OS support. For example, iOS 16 is supported on every iPhone released since the iPhone 8. Samsung now guarantees customers at least four years of major Android updates and as much as five years of security updates.

Hardware updates, including new chips and security features, come out on a regular basis, too.

"Updating to a new model of your phone every year to every few years can help you stay ahead of the security curve," Cappos said.

Apple's release of the iPhone 14 series included the A16 Bionic chip on Pro models, emergency satellite call technology, and better hardware security through the switch to eSIM-only cards. The next big release is the Samsung Galaxy S23 this month, which includes Samsung's latest tweak to Android 13, One UI 5.1. Users should review the phone's hardware, software and UI features, and owners of existing Samsung phone models will want to be on the lookout for an announcement about One UI 5.1 being made more broadly available.

Copyright CNBC
Contact Us