I got a very good deal on a recent vintage Sony Android smartphone. That is, the model was issued more than two years ago, but it’s fresh out of the box from a retailer who has older and new stock. Great features and all, but the OS is Kit Kat and I’d like to upgrade to Lollipop 5.1.
A bunch of Android web sites publish instructions on rooting such phones and installing the upgrade. The directions look a bit complicated to me. I’d slap myself if I turned this phone into a brick.
Should I just live with the existing OS?
First, can it get normal over-the-air upgrades?
Second, even if it does get a normal over-the-air upgrade to something more recent, is it still getting upgrades for security fixes?
One problem with many Android phones other than the Google ones and those sold with Android One branding is that security upgrades are infrequent, or sometimes non-existent. This is a greater problem the older the phone is, due to dropping of security upgrade support (often without any clear statement when security update support will end). The Google and Android One phones do promise monthly security updates (though they may be a few weeks after the fixes have gone into the base Android before the phone-specific security upgrade is available) up to an announced date (based on amount of time after the model was sold).
So if the phone no longer has official security upgrades, but it is possible to install a recent Android build and continue upgrading for security by rooting it, that can be worth it. But if all you are getting is a years-old build and no recent security upgrades, that may be less worth it.
Good questions. Thanks.
My understanding is that Sony’s policy is to provide OTA upgrades and security fixes for 18 months following the date the model was first issued. That being the case, there are no further official upgrades available for my phone (probably a good reason why it’s sold at a steep discount). There is a widely recognized upgrade available from a trusted source that people use, so the opportunity is tempting. Haven’t made up my mind as to whether or not I’ll do it. The Xperia is a nice phone, but it would be nice to get rid of the Sony proprietary software bloat.
How recent an Android security patch level is the latest official one, and how recent an Android security patch level is the unofficial one?
If you have Bluetooth turned on, beware of this security vulnerability that affects Android devices with security patch before September 2017:
https://www.armis.com/blueborne/
https://www.androidcentral.com/lets-talk-about-blueborne-latest-bluetooth-vulnerability
The last official Sony update (Jelly Bean) was 2013. The unofficial aftermarket update to Lollipop 5.1 from CyanogenMod 12.1 is 2015.
A 2015 Android OS will be vulnerable to BlueBorne. It will also be vulnerable to some or all media server vulnerabilities that were fixed in 2015 and 2016.
https://en.wikipedia.org/wiki/Stagefright_(bug)
A 2013 Android OS will also be vulnerable to Heartbleed.
http://heartbleed.com/
There’s always a chance of bricking the phone when you start rooting and loading unsupported OSes, but if other people have done it with your exact phone and have provided a roadmap, chances are pretty good it will work.
Lollipop was a huge upgrade over KitKat, plus lots of apps don’t work on KitKat any more, so it’s worthwhile if you can get it to work. There may be apps that don’t work on Lollipop any more as well; it was released over 3 years ago.
Others have noted the lack of security updates; you’ll have to decide if it is worth it.
Good luck!
You may want to check if your older no-longer-getting-security-fixes device has a LineageOS build available for it:
https://www.lineageos.org/
https://en.wikipedia.org/wiki/LineageOS