Google’s biggest Android problem remains a huge issue but it’s slowly improving.
At least that’s the takeaway from Google’s Android Security Year in Review, the latest update on the company’s ongoing plan to get phone makers to adopt security updates more quickly.
While Android fans often cite the amount of choice in Android devices as one of the main draws of the platform, the fact remains that this continues to be its biggest weakness as well. That’s because so many device makers are extraordinarily slow to adopt software updates and critical security patches.
Google has been trying to address this for years — the company may have even once considered a plan to publicly “shame” carriers and manufacturers who were too slow with updates — and has taken steps to address this within Android itself.
A pressing issue
So has all this been working? Sort of. Adrian Ludwig, from Google’s Android security team, said that as of the end of 2016, more than 78 percent of flagship devices in North America were up to date with security patches. That’s pretty good, but when you look beyond flagships in North America, that progress disappears.
“About half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Ludwig writes in a blog post.
That’s right, “about half” of all Android devices didn’t get a single security update in the last year.
Yes, but Ludwig says Google is working on new fixes that will make it easier and faster for its partners to issue updates. “We’re working to increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches,” he writes.
What can be done?
Whether that will be enough is hard to say. A more streamlined process will likely help incentivize larger companies to update faster, but smaller OEMs, and those that make low-end devices, will likely continue to lag without more aggressive measures from Google.
And even if manufacturers streamline updates, users still rely on carriers to push out updates in a timely manner so it’s hard to see the landscape changing drastically in the foreseeable future, absent a major shift in how security patches are handled.
As always, the most reliable way to keep your Android up to date is to use a Nexus or Pixel phone, since Google oversees the updates itself.
Google, Samsung, and LG are making patches
In addition, Google, Samsung, and LG have made a commitment to send out monthly security patches to users that will fix any upcoming issues in the operating system. These updates have been sent out to manufacturers for years, but now end users will get them too, and they will continue for at least three years after the launch of any new handset.
“We’ve looked at the events of the last few weeks and realized we need to move faster, and that we need to tell people what we are doing,” Ludwig said.
The Stagefright flaw was a serious issue, with 95 per cent of devices potentially vulnerable, he said, but there were mitigating factors. Devices running Android Jelly Bean 4.1 or later had address space layout randomization (ASLR) to block memory exploits, he said, and this bought enough time to sort out the issue.
As for the other Android bug from last week – Trend Micro’s discovery of an integer overflow bug in Android’s media server service – that too will be fixed by the end of the week. The flaw allowed phones to be crashed and silenced due to errors in video handling, and a fix is in place despite Google initially dismissing the issue as low priority.