It’s been a rough year so far for Android security, and the situation doesn’t look like it’s going to improve significantly anytime soon. Stagefright, a vulnerability in the operating system’s media library of the same name, enabled an attacker to execute malicious code on a smartphone just by sending the user an SMS message. But as Ron Amadeo reports for Ars Technica, the publicity surrounding the discovery of the vulnerability had the positive effect of spotlighting Android’s sub-par security situation.
It also got the Android ecosystem — consisting not only of Google, but also of smartphone makers and wireless carriers — to begin to pay attention to delivering security updates to users in a timely manner. Google, Samsung, and LG scrambled to deploy a fix to their flagship devices, and then promised to provide monthly security updates for their devices.
As Emily Dreyfuss reported for Wired at the time, Google said that it would begin rolling out regular, monthly over-the-air security updates to its devices. LG said that it “will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately.” Samsung said that it “will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.” In addition to the promises of regular security updates from Google, Samsung and LG, other major manufacturers, including HTC, Sony, and Android One manufacturers, were sending Stagefright patches out to customers.
The first of the regular security updates has arrived for Nexus phone owners. Amadeo points out that the Nexus system image page added Android 5.1.1 build “LMY48M” for the Nexus 4, 5, 6, 7, 9, and 10, and build “LMY48N” for the Android TV-based Nexus Player. LMY48M hit Google’s public AOSP (Android Open Source Project) repository on September 9. The updates contain a few security fixes, including one for a “Moderate severity vulnerability” that allowed apps to bypass the SMS short code notification prompt that warns users that short codes can cost them money.
Google has succeeded in getting its first security update out the door, but that doesn’t change the fact that Android has no scalable update system, and getting Google’s security fixes to end users is the responsibility of every smartphone maker and wireless carrier. Updates are unique to each individual device model, and most of the time, users are lucky to keep getting updates for a full three years after a device’s initial release. Smaller phone manufacturers often don’t have the resources to deploy updates for all of their devices, and premium phones are increasingly differentiated from budget phones by whether or not they receive software updates.
T-Mobile has announced security updates for the Nexus 4, 5, 6, 7, and 9, and its announcement actually beat Google’s by a day. Shortly thereafter, the carrier also made the updates available to users of the Galaxy S6 and Note 5, and the LG G4 is expected to be updated shortly, as well. There’s no word yet on when the other smartphone manufacturers and wireless carriers will begin issuing monthly security updates for Nexus devices and other Android smartphones.
It’s hardly noteworthy that Google and carriers are issuing updates for Nexus devices, which, after all, come directly from Google and are the devices on which Android is actually developed. When Google develops an update, it’s tested on Nexus devices before going to smartphone manufacturers like LG and Samsung. The phone manufacturers test and deploy the updates, and then have to rely on the carriers to send them out. That makes it easy to understand why Nexus devices traditionally receive faster updates — and therefore have better security — than all other Android smartphones. The question, Amadeo notes, is how much faster Nexus updates will be than those for other Android phones.
Lucian Armasu recently reported for Tom’s Hardware that although everyone is aware that the fragmentation of the Android ecosystem is the reason Android phones take so much longer than Apple’s iPhone to get the latest software, the problem has grown so large that the status quo for Android’s poor security just isn’t going to cut it anymore.
A model that leaves users waiting indeterminate or even interminable periods of time for critical security patches can’t scale to billions of users. And Google’s latest solution — getting some smartphone makers to agree to a monthly security update program — is only a small step, too small to address the current problem. It seems inevitable that at some point, Google will need to reclaim responsibility for Android’s security updates. The current strategy won’t do much, if anything, to fix the problem, and a real fix to Android’s security is still likely years away.