Android OEM Patch Rates Have Improved, With Nokia and Google Leading the Charge

Security updates are reaching Android users faster and more reliably than in previous years. In research published this month, German cyber-security firm SRLabs said the Android patch gap has gone down from 44 days in 2018 to 38 days today. From a report: The term Android patch delay, or patch gap, refers to the time from when Google formally publishes a security update on its website, and until a smartphone vendor (OEMs, or original equipment manufacturers) integrates the patch into its firmware. SRLabs says it collected information on patches delays using its SnoopSnitch security scanner app installed on more than 500,000 Android smartphones. While the company reported that the patch delay has gone down by 15% in the last two years, the patch gap varied wildly across smartphone vendors, with some better than others at integrating the Google-provided security patches into their customized Android OS versions. Researchers said Google, Nokia, and Sony were the fastest at integrating the monthly Android Android security updates into their customized customized Android OS releases, while Xiaomi, HTC, and Vivo were the vendors lagging behind the most.

I just got a lot of updates in the past few weeks

[bjtastr]

A LOT more than usual. Are we all being tracked now?

Re: I just got a lot of updates in the past few we

[BAReFO0t]

Yo, err, I mean, nes!
I figure with the lockdown, there's a lot more coding and tinkering going on, and more time for that sort of thing in general.

The tracking (let's call it what it is: totalitarian criminal spying and treason that deserves long prison sentences) is of course more popular than ever too, in the alliance of conscience-free psychopaths and forever-anxious afraid-of-their-own-shadows absolute pussies.

Bias of the data.

[BAReFO0t]

They only looked at the data from people who installed security software on their phones, that only people with a heightened interest in the subject would even know about. (And it means higher than even me. So probably security researchers, whistleblowers and the like.)

I think we can safely assume that those people whould pick devices with better patch track records.

So not that bad of a bias, but highly likely one in that direction.

Re:

[AmiMoJo]

They didn't look at anybody's phone, they just looked at the date stamps on the OEM update releases.

Still it would have been more interesting to see the infection rates vs. iOS per user. Even that might be misleading though because of the different demographics.

Re:

[thegarbz]

Yeah it's biased. It has nothing to do with security updates getting easier to roll out by vendors thanks to Google changing the security model to decouple it from the OS update model. Nosireeee. /sarcasm.

Also your "bias" claim is self defeating on account of Nokia previously having had quite horrible security update policies, so clearly your biased security vendors are all about picking devices which offer them the worse security right? /alsosarcasm

Another ignorant post brought to us by BAReFO0t - Someday

Re:

[MachineShedFred]

The model still has issues though - getting security updates for your phone still depends on the OEM giving a shit and releasing an update for their version.

Bad OEMs are still going to be bad, and you can still buy brand new phones that will never see an update.

Re:

[Luckyo]

Different "Nokia". Current Nokia phone brand licensor is actually a company called HMD Global that licenses the right to use the brand from Nokia for its mobile phones. The "horrible security update policies" were at Nokia, not at HMD Global.

You may as well bitch out AMD for having Intel's security issues, because they license actual technology rather than just name from one another.

Though for the record, headline writer is equally ignorant of the subject he's talking about, so you're in good company.

If you don't install an Android patch

[Solandri]

If you don't install an Android patch, at first it just gives you notifications that a patch is available. But eventually it begins throwing up a card which takes up the entire screen and tells you there's an update available and you should update. The card must be swiped away before you can resume using your phone. It will pop up every time you unlock the phone after a period of non-use. It will pop up every 15 minutes or so regardless of what you're doing with your phone. Shooting a video? The card w

Re:

[_merlin]

You get notified to install security updates on Samsung. It just shows up as an update notification.

Patch timeliness is only half the battle

[valderost]

I'm hoping someone will do a companion piece analyzing how long OEMs will support their hardware with security patches before silently dropping support, leaving perfectly serviceable hardware to become increasingly vulnerable over time.

Re:

[Anubis IV]

Exactly. Patch gaps are a rather useless metric if the real issue is that large swaths of the ecosystem simply don't receive patches at all after a very short window of support.

Re:

[iampiti]

Yup, that's a major problem in the Android world. I prefer the OS to the alternative but most models of phones are supported for a too short length of time.
I guess the manufacturers just don't see any value on it which would be sadly right if that's not a metric people consider when buying a phone. I would be willing to pay a small amount of money to keep receiving security patches for my phone. It works well and has a replaceable battery and don't plan on stopping using it any time soon.

Re:

[Luckyo]

It's actually bad enough to have become a selling point for some of the smaller companies. HMD Global (current Nokia brand licensors) use a guarantee that their phones will have x years of guaranteed updates in their marketing. It started with two years, and I think they're up to three today.

And then there are none

[gaiageek]

Faster updates is great until your device stops getting any at all. I have a high-end Sony device (XZ1 Compact) which is still under warranty (purchased a year after release), but stopped receiving updates last year (2 years from release). Everyone here likely knows this is a common occurrence, and a huge, inadequately addressed problem with Android.

Re:

[kalpol]

LineageOS is really the answer here, it's incredibly better than the manufacturer's versions, HOWEVER there's a lot of hurdles to it, and from what I hear Google is starting plans to make it harder or impossible to use third-party versions of Android. However, if your phone can be unlocked, and you can find an official build, want to risk an unofficial build, or are able to compile it yourself, great shining vistas of updated usability open up before you.

Re:

[swillden]

from what I hear Google is starting plans to make it harder or impossible to use third-party versions of Android

This isn't correct. Well, not exactly.

(Note: I'm a member of the Android Platform Security team at Google, and designer and owner of some of the components that are making the lives of custom ROM users hard.)

It has been getting harder and harder to use custom ROMs for the last several years, but not because Google has any interest in making it hard. The biggest reason it's gotten harder is that Android has gotten much more secure. Rooting and installation of custom ROMs used to be done primarily by

Re:

[samwichse]

An unlockable bootloader is definitely one of those "must haves" on my list. Not unlockable? I don't buy. Every older device I've had has had a long second life with cyanogen, and now lineage on it.

The manufacturers track record with updates is also high in the list. We ended up getting an Android One phone (Nokia 6.1) for my wife last round. Updates come out very promptly and regularly.

That and a headphone jack. Got devices all over the place with TRRS jacks on them.

SD card for cheap bulk storage is #4. I'

Re:

[swillden]

Not unlockable? I don't buy.

Exactly. And if enough people take this position, unlockable bootloaders will become more common.

Apple

[ArchieBunker]

Just received an update for my iPhone 6 plus (circa 2014) from Apple. Any six year old Android phones out there getting updates?

Re:

[ELCouz]

Segmentation of the platform is never a good thing. Like having tons of forks on OSS, with fork dying faster than they were created. This create security issues.

Re:

[ArchieBunker]

Trolling because my device gets support for years? Don't be mad at me because you bought junk.

Of course they have

[thegarbz]

Google specifically separated the security from the OS version a couple of releases back and with that a lot of companies lost the excuse that security takes a lot of effort. Nowadays there really is neither an excuse nor a great amount of effort into rolling out the latest security patch level to an Android device so that the situation would improve was basically a forgone conclusion.

Blackview are useless

[alanw]

My Blackview BV9600 pro (bought because it was cheap and rugged) is still running on firmware dated 20190430 - it will be its 1st birthday in two days.

Hey, T-Mobile?

[rnturn]

``... while Xiaomi, HTC, and Vivo were the vendors lagging behind the most.''

Lagging worse than T-Mobile? I doubt it:

Your system is up to date

Android version: 8.0.0
Android security update: August 1, 2018

Last successful check for update at 12:36

That message has been the same -- except for the time of day -- since the displayed date. Pathetic. It's the reason why I don't use my phone for anything that requires security.

Re:

[kwalker]

I have the same phone. It worked well enough, after the solitary update I got after purchasing it. However that woefully out of date Security Update date is why I'm moving to an Android One phone. I won't say which but let me just say that as long as a phone you're looking at has some of the following list of frequencies and bands, it should work with T-Mobile's network to some extent. Obviously more frequency support is better. I would focus on the LTE and UMTS bands for data and those plus GSM for voice o

I wish Moto had their shit together

[drinkypoo]

I often have to wait for months for patches for my X4, and it's an Android One model. And they apparently aren't doing Android 10 either, although I can get various versions of it from XDA-Devs.

I've had about a dozen Motorola phones. This is my last.

Nokia

[sad_]

I've been praising nokia for a while now, all their phones come with Android One and get monthly updates.
My Nokia 5.1 still gets updated every month.

Next the that, the phones are well build and decently specced with a reasonable price.
Puts all those other high-end premium android phones to shame, really.

HW specs don't mean nothing to me if you aren't prepared to support it software wise on a regular basis.