Google announces monthly Nexus security updates, but that won’t fix Android’s security issues

Published 5 Aug 2015


Updated: , , Samsung have provided with statements about device security updates. See the bottom of this article for details.

The Stagefright vulnerability really, uh, gave Android users a fright these last few weeks. But frankly, there’s nothing funny about having your digital life ruined by a simple text message. Google knows this, and it’s been doing some major damage control since the vulnerability was discovered. It’s also made some changes to its Nexus device update cycle in an effort to re-instill some confidence in the Android platform.

Adrian Ludwig, Android’s lead security engineer, and Venkat Rapaka, the director of Nexus product management, laid out Google’s new Nexus update policy in a blog post:

Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.

This is great news for Android users. If you’re using a Nexus device, you’ll have support from Google to keep you protected from the bad stuff that’s making the rounds out there—every four weeks, at least.

But what about the massive majority of Android users not using stock Android devices? The people using Samsungs, LGs, Motorolas, HTCs, Sonys, and a whole host of other brands’ phones and tablets? Most of those Android users are still at the mercy of the carriers that deliver their software updates. Verizon, T-Mobile, and AT&T are lagging on updating Android devices with the latest security patches. Sprint is the only carrier that’s pushed out an update to patch the Stagefright exploit—that’s maddening!

Take a look at OpenSignal’s latest chart on fragmentation. It’s bad. Google is a tiny blip compared to all the other manufacturers that utilize and run Android. The company doesn’t fully control the way people use Android, so when a massive vulnerability like Stagefright happens, those who aren’t under Google’s control are in trouble. They have to rely on Samsung, LG, HTC, and all the others to patch up their versions of Android, then send that through to the carrier to have them test it out before it’s ready for the consumer. During the process, however, the user is completely vulnerable to whatever awful security flaw is making the rounds because the carrier has to ensure that whatever awful bloatware they’ve bundled in with Android devices isn’t rendered inoperable by a bug fix. I’d be perfectly fine if Verizon Navigator never worked again if it meant I wasn’t still vulnerable to Stagefright, but Verizon isn’t okay with that.

Consider this: Android Lollipop was released 9 months ago, and is still only on 18 percent of devices. 18 percent! With stats like that, how can users be confident that they’ll get important security updates when they buy an Android phone?

Ludwig concluded the blog post by promising that security continues to be a top priority for Google’s Android engineers. I believe it, because I’ve talked to Ludwig about Android’s unfortunate reputation of being one of the most insecure mobile operating systems out there. But while I appreciate that Nexus devices will be taken care of, it’s time Google also puts a policy in place that pressures the carriers to push out important, lifesaving updates to all those other phones too. Otherwise, what’s the point of being an Android user if your phone is constantly under attack?

Update 1:33 T: reached out up with statements from both LG and Samsung about their commitment to updating their respective devices.

Samsung promised it would “implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered.” Those security updates will take place regularly about once a month. It also recently sent out a security update for its Galaxy devices. “With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner,” said Dong Jin Koh, Executive Vice President of Samsung Electronics, Mobile R&D Office. “Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users.”

LG said that it’s “committed to bringing its customers the utmost in device security.” The company has begun rolling out updates for its devices that are potentially vulnerable to Stagefright. LG will also provide security updates on a monthly basis, “which carriers will then be able to make available to customers immediately.”