Updated: Google, LG, and Samsung have provided PCWorld and Greenbot with statements about device security updates. See the bottom of this article for details.
The Stagefright vulnerability really, uh, gave Android users a fright these last few weeks. But frankly, there’s nothing funny about having your digital life ruined by a simple text message. Google knows this, and it’s been doing some major damage control since the vulnerability was discovered. It’s also made some changes to its Nexus device update cycle in an effort to re-instill some confidence in the Android platform.
Adrian Ludwig, Android’s lead security engineer, and Venkat Rapaka, the director of Nexus product management, laid out Google’s new Nexus update policy in a blog post:
Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.
This is great news for Android users. If you’re using a Nexus device, you’ll have support from Google to keep you protected from the bad stuff that’s making the rounds out there—every four weeks, at least.
But what about the massive majority of Android users not using stock Android devices? The people using Samsungs, LGs, Motorolas, HTCs, Sonys, and a whole host of other brands’ phones and tablets? Most of those Android users are still at the mercy of the carriers that deliver their software updates. Verizon, T-Mobile, and AT&T are lagging on updating Android devices with the latest security patches. Sprint is the only carrier that’s pushed out an update to patch the Stagefright exploit—that’s maddening!
Take a look at OpenSignal’s latest chart on fragmentation. It’s bad. Google is a tiny blip compared to all the other manufacturers that run Android. The company doesn’t fully control the way people use Android, so when a massive vulnerability like Stagefright happens, those who aren’t under Google’s control are in trouble. They have to rely on Samsung, LG, HTC, and all the others to patch up their versions of Android, then send that through to the carrier to have them test it out before it’s ready for the consumer. During the process, however, the user is completely vulnerable to whatever awful security flaw is making the rounds because the carrier has to ensure that whatever awful bloatware they’ve bundled in with Android devices isn’t rendered inoperable by a bug fix. I’d be perfectly fine if Verizon Navigator never worked again if it meant I wasn’t still vulnerable to Stagefright, but Verizon isn’t okay with that.
Consider this: Android Lollipop was released 9 months ago and is still only on 18 percent of devices. 18 percent! With stats like that, how can users be confident that they’ll get important security updates when they buy an Android phone?
Ludwig concluded the blog post by promising that security continues to be a top priority for Google’s Android engineers. I believe it, because I’ve talked to Ludwig about Android’s unfortunate reputation of being one of the most insecure mobile operating systems out there. But while I appreciate that Nexus devices will be taken care of, it’s time Google also put a policy in place that pressures the carriers to push out important, lifesaving updates to all those other phones too. Otherwise, what’s the point of being an Android user if your phone is constantly under attack?
Update 1:33 PM PDT: Google reached out with statements from both Samsung and LG about their commitment to updating their respective devices.
Samsung promised it would "implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered." Those security updates will take place regularly about once a month. It also recently sent out a security update for its Galaxy devices. “With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," said Dong Jin Koh, Executive Vice President of Samsung Electronics, Mobile R&D Office. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."
LG said that it’s "committed to bringing its customers the utmost in device security." The company has begun rolling out updates for its LG devices that are potentially vulnerable to Stagefright. LG will also provide security updates on a monthly basis, "which carriers will then be able to make available to customers immediately."