The Stagefright vulnerability really, uh, gave Android users a fright these last few weeks. But frankly, there’s nothing funny about having your digital life ruined by a simple text message. Google knows this, and it’s been doing some major damage control since the vulnerability was discovered. It’s also made some changes to its Nexus device update cycle in an effort to re-instill some confidence in the Android platform.
Adrian Ludwig, Android’s lead security engineer, and Venkat Rapaka, the director of Nexus product management, laid out Google’s new Nexus update policy in a blog post:
Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.
This is great news for Android users. If you’re using a Nexus device, you’ll have support from Google to keep you protected from the bad stuff that’s making the rounds out there—every four weeks, at least.
But what about the massive majority of Android users not using stock Android devices? The people using Samsungs, LGs, Motorolas, HTCs, Sonys, and a whole host of other brands’ phones and tablets? Most of those Android users are still at the mercy of the carriers that deliver their software updates. Verizon, T-Mobile, and AT&T are lagging on updating Android devices with the latest security patches. Sprint is the only carrier that’s pushed out an update to patch the Stagefright exploit—that’s maddening!
Take a look at OpenSignal’s latest chart on fragmentation. It’s bad. Google is a tiny blip compared to all the other manufacturers that run Android. The company doesn’t fully control the way people use Android, so when a massive vulnerability like Stagefright happens, those who aren’t under Google’s control are in trouble. They have to rely on Samsung, LG, HTC, and all the others to patch up their versions of Android, then send that through to the carrier to have them test it out before it’s ready for the consumer. During the process, however, the user is completely vulnerable to whatever awful security flaw is making the rounds because the carrier has to ensure that whatever awful bloatware they’ve bundled in with Android devices isn’t rendered inoperable by a bug fix. I’d be perfectly fine if Verizon Navigator never worked again if it meant I wasn’t still vulnerable to Stagefright, but Verizon isn’t okay with that.
Consider this: Android Lollipop was released 9 months ago, and is still only on 18 percent of devices. 18 percent! With stats like that, how can users be confident that they'll get important security updates when they buy an Android phone?
Ludwig concluded the blog post by promising that security continues to be a top priority for Google’s Android engineers. I believe it, because I’ve talked to Ludwig about Android’s unfortunate reputation of being one of the most insecure mobile operating systems out there. But while I appreciate that Nexus devices will be taken care of, it’s time Google also puts a policy in place that pressures the carriers to push out important, lifesaving updates to all those other phones too. Otherwise, what’s the point of being an Android user if your phone is constantly under attack?
This story, "Google announces monthly Nexus security updates, but that won't fix Android" was originally published by Greenbot.