Android devices, especially non-premium ones, have long been left out in the cold when it comes to critical security patches, but that has been changing, thanks to Google's continued effort as well as some notable Android OEMs such as HMD's Nokia line, which has insisted on the importance of monthly security updates.
A recent report from German cyber-security firm SRLabs has confirmed what we might already suspect: progress is being made. The company reports that the patch gap (the period from when Google publishes a security update to when an OEM integrates it into its firmware) has decreased from 44 days in 2018 to 33 days now, an 11-day (25 percent) reduction.
The rate of missed patches was also down last year compared to the year prior. Interestingly, SRLabs found that vendors tend to prioritize the Android versions most widely deployed across their own device fleets. A good example is Xiaomi, which has most of its devices running Android 9.0 Pie.
On the other hand, less widely deployed versions, including recently released Android iterations, are more likely to see delayed updates or, worse, missed patches. A missed patch does not necessarily mean the related vulnerability is exploitable on that device, however, the company says.
Despite the overall progress, patch gaps vary widely between individual OEMs. At the top of the spectrum are Google, Nokia, and Sony. Laggards include OnePlus, Vivo, HTC, and Xiaomi.
Vendors at the forefront ship less heavily customized versions of Android, so applying Google's patches takes less engineering effort. They also have fewer device models, which makes it easier to streamline the process and have patches ready before Google publishes the official Android Security Bulletin on its website. Such OEMs can therefore roll patches out to their whole portfolio shortly after Google first publishes a security update.
An encouraging trend is that most major Android vendors, including Samsung, Huawei, and Xiaomi, have improved over time at patching newer versions of Android. But that also shows how heavily timely patching depends on each vendor's own decisions.
SRLabs gathered its data with SnoopSnitch, a security scanning app installed on over 500,000 Android phones. That gives a useful picture of how things are faring, but it is a self-selected sample of users who chose to install the app, not a complete view of the whole market. You might have already noticed that the list doesn't include some Chinese vendors such as TECNO and Infinix, which are Africa's favorite smartphone brands.
It would be interesting to see how those two, and other Chinese OEMs, are progressing on security updates, considering they were among the laggards in last year's "Software and Security Updates: The Missing Link for Smartphones" report from CounterPoint Research.