Android devices, especially non-premium ones, have long been left out in the cold when it comes to critical security patches, but that has been changing, thanks to Google’s continuous effort as well as that of some notable Android OEMs such as HMD’s Nokia line, which has insisted on the importance of monthly security updates.
A recent report from German cyber-security firm SRLabs has confirmed what we might already know – progress is being made. The company reports that the patch gap (the period from when Google publishes a security update to the time when OEMs integrate it into their firmware) has decreased from 44 days in 2018 to 33 days now, a 15 percent decrease.
The rate of patches was also down last year compared to the year prior. Interestingly, SRLabs found that companies tend to patch the Android versions that are widely used in their ecosystem. A good example is Xiaomi, which has most of its devices running on Android 9.0 Pie.
On the other hand, less widely deployed versions, even recently released Android iterations, are more likely to see delayed updates or, even worse, missed patches. But missed patches don’t necessarily mean that the related vulnerabilities can be exploited, the company says.
Despite the progress, patch gaps vary widely among individual OEMs. At the top of the spectrum are Google, Nokia, and Sony. Laggards include OnePlus, Vivo, HTC, and Xiaomi.
Vendors at the forefront use less customized versions of Android, so they need less effort to apply patches. They also have fewer devices, which makes it easier to streamline the whole process and have the patches ready before Google publishes the official Android Security Bulletin on its website. This means such OEMs can roll out patches to their whole portfolio within a short period after Google first publishes security updates.