Google: Half Of Android Devices Went Without Platform Security Updates In 2016

Google published a "Year in Review" on the topic of Android security. Much of the report is laudable: The company got better at stopping the spread of Potentially Harmful Apps (PHAs) from Google Play. Also, Android Nougat brought file-based encryption and other security features along with it, and more than 735 million devices from over 200 manufacturers received at least one platform security update over the course of 2016. But it's not all good news.

The problem with a platform security update reaching 735 million devices is that it means roughly 50% of Android smartphones weren't updated. That means hundreds of millions of smartphones in use last year didn't get an entire year's worth of security patches delivered via these monthly updates. A lot of that is outside Google's control--manufacturers and distributors are free to release or not release updates to their devices--but it's still bad news.

As the company noted in its blog post:

"We appreciate all of the hard work by Android partners, external researchers, and teams at Google that led to the progress the ecosystem has made with security in 2016. But it doesn’t stop there. Keeping users safe requires constant vigilance and effort. We’re looking forward to new insights and progress in 2017 and beyond."

There is a silver lining in that Google's manufacturer and wireless carrier partners released "updates for over half of the top 50 devices worldwide in the last quarter of 2016." And, in addition to those efforts, Google said that it will "increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches."

The question is how much those efforts will matter. Android's update problem isn't new; people have known about it almost since the platform started to become popular. Letting manufacturers do basically whatever they want with the platform helped Android reach many more people than it might have otherwise, but it also means that Google's security updates only matter to consumers if their particular manufacturer or carrier decides to distribute them.

This problem also raises questions about Google's plan to secure Internet of Things (IoT) devices. Android Things was announced in December 2016 to help manufacturers respond to security problems in their products. That's an increasingly dangerous issue in IoT: Connected devices have been used to take down popular websites, potentially spy on children via teddy bears, and otherwise create problems for their owners and for the internet writ large.

There's a certain irony (even if only of the Alanis Morissette variety) in Google using Android to try and fix an IoT problem that has plagued Android smartphones for years. This "Year in Review" really drives that point home. Things are improving, and they could get even better in the future, but Google isn't "shooting for the moon and reaching the stars" so much as it's cleaning up after other companies with a broom and dustpan.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • nitrium
    A bigger security concern imo is Google not supporting older OSs which are still being widely used on millions of devices. I mean if you're running Honeycomb, Ice Cream Sandwich, Jellybean etc when was the last security patch released? I'm guessing zero in 2016. So if you want a secure device you HAVE to buy a new phone since there is no way to get Nougat onto older devices (unless you hack it on there, which would be far too difficult for most users).
  • captaincharisma
    This is why every Android phone I bought was a Nexus. Eventually I'll get a Pixel phone for the same reasons.
  • yamahahornist
    19467022 said:
    A bigger security concern imo is Google not supporting older OSs which are still being widely used on millions of devices. I mean if you're running Honeycomb, Ice Cream Sandwich, Jellybean etc when was the last security patch released? I'm guessing zero in 2016. So if you want a secure device you HAVE to buy a new phone since there is no way to get Nougat onto older devices (unless you hack it on there, which would be far too difficult for most users).

    But in all reality you expect Google to sit around and push updates to software from 6 SDKs ago? Look at Apple and Microsoft. They have forcefully stopped updates on older OS to "push" customers to new versions of their OS. People get so hurt over this and cry, "Microsoft is unfair and spying on us". Let's be real for a moment; I don't blame a company for wanting to push their customers to the newer platforms; is it fair? No, it's not. But when you buy an Android or an iPhone you don't really own the software on it. You get to use it, but you don't run it. That's why the XDA Android community is so large, because it's a bunch of people that want the latest and greatest and the safest patches. If Google wants the Android world to get safer then you drop support for the old stuff and improve the new stuff. They're a business with pushing technology and making money on the mind. Google releases updates for Android every month; if HTC or Samsung want their devices to have those updates they could, but they also want to make money. Look at this; Samsung can sell you a Note 3 running Android 5 or they can pitch you the new Note 7 with Android 7.1.2. Google isn't the problem, it's the third-party manufacturers. In all reality the Note 3 could run Android 7.1.2 just fine, but it doesn't so you buy the new one. Plain and simple; if Google wants manufacturers to keep their phones consistently updated then they need to do what Microsoft is doing: shutting down support for old OSes.
  • nitrium
    19467219 said:
    But in all reality you expect Google to sit around and push updates to software from 6 SDKs ago? Look at Apple and Microsoft. They have forcefully stopped updates on older OS to "push" customers to new versions of their OS. People get so hurt over this and cry, "Microsoft is unfair and spying on us". Let's be real for a moment; I don't blame a company for wanting to push their customers to the newer platforms; is it fair? No, it's not. But when you buy an Android or an iPhone you don't really own the software on it. You get to use it, but you don't run it. That's why the XDA Android community is so large, because it's a bunch of people that want the latest and greatest and the safest patches. If Google wants the Android world to get safer then you drop support for the old stuff and improve the new stuff. They're a business with pushing technology and making money on the mind. Google releases updates for Android every month; if HTC or Samsung want their devices to have those updates they could, but they also want to make money. Look at this; Samsung can sell you a Note 3 running Android 5 or they can pitch you the new Note 7 with Android 7.1.2. Google isn't the problem, it's the third-party manufacturers. In all reality the Note 3 could run Android 7.1.2 just fine, but it doesn't so you buy the new one. Plain and simple; if Google wants manufacturers to keep their phones consistently updated then they need to do what Microsoft is doing: shutting down support for old OSes.

    Microsoft is not a good example because the new OSs DO run on old hardware (i.e. you don't need a new computer to run Windows 10), not so with Android. Also both Microsoft and Apple release security patches for older devices and for MUCH longer than Google does for Android. Microsoft still releases security updates for Windows 7, for example, an OS dating back from 2009! Google isn't even releasing security patches for Marshmallow any more - an OS they released in Dec 2015 and wasn't widely available until last year!
  • house70
    19467310 said:
    Microsoft is not a good example because the new OSs DO run on old hardware (i.e. you don't need a new computer to run Windows 10), not so with Android. Also both Microsoft and Apple release security patches for older devices and for MUCH longer than Google does for Android. Microsoft still releases security updates for Windows 7, for example, an OS dating back from 2009! Google isn't even releasing security patches for Marshmallow any more - an OS they released in Dec 2015 and wasn't widely available until last year!

    Actually, if you have a Nexus 6 running Android 6.x you are still getting monthly security updates. You can check that by visiting the OTA/factory image page and you'll find all the updated versions available for anyone to get and flash.
  • nitrium
    19467712 said:
    Actually, if you have a Nexus 6 running Android 6.x you are still getting monthly security updates. You can check that by visiting the OTA/factory image page and you'll find all the updated versions available for anyone to get and flash.

    I have a Nexus 7 2013, and Google is not EVER releasing Nougat for it (despite it running it fine if you hack it on there - better than Marshmallow in fact, because it's a more optimised OS). The last OTA security patch for Marshmallow was October 2016, I think. So I have a perfectly good, fully working device that I can't now officially update with security fixes. And Google has the audacity to say it's concerned about security on Android devices??? Yeah, right.

  • alextheblue
    19467310 said:
    Microsoft is not a good example because the new OSs DO run on old hardware (i.e. you don't need a new computer to run Windows 10), not so with Android. Also both Microsoft and Apple release security patches for older devices and for MUCH longer than Google does for Android. Microsoft still releases security updates for Windows 7, for example, an OS dating back from 2009! Google isn't even releasing security patches for Marshmallow any more - an OS they released in Dec 2015 and wasn't widely available until last year!

    You beat me to it. Security-only patches will still be hitting Windows 7 for YEARS, and that OS is practically ancient compared to still-patched Android versions. I can't believe he tried to use Microsoft as an example of "not supporting old OS versions". Also, as you pointed out, you can typically upgrade to Win10 without getting a new PC unless your machine is really old and/or b0rked. Android devices often cease being able to update through official channels after a few years, even many Google-branded devices.

    For the US market that's not generally a big deal, but elsewhere not everyone is using new/high-end/Google-branded devices. Plus when Win10 was new they offered free upgrades for quite a while. I took advantage on multiple machines before the offer expired. Not to mention that with Windows 10, you aren't beholden to manufacturers or carriers for updates. That even applies to W10M (although that wasn't the case with WP 8.x so if you're coming from Windows Phone, that upgrade to 10 requires manufacturer support).
  • dstarr3
    19467219 said:
    19467022 said:
    A bigger security concern imo is Google not supporting older OSs which are still being widely used on millions of devices. I mean if you're running Honeycomb, Ice Cream Sandwich, Jellybean etc when was the last security patch released? I'm guessing zero in 2016. So if you want a secure device you HAVE to buy a new phone since there is no way to get Nougat onto older devices (unless you hack it on there, which would be far too difficult for most users).

    But in all reality you expect Google to sit around and push updates to software from 6 SDKs ago? Look at Apple and Microsoft. They have forcefully stopped updates on older OS to "push" customers to new versions of their OS. People get so hurt over this and cry, "Microsoft is unfair and spying on us". Let's be real for a moment; I don't blame a company for wanting to push their customers to the newer platforms; is it fair? No, it's not. But when you buy an Android or an iPhone you don't really own the software on it. You get to use it, but you don't run it. That's why the XDA Android community is so large, because it's a bunch of people that want the latest and greatest and the safest patches. If Google wants the Android world to get safer then you drop support for the old stuff and improve the new stuff. They're a business with pushing technology and making money on the mind. Google releases updates for Android every month; if HTC or Samsung want their devices to have those updates they could, but they also want to make money. Look at this; Samsung can sell you a Note 3 running Android 5 or they can pitch you the new Note 7 with Android 7.1.2. Google isn't the problem, it's the third-party manufacturers. In all reality the Note 3 could run Android 7.1.2 just fine, but it doesn't so you buy the new one. Plain and simple; if Google wants manufacturers to keep their phones consistently updated then they need to do what Microsoft is doing: shutting down support for old OSes.

    BREAKING NEWS: Man in comments section misunderstands point, reality
  • bloodroses
    Biggest issue I've had with Google/Android is that they remove driver support on each new release of Android. I have a device stuck on 4.4 and I can't root it to 5+ unless I want to lose WiFi support on it. The worst part is that Google services continuously crashes on the device unless I constantly downgrade the version of services, play store, play, etc. It really is piss-poor management of theirs in an effort to force people to pay for the latest and greatest.