Google: Half Of Android Devices Went Without Platform Security Updates In 2016

Google published a "Year in Review" on the topic of Android security. Much of the report is laudable: The company got better at stopping the spread of Potentially Harmful Apps (PHAs) from Google Play. Also, Android Nougat brought file-based encryption and other security features along with it, and more than 735 million devices from over 200 manufacturers received at least one platform security update over the course of 2016. But it's not all good news.

The problem with a platform security update reaching 735 million devices is that it means roughly 50% of Android smartphones weren't updated. That means hundreds of millions of smartphones in use last year didn't get an entire year's worth of security patches delivered via these monthly updates. A lot of that is outside Google's control--manufacturers and distributors are free to release or not release updates to their devices--but it's still bad news.

As the company noted in its blog post:

"We appreciate all of the hard work by Android partners, external researchers, and teams at Google that led to the progress the ecosystem has made with security in 2016. But it doesn’t stop there. Keeping users safe requires constant vigilance and effort. We’re looking forward to new insights and progress in 2017 and beyond."

There is a silver lining in that Google's manufacturer and wireless carrier partners released "updates for over half of the top 50 devices worldwide in the last quarter of 2016." And, in addition to those efforts, Google said that it will "increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches."

The question is how much those efforts will matter. Android's update problem isn't new; people have known about it almost since the platform started to become popular. Letting manufacturers do basically whatever they want with the platform helped Android reach many more people than it might have otherwise, but it also means that Google's security updates only matter to consumers if their particular manufacturer or carrier decides to distribute them.

This problem also raises questions about Google's plan to secure Internet of Things (IoT) devices. Android Things was announced in December 2016 to help manufacturers respond to security problems in their products. That's an increasingly dangerous issue in IoT: Connected devices have been used to take down popular websites, potentially spy on children via teddy bears, and otherwise create problems for their owners and for the internet writ large.

There's a certain irony (even if only of the Alanis Morissette variety) in Google using Android to try to fix an IoT problem that has plagued Android smartphones for years. This "Year in Review" really drives that point home. Things are improving, and they could get even better in the future, but Google isn't "shooting for the moon and reaching the stars" so much as it's cleaning up after other companies with a broom and dustpan.

9 comments
  • nitrium
    A bigger security concern imo is Google not supporting older OSs which are still being widely used on millions of devices. I mean if you're running Honeycomb, Ice Cream Sandwich, Jellybean etc when was the last security patch released? I'm guessing zero in 2016. So if you want a secure device you HAVE to buy a new phone since there is no way to get Nougat onto older devices (unless you hack it on there, which would be far too difficult for most users).
  • captaincharisma
    This is why every Android phone I bought was a Nexus. Eventually I'll get a Pixel phone for the same reasons.
  • yamahahornist
    269381 said:
    A bigger security concern imo is Google not supporting older OSs which are still being widely used on millions of devices. I mean if you're running Honeycomb, Ice Cream Sandwich, Jellybean etc when was the last security patch released? I'm guessing zero in 2016. So if you want a secure device you HAVE to buy a new phone since there is no way to get Nougat onto older devices (unless you hack it on there, which would be far too difficult for most users).


    But in all reality you expect Google to sit around and push updates to software from 6 SDKs ago? Look at Apple and Microsoft. They have forcefully stopped updates on older OSes to "push" customers to new versions of their OS. People get so hurt over this and cry, "Microsoft is unfair and spying on us". Let's be real for a moment; I don't blame a company for wanting to push their customers to the newer platforms; is it fair? No, it's not. But when you buy an Android or an iPhone you don't really own the software on it. You get to use it, but you don't run it. That's why the XDA Android community is so large, because it's a bunch of people that want the latest and greatest and the safest patches. If Google wants the Android world to get safer then you drop support for the old stuff and improve the new stuff. They're a business with pushing technology and making money on the mind. Google releases updates for Android every month; if HTC or Samsung want their devices to have those updates they could, but they also want to make money. Look at this; Samsung can sell you a Note 3 running Android 5 or they can pitch you the new Note 7 with Android 7.1.2. Google isn't the problem, it's the third-party manufacturers. In all reality the Note 3 could run Android 7.1.2 just fine, but it doesn't so you buy the new one. Plain and simple; if Google wants manufacturers to keep their phones consistently updated then they need to do what Microsoft is doing.. Shutting down support for old OSes.