The Stagefright vulnerabilities seem to have kicked some sense into both Google and Samsung, because both companies will now start pushing security updates every month for their devices, over the air.
Google tried before to create the Update Alliance to fix an update situation that was even worse than it is today, but even if it succeeded to some degree, the plan itself was moderate at best. It offered only 18 months of updates for mobile devices, with no guidelines for how fast those updates should happen.
Plus, although most of the major manufacturers may upgrade their flagship devices for 18 months, not all devices at all price points benefit from such upgrades. Some may only receive one upgrade in their whole life cycle, or perhaps none at all.
Google and Samsung announced that they will try to improve the situation a little by pushing security updates every month to their devices from now on. Google has already pushed a patch for the Stagefright vulnerabilities, and some of Samsung's devices have started getting a similar patch as well. Samsung also said it's in discussions with carriers around the world to implement this new, faster update process, which should allow its devices to become more secure.
Samsung has been pushing its devices in the enterprise market with the Knox security features, so it has a real profit incentive to make them as secure as possible. Otherwise, its devices would stop being taken seriously in the enterprise world, where Android devices already suffer from a bad image regarding their security.
What neither of the two companies said is how long they are going to provide these updates. Are the two companies willing to extend the time for which a device is getting security updates well beyond the time in which it gets OS updates? Or will the security updates stop as soon as the last scheduled OS update arrives on certain devices?
Ideally, we should be seeing OS updates for at least two years. That's how long the vast majority of smartphone owners keep their devices, so the devices should be fully supported for that period. Security updates should probably be received for four years, to ensure that only a very small percentage of smartphone owners would be vulnerable to critical security vulnerabilities.
Google and Samsung at least took a small step to improve the major problem with security updates on Android. Ultimately, it won't matter as much just how secure the Android OS is if it can't be fixed on time when security vulnerabilities are inevitably found. We already know that customized Android software only makes this problem significantly worse to manage, so for the Android ecosystem to become more secure overall, more OEMs will have to step up their game when it comes to security issues.