Google, Samsung Pledge Monthly Security Updates For Their Devices

The Stagefright vulnerabilities seem to have kicked some sense into both Google and Samsung, because both companies will now start pushing security updates every month for their devices, over the air.

Google tried before to create the Update Alliance to fix an update situation that was even worse than it is today, but even though it succeeded to some degree, the plan itself was moderate at best. It offered only 18 months of updates for mobile devices, with no guidelines for how fast those updates should arrive.

Plus, although most of the major manufacturers may upgrade their flagship devices for 18 months, not all devices at all price points benefit from such upgrades. Some may only receive one upgrade in their whole life cycle, or perhaps none at all.

Google and Samsung announced that they will try to improve the situation a little by pushing security updates to their devices every month from now on. Google has already pushed a patch for the Stagefright vulnerabilities, and some of Samsung's devices have started getting a similar patch as well. Samsung also said it's in discussions with carriers around the world to implement this new, faster update process, which should allow its devices to become more secure.

Samsung has been pushing its devices in the enterprise market with the Knox security features, so it has a real profit incentive to make them as secure as possible. Otherwise, its devices would stop being taken seriously in the enterprise world, where Android devices already suffer from a bad image regarding their security.

What neither of the two companies said is how long they are going to provide these updates. Are the two companies willing to extend the time for which a device is getting security updates well beyond the time in which it gets OS updates? Or will the security updates stop as soon as the last scheduled OS update arrives on certain devices?

Ideally, we should be seeing OS updates for at least two years, considering that's how long the vast majority of smartphone owners keep their devices, so they should be fully supported in this time period. Security updates should probably be received for four years, to ensure that only a very small percentage of the smartphone owners would be vulnerable to critical security vulnerabilities.

Google and Samsung at least took a small step to improve the major problem with security updates on Android. Ultimately, it won't matter as much just how secure the Android OS is if it can't be fixed on time when security vulnerabilities are inevitably found. We already know that customized Android software only makes this problem significantly worse to manage, so for the Android ecosystem to become more secure overall, more OEMs will have to step up their game when it comes to security issues.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • targetdrone
    Sounds fine and dandy until security updates are blocked by carriers because they want you to buy the latest phone to get the latest OS.

    I'm talking about you T-Mobile.
  • gangrel
    The point about the customized versions is, by my lights, a huge one. It will be interesting to see how many of the larger handset makers, who do implement custom versions, start promising the same thing. BUT, even if they do, they'll still take longer to push out a fix. If nothing else they have to wait for Google to create the fix, then regression test their own code and make any necessary adaptations.

    Been considering a midrange phone; the new Moto G is probably just about right from my perspective. Still, I've also been waiting to see when the Snapdragon 425 handsets come out; it shouldn't be too far off. BUT, unless there's a new Nexus phone using the 425, or 618/620...it's dollars to donut holes that they'll be custom versions of Android...and thus, have this time-to-fix issue.
  • JPNpower
    With mobile hardware advancing, I don't see why Android can't do as Windows has done for ages now with easy upgrades to any device.
  • gangrel
    Android is massively fragmented. Google can do this for stock Android, ergo Nexus and Motorola, and maybe some others. They can't do it for the heavily skinned versions, like Samsung and Sony; the changes Google makes may break the extensions to the core products that those developers made.

    Now...why can't stock Android improve its update pulls? I believe Windows Update supports both push and pull; Android's "check for updates" looks like a pull request, but Google blocks it. I just tried to get the Stagefright patch for my Nexus 9. It does exist...but the response was "no updates available." THIS is where improvements can be made. Microsoft managed a massive, MASSIVE rollout with Win 10, that I daresay was orders of magnitude larger than the Stagefright patch, in terms of overall bandwidth and server requirements. OK, I can side-load the file...I ultimately did this with Android 5.0 for my Nexus 7...but that requires rooting it, and that's a poor choice.
  • heffeque
    Sounds fine and dandy until security updates are blocked by carriers because they want you to buy the latest phone to get the latest OS.

    I'm talking about you T-Mobile.
    It's as easy as buying your own phone instead of buying crapware-riddled T-Mobile phones.
  • targetdrone
    Sounds fine and dandy until security updates are blocked by carriers because they want you to buy the latest phone to get the latest OS.

    I'm talking about you T-Mobile.
    It's as easy as buying your own phone instead of buying crapware-riddled T-Mobile phones.

    Who else makes a Galaxy Note that supports all of the T-Mobile LTE bands and doesn't lock the boot loader?
  • heffeque
    16411880 said:
    Sounds fine and dandy until security updates are blocked by carriers because they want you to buy the latest phone to get the latest OS.

    I'm talking about you T-Mobile.
    It's as easy as buying your own phone instead of buying crapware-riddled T-Mobile phones.

    Who else makes a Galaxy Note that supports all of the T-Mobile LTE bands and doesn't lock the boot loader?
    Why not buy your own phone and use a cell phone company that uses common international LTE bands? And if the boot loader is locked... unlock it.
    People just love to complicate their lives...
  • gangrel
    Why not buy your own phone and use a cell phone company that uses common international LTE bands?

    1. Then you're paying full-bore retail. The days of phone subsidies may be coming to an end...but they're not over. The providers didn't give you a discount for BYOD, so you're getting stuck paying the price of the phone, AND the markup built into the plan to pay for the phone subsidy. This argument will probably become moot in a few years as subsidies disappear.

    2. I don't think most phones actually handled that many different bands until fairly recently...and generally, I suspect those are the higher-end phones.

    And if the boot loader is locked... unlock it.

    This voids warranties.

    And you're talking the techno-geek solutions. Joe Q. Salesman doesn't know the difference between CDMA and GSM, and doesn't care about LTE bands. He wants to know: is this going to work where I have to travel? Can it give me my high-speed data? And what about service? If the phone doesn't work...if you got it from your carrier, it's at least theoretically possible to swap it out at their phone store.

    People just love to complicate their lives...

    WRONG. Most people want SIMPLE SOLUTIONS all handed to them. They want to use their phone without thinking about it. What you're suggesting is great for the cognoscenti, but not the plebes. And as always, the latter, in numbers, overwhelmingly dominate.
  • heffeque
    16421409 said:
    Why not buy your own phone and use a cell phone company that uses common international LTE bands?

    1. Then you're paying full-bore retail. The days of phone subsidies may be coming to an end...but they're not over. The providers didn't give you a discount for BYOD, so you're getting stuck paying the price of the phone, AND the markup built into the plan to pay for the phone subsidy. This argument will probably become moot in a few years as subsidies disappear.

    2. I don't think most phones actually handled that many different bands until fairly recently...and generally, I suspect those are the higher-end phones.

    And if the boot loader is locked... unlock it.

    This voids warranties.

    And you're talking the techno-geek solutions. Joe Q. Salesman doesn't know the difference between CDMA and GSM, and doesn't care about LTE bands. He wants to know: is this going to work where I have to travel? Can it give me my high-speed data? And what about service? If the phone doesn't work...if you got it from your carrier, it's at least theoretically possible to swap it out at their phone store.

    People just love to complicate their lives...

    WRONG. Most people want SIMPLE SOLUTIONS all handed to them. They want to use their phone without thinking about it. What you're suggesting is great for the cognoscenti, but not the plebes. And as always, the latter, in numbers, overwhelmingly dominate.

    1. There are alternatives without subsidies that are cheaper than with subsidies. Perfect for people that have their own phone.

    2. I don't see your point.

    3. My father just bought a Motorola E and got a more or less good deal on the minutes+data (cheaper than with subsidies). No weird solutions.
  • gangrel
    I'm not saying people *can't* go this route...do your device research, do research on your MVNOs. I'm saying that a lot of people don't want to, at best, and a significant fraction of those would get confused if they tried to work through all the details.