Google’s Android operating system powers over 2 billion smartphones worldwide. While Google engineers are at the forefront of releasing updates and patches for vulnerabilities discovered by security researchers, the end user is generally left in a hopeless position. This is not because of Google but because of smartphone manufacturers, who are somewhat careless about releasing these updates to their customers.
Smartphone manufacturers like Samsung and LG, though slow in releasing patches, are at least releasing them, but there are several fly-by-night smartphone manufacturers who just sell an Android-powered smartphone and forget about it. So far there has never been any detailed study of how slow Android smartphone manufacturers are to release updates once Google has released them. Now a chart released by @SecX13 does exactly that, which matters to any Android smartphone owner.
SecX13 has compared the frequency with which smartphone manufacturers release security updates and patches to the end user. As said above, SecX13 also finds that Samsung, as a leading Android phone manufacturer, does provide security updates but is somewhat lethargic about it. Samsung is found to release the patches many days after Google’s first rollout. Support timelines for Samsung phones range from 1 to 2.5 years, depending on the model of phone.
The chart also includes iPhones as well as smartphones sold by Nokia. Apple is very particular about releasing updates, partly because of vulnerabilities but mostly due to the fear that its iOS can be broken by hackers to create jailbroken versions, which are harmful to Apple’s App Store business.
Nokia, though a new entrant in the Android smartphone business, is another smartphone maker that makes updates available to its users promptly, within a period of 2 weeks of Google's release. Apple provides the longest support for security updates at five years (excluding the iPhone 5C, which received 4), though this is not without problems.
Google-branded devices such as the Pixel and Pixel 2 top the list, receiving updates almost immediately. So much so that Pixel users complain about receiving an update every week.
Blackberry is ranked third among Android device manufacturers in the chart, with security updates available weeks after their publication, across different models. Blackberry is susceptible to delays from carriers, though the company honors its guarantee of two years of security updates.
Sony lags in providing updates regularly. While Sony is a major smartphone player in Japan and Europe, the company has had difficulty making a meaningful impact in the US market due to difficulties working with carriers, and an unexplained problem that prevented the company from shipping phones with fingerprint sensors (though they can be enabled by flashing a different region ROM to the phone).
HTC and Huawei do manage timely security updates on limited phones in specific circumstances.
While the report specifically addresses security updates, the difficulty of building updates, in general, is one that Google has sought to fix with the release of Android 8.0 (Oreo). Devices that ship with Oreo or higher are obligated to support Project Treble out of the box, which will allow device manufacturers to streamline the update process, as the overhead of building updates is lessened.