One of the interesting and odd things Google does is roast itself (and others) over security issues. In this year’s Year in Review of 0-days exploited in-the-wild, Google took particular aim at the Android ecosystem for being so bad at getting patches on users’ devices that Android doesn’t even need 0-days to be exploited in the first place.
These gaps between upstream vendors and downstream manufacturers allow n-days – vulnerabilities that are publicly known – to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device. While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android.
This is a great case for attackers. Attackers can use the known n-day bug, but have it operationally function as a 0-day since it will work on all affected devices.
The Android update problems are not just limited to devices not receiving updates to new major Android versions – it also extends to the monthly Android security patches that somehow need to make it to users’ devices. My Galaxy S21 has been getting these updates consistently, sometimes even before Pixel devices get them, but many, many devices never get these at all, or only sporadically.
The Android update problem is by far the biggest problem in the Android ecosystem, and despite Google and OEMs promising to do better every year, we’re still far, far from where we should be.
Thom Holwerda,
Where we should be is users downloading updates for Android from Google themselves in the exact same way that users download updates for Windows from Microsoft themselves. These Android OEMs are unnecessary software middlemen. They only get in the way of maintaining the OS, and most of our issues would go away if we could just take these middlemen out of the loop.
I predict these problems will never go away for as long as OEMs are responsible for the OS.
The problem is there’s no ARM platform.
Each Android smartphone is a very unique device only its vendor is capable of maintaining. As a result only the vendor can release updates/patches, and all of them would love to avoid doing that as much as possible, as it’s not a source of profits.
I talked about that probably a decade ago, nothing has really changed ever since.
With x86 we have the luxury of running any x86 compatible OS. With ARM? Nope, not going to happen any time soon.
Artem S. Tashkinov,
I agree with this, the lack of platform standards has been a huge problem with ARM devices.
I think most OEMs prefer differentiating their products, they’re scared of becoming generic hardware vendors. Ironically though many consumers prefer vanilla android.
Yep, I don’t believe they’re going to change either. We should expect this long term. OEMs don’t want to fix it, and unfortunately the status quo has been good for planned obsolescence. For their part, Google hasn’t shown much interest in mandating standards like UEFI the way Microsoft does.
We are very fortunate that x86 got standardized. This wouldn’t happen again under today’s norms.
If the Web Integrity API wasn’t just a malicious power grab and they actually cared about the health of the net, they would patch Android phones that are more than 5 years old. Also, many (most?) mainstream websites now run JavaScript where they collect all of your movement in real-time, as in, mouse x/y movement, characters typed even if you don’t submit them, etc. They could even feed this data into a program and have it create a movie of the user’s behavior while on a website, analogous to feeding game engine demos into the game and producing conventional movie files from the result. No average user understands this, and none of them would consent to it if they did. This intrusive violation of privacy could also be used to distinguish humans from bots; but that’s not the point of WEI. Even when WEI is completely implemented, all a malicious actor has to do is connect their evil bot computer to their industry-trusted computer sitting right next to it by way of USB human interface protocols.
As a Motorola user, they used to send monthly updates without problem, but they are one of the few who don’t put too much stuff inside their Android version; it’s almost vanilla.
Same here, this is why I abandoned Samsung… 6 months to a year for updates.
While most companies that stay mostly vanilla get monthly updates or so.
Huh? This thread makes no sense. Lenovo is well known to be poor with updates while Samsung is best in class with Android updates and security updates rivaling Google’s Pixel phones.
https://www.androidauthority.com/phone-update-policies-1658633/
For example, Samsung flagship devices get 4 Android updates and monthly security updates, while Lenovo flagship phones get two Android updates and bi-monthly security updates.
Incorrect. In the case of Motorola (I know, they belong to Lenovo, but their management is a little different) it depends on the model; not all models are the same for them. If you have a cheap variant (low grade Moto G, or E or C), yes, it’s a little bit messy, but if you are using a Moto Edge you have good patches and continuity. I don’t think it’s the best strategy (they sell a lot of Moto G), but I’m not comparing to Samsung (that wasn’t me), just that I receive updates and not too old. The zero-day issue is still there because there’s no apt-get update 😉
What’s incorrect? I gave you a link that you can read, and Lenovo’s actual policy for FLAGSHIP devices (not their budget line) is two Android updates and bi-monthly updates. I know you didn’t compare them to Samsung (didn’t reply directly to you) but OK? Who are you comparing them to then? Oppo? LOL “Vanilla” Android does not guarantee good software support.