The variegated state of the Android ecosystem has always been a problem for users seeking to ensure their smartphone is patched up to date against the latest publicly disclosed cybersecurity flaws — and new figures show it’s still a huge issue, despite some progress.
Updates produced by Android have to be customized by the handset manufacturer. Samsung alone offers 13 models of Android phone, each one sold by up to 200 different telecom carriers, all of whom customize their operating system to different degrees — meaning they might have to tweak the updates as well, before finally distributing them to phone users. The users, of course, then have to install them.
Figures released by Google’s Android last week suggest that more users are getting regular updates than ever before — but still show only half of the 1.4 billion Android devices in circulation got an update of any kind during 2016.
Updates are crucial because researchers are constantly discovering bugs, flaws and security holes in software packages and operating systems. The Stagefright vulnerability helped highlight security problems for the Android ecosystem in 2015. Since then, Android has been providing security updates every month and for Google’s own Nexus and Pixel phones, they are sent out as soon as they become available. A number of other handset manufacturers, including Samsung and LG “regularly deliver security updates to flagship devices on the same day as Google’s updates to Nexus and Pixel devices,” according to Android’s head of security Adrian Ludwig.
But other manufacturers, especially at the low cost end of the spectrum, often aren’t so quick to push out updates, and users sometimes don’t bother to install them.
“The delivery of software updates to Android devices that aren’t directly controlled by Google is a major issue,”Nathalie Maréchal, senior fellow with Ranking Digital Rights, told Consumer Reports.
Ranking Digital Rights last week published its 2017 Corporate Accountability Index, evaluating 22 of “the world’s most powerful telecommunications, internet, and mobile companies on their public commitments and disclosed policies affecting users’ freedom of expression and privacy.”
Marechal added that the update issue was especially important because it helped underpin inequality in security. “Low-income, minority and other marginalized users are most likely to use cheaper, older devices that no longer get security updates, or only do so with a significant delay,” she said.
Worldwide, almost 15 percent of Android devices are using a version of the OS that is no longer updated at all. Android offers security updates for all versions 4.4 and up — i.e. for phones released in June 2014 and since. That covers more than 86 percent of all devices running the OS, according to Android.
And of the three wireless manufacturers evaluated by Ranking Digital Rights — Apple, Google, and Samsung — only Google provides a guaranteed timeline for continued updates to its device software. In the case of Pixel and Nexus devices, users will get updates and patches for at least three years from when the device first became available, or at least 18 months from when the Google Store last sold the device, whichever is longer.
And, in the Android ecosystem, even those devices for which updates are made regularly available are dependent on the manufacturers to customize the updates and the telecom carriers to make them available over the network.
But of course, even once the update is available, the users still have to install it. Samsung says about 15 percent of its users don’t bother. Survey data collected last year by the Pew Center found that a large majority of American smartphone users, 75 percent, fall into a middle range when it comes to mobile security. “This group includes smartphone owners who … users, only update their phone’s apps and operating system when it’s convenient for them to do so,” Pew states.