If the largest, richest OEM does a terrible job and gets away with it, how can we expect any better of the rest of them?

Samsung makes pretty good phones--great ones, even. They are also one of the few OEMs that actually profit on their device sales, and one of only two to make a sizable profit. People like their phones, in part because they are reliable, have features users enjoy, and lately they have vastly improved their software. To our surprise, they've even killed off some of their annoying duplicate services and bloatware... anyone else remember Milk Music? In my eyes, they've come a long way, which should be exciting for all Android users too, as they are one of the platform's standard-bearers. But despite all of this, Samsung still cannot get their act together when it comes to security updates in particular, highlighting an industry-wide problem. If Samsung can't do so, despite their tremendous investment in enterprise and software security, it's not unexpected that others will have an even tougher time. This is why it's time for Google to finally step in on the situation.


Android Security, a Never-Ending Controversy

When I bought my Galaxy S9+ I was excited for many reasons. After testing the Note8 Oreo update for months, I could without a doubt say that Samsung had improved their software offerings quite a bit. It felt faster, smoother, more performant over the weeks (and not just right after flashing) than prior Nougat-based builds, which was quite refreshing. They also were very quick on their security updates. Samsung would regularly have their Oreo beta builds running the most current security patches, usually pushed within a week of Google announcing the bulletin. OEMs are often notified and ready to act a month ahead of the announcement, to give them time to have day-one updates ready, something most do not achieve. Samsung had also just finished changing their flagships to a more unified model and SKU scheme. Instead of the G965T, G965A, G965V, and so on for every individual carrier, Samsung produces a singular base model G965U for the Snapdragon variant and G965F for Exynos. There still are other models like the N and FD variants, and each carrier does get its own specific software revision, but the important thing is that generally speaking, I can install the unlocked carrier variant software on my T-Mobile phone with no issues (Knox failing, or otherwise). Back in the old days, your options were more limited (T-Mobile Note 4 users might recall having to flash the Canadian variant images for access to faster updates). Streamlining models is actually something many OEMs have done over the past few years, as seeing devices with specific hardware for a single carrier or market is less common.

This should have been a solid move in the right direction in terms of software updates, seeing that they would no longer have to support individual SKUs but instead differentiate the phones in software for each carrier, and this software could actually be kept separate from the updated system files. Solid system on paper, but it has fallen flat on its face in real-world application. While having the latest and greatest Android version is good, it is not what I consider truly important. What I feel is truly important is staying current in terms of security updates--many IT departments who require these updates for BYOD feel the same way, and Samsung just has not delivered. Neither has LG, neither has Motorola, neither has HTC, and neither have most others. I mainly focus on Samsung because they are the largest player, with the most resources to set a solid example for the rest of the market, but nearly every OEM partner has failed to maintain continuous security updates for the life of their devices. Further, pushing from lazy software support to outright deceit, just a few weeks ago a large investigation showed that even when Android OEMs did update their devices, they sometimes would not actually contain the updates they claimed to deliver. Sadly though, Android security breaches are nearly a weekly occurrence, resulting in a huge list of devices that go unpatched even after Google has already been notified, pushed updates to partners, updated their Pixel devices, and notified the public. It is important to recall as well why we even have security patches in the first place: Stagefright.

The Stagefright vulnerability was one of the largest ever discovered, spanning nearly all Android devices at the time. This became public at the end of July 2015, and within a month Google announced their Android Security Bulletin program and has published a bulletin every month since that time. Through the nearly three years of bulletins, security vulnerabilities have been handled ahead of time, and before they became massive embarrassing news pieces highlighting the millions of exposed Android devices, so Google with their partners deserve some credit for maintaining this system. But simply having the system in place is not enough when partners are taking multiple months to push patches out, giving malicious individuals time to develop, implement, and attack even brand-new devices through these security flaws. My Galaxy S9+ is missing dozens of security patches, and while most of them may not apply to my device, and may be for older SoCs or hardware, there is not a single month that goes by that does not have a patch my phone could benefit from. Many times we like to blame carriers, especially in the US, for slow or absent updates, but Samsung is not keeping carrier-unlocked versions of their phones up to date either. This is a major problem, Samsung… This is a solvable problem, Google.
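The months-behind lag described here is exactly what a BYOD administrator can measure before letting a device onto the network. The following is an added example, not code from this post: it parses the output of `adb shell getprop` for a few constructed devices and reports how many monthly bulletins each one is behind. The property `ro.build.version.security_patch` is the real Android build property that carries the patch level; the device names and values are made up.

```python
"""Check how far each device's Android security patch level lags the
latest monthly bulletin (added example; the sample data is constructed)."""
from datetime import date

# Constructed sample of `adb shell getprop` output, one string per device.
# The property names are real Android build properties; values are invented.
SAMPLE_GETPROP = {
    "galaxy-s9plus": "[ro.product.model]: [SM-G965U]\n"
                     "[ro.build.version.release]: [8.0.0]\n"
                     "[ro.build.version.security_patch]: [2018-02-01]\n",
    "pixel-2":       "[ro.product.model]: [Pixel 2]\n"
                     "[ro.build.version.release]: [8.1.0]\n"
                     "[ro.build.version.security_patch]: [2018-05-05]\n",
    "unknown-tablet": "[ro.product.model]: [Generic Tablet]\n"
                      "[ro.build.version.release]: [7.0]\n",
}

def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line or not line.endswith("]"):
            continue
        key, _, value = line.partition("]: [")
        props[key[1:]] = value[:-1]
    return props

def months_behind(patch_level, latest_bulletin):
    """Whole calendar months between a device patch level (YYYY-MM-DD) and
    the latest bulletin date; the day of month is ignored on purpose,
    since bulletins carry 01 and 05 patch levels for the same month."""
    dev = date.fromisoformat(patch_level)
    ref = date.fromisoformat(latest_bulletin)
    return (ref.year - dev.year) * 12 + (ref.month - dev.month)

def assess_fleet(getprop_by_device, latest_bulletin, max_lag_months=1):
    """Return {device: (status, months_behind)}; a device missing the patch
    property cannot be assessed and is reported as 'unknown'."""
    report = {}
    for name, text in getprop_by_device.items():
        patch = parse_getprop(text).get("ro.build.version.security_patch")
        if patch is None:
            report[name] = ("unknown", None)
            continue
        lag = months_behind(patch, latest_bulletin)
        status = "compliant" if lag <= max_lag_months else "non-compliant"
        report[name] = (status, lag)
    return report
```

Run against a real device by replacing the constructed strings with the output of `adb shell getprop` and setting `latest_bulletin` to the current month's bulletin date.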

This is the part of the story where we put blame where it belongs, and for as bad as Samsung is, Google holds the ultimate reins of responsibility here, because frankly, they aren’t being responsible in how they let other companies manage their brand. There are good partners out there like Essential, and even Razer, who have done a solid job supporting their few thousand users and single model structure… Now before you throw Pixel Pixel Pixel in my face, hear this: Google has an obligation to ensure that their Android brand is well-represented, and brand new flagship devices running nearly three months of updates behind are not doing so properly. Why Google hasn’t stepped up and forced partners' hands is anyone's guess, especially given that Android has suffered one disastrous security issue after another. It could be that they are afraid of the Samsungs and Huaweis moving to their own forks, with their own App Stores, but I don’t think that is a valid concern. While these partners could do their own deal, the Google Play Store has more recognition and applications, and ultimately splitting up the user base would be detrimental to the end user and then to these partners. There is a more sinister motive that could be at play though, one where Google simply doesn’t care, and their behavior of letting Android OEMs do their own thing with weakly enforced or unenforced standards does lend itself to this argument. Their end goal could be to simply have more users, field and harness more data, and making the bar of entry nearly non-existent gets partners on board, especially those who have no plans for supporting the trash they sell. Ultimately, it gets Google the data they desire. Regardless of the reasons, Google has to hold their partners to acceptable levels of standards, one of which should be that security updates go out on time, every month, for all currently maintained devices.
There should be a standard requiring all OEM partners to maintain current security patches or risk losing their CTS validation for future devices.

The Pixel brand is good and is Google’s way of establishing a benchmark for partners in regards to timely updates, but the Pixel brand is still quite niche, and Samsung is unlikely to relinquish their control of the Android market share any time soon. However, putting software aside for a moment, the Pixel phones have been relatively inferior to similarly priced devices on the market. Be it a late adoption of 18:9 or water resistance last year, or LG being a terrible hardware partner this year, the Pixel phones are, in at least some ways, a step down in terms of the hardware offered for the price compared to other flagships that can be bought. Samsung sells more flagship phones in the first month than Google hopes to sell altogether--brand recognition, marketing and hardware or software features all play a role, but the result is what ultimately counts. The Pixel brand's impact on the market and mind-share is small and ultimately, when people think of Android, they think of the Samsung, LG, and Huawei devices of the world: all of which fail to properly maintain even their flagship devices.


The Android brand has been lambasted time and time again for its security flaws and slow updates, in great part thanks to these OEM partners. It is finally time for Google to take control and hold these partners responsible for their behavior, and establish requirements and rules to ensure all Android devices are as secure as they should be. Google has left it to manufacturers to manage the level of software support themselves for years now, and all Google has been left with is a harsh tarnishing of their brand and image, resulting in damage that may never be undone.