New Phones with Old Android Versions: Why Security Patches & Feature Updates Lessen the Downsides
They say two things are inevitable, death and taxes; for us Android enthusiasts there is a third thing, and that’s reading debates and complaints about OS updates… or lack thereof.
With billions of devices spanning the entire price spectrum, from hundreds of manufacturers in dozens of countries, it would come as no surprise that keeping such a large and diverse fleet of devices updated would be difficult — every company targets different audiences, with different means and resources, by offering different hardware configurations. This problem is compounded when large OEM’s like Samsung and Huawei down to small ones like BLU and UMi seem dead-set on layering Android with added features that delay development of updates; even when OEMs decide to slim down their ROMs to allegedly speed up the process, manufacturers often fail to deliver on their promises. This has even caused newly announced devices to be launched with seemingly “out of date” Android versions, which immediately sets the user behind the curve and waiting for months to receive the latest and greatest. Sometimes this means waiting for half a year (like with the Honor 5X and Marshmallow) or a mere few months (as was the case with the original Moto G and KitKat). But should this really be a major cause of concern, or make us write off an entire device – and the hardware we ultimate most of the price for – because it isn’t running the latest and greatest in terms features and software?
In the beginning of 2015 there was one surefire method of tracking updates across all OEMs, and that was the Android OS update version. Didn’t have the most current release of Android, but wanted to know if you were secure? Well you were out of luck, as tracking the releases for security patches was all but impossible — some OEMs didn’t update at all, and the ones that had minor updates (infrequently) didn’t exactly detail what changed and for which reasons in terms of security. Release notes: Bug Fixes… This all changed in late 2015 following a series of massive security flaws and exploits that affected a significant proportion of Android devices in some shape or form, including the infamous “Stagefright”, and these ultimately prompted Google and committed OEMs to deliver monthly security patches to address the biggest vulnerabilities.
Google took security seriously and began the Android Security Bulletin that has been putting out updates since August of 2015. The real benefit of these bulletins and the security patch system are threefold. Firstly, it allows users to see how updated they are through the settings menu, instead of a largely ambiguous OS version which meant little to the actual security level. Second, it holds OEMs accountable to the user by not allowing them to hide behind the OS version or their own confusing particular patch numbers. Finally, it made security patches easier to push out by streamlining their release, making them more transparent, and also patching them on older Android releases — users no longer needed to be on the latest version of Android to get the latest protections, and prompting OEMs to keep track of devices regardless of whether they were running the newest OS enhanced users’ prospects as well . These security patches have greatly improved Android, helping the brand itself alleviate the constant assault it suffered for flaws like Stagefright or the WebView vulnerabilities found by Metasploit. While the road was tough in the beginning, many OEMs are now pushing updates out for older devices at a fairly steady rate and many new devices launched with what could be considered an “outdated OS” are relatively current in terms of security.
As recent as a year ago a device getting an update that was not fixing a glaring user-facing issue or a major OS release was a rare sight; but today such updates are commonplace most often coming in sub-100MB patches. As OEM’s push these updates to their devices there may also being device enhancing features such as the FM radio patch that T-Mobile Galaxy S7’s saw early last year. What’s more, even carriers are complying with these security patches. Bugs get squashed, features get added, and even battery improvements have all been seen coming with these security updates. Some OEMs running their own ROMs, such as EMUI or MIUI, can have their devices get the latest features in feature updates without necessarily upgrading the Android OS version, too. In terms of both features and security, jumping to a new Android dessert is no longer an absolute necessity.
So what am I saying? Are major feature releases suddenly less important and we shouldn’t focus on these why buying a new phone or recommending one? In the past one of the primary reasons for obtaining OS updates was the enhanced security they brought. While major OS releases like Nougat and Marshmallow do have enhancements and benefits that cannot be brought to older OS releases by nature, the core of security improvements are available on older releases. Also too, many of the improvements and features brought to devices via major OS releases have been found in OEM skins in one shape or another, even if they might have been poorly implemented, and other UI improvements are superseded by OEM UI changes anyway. Night mode, display-size tuners, custom quick settings, multi-window and double tap to switch apps were seen in older releases brought by skins like TouchWiz or EMUI.
Not every phone is a Pixel, and not every user is an enthusiast. As an enthusiast group though, we demand the latest and greatest software and features, or we find ways of obtaining it ourselves (which is why we care so much about open bootloaders, but that’s another story). But we are a very small piece of the market, and the mainstream market would rather have something that works than one that doesn’t, but that runs the very latest software. Just ask Note 4 owners how rough those initial Lollipop updates went, or iPhone 4S owners running iOS9. A major benefit to security patches is that OS version updates to aging devices may negatively impact the user experience whereas security updates only stand to improve the safety and security with little in the way of negative side effects.
A year and a half ago, before Android Security Bulletins, OEMs needed to update their devices to provide the most updated security benefits so major OS versions were the end-all be-all. Today though, the Security Patch version should be more important to the end user than the OS version because even if you are running the latest OS, you aren’t necessarily running the latest Security Patch. Instead of mocking OEMs for slow major feature releases or launching a device on a perceived “outdated OS”, many OEMs should be commended for keeping devices on relatively current patch versions and in some cases rolling out patches before Google does. That’s not to defend the skins or ROMs OEMs use (personally I’m not a fan) instead it is merely giving credit where credit is due. We could argue all day whether Samsung’s vision of Android is superior to Huawei’s, OnePlus’s, or Google’s, and there would be no clear winner.
Like it or not people like these OEMs’ stock ROMs enough to continually purchase their products, and the discussion of these slowing down feature updates is a larger debate for another day. People who buy a device from the Galaxy S or Huawei Mate series are familiar with the look and feel of those respective brands, and our beloved AOSP feels alien to them. Fortunately, with the advent of security patches, users are no longer forced to live with an insecure OS to use what they really want… After all isn’t Android’s tag line, “Be Together Not The Same”.