Google breaks down security patches for Android
Google published monthly security updates for Android for about a year which manufacturers get in advance to push out to their devices after integrating and testing the patches.
While some manufacturers are quick to integrate new security patches, others are not so much.
My Xiaomi Mi4c phone is stuck on the July patch level for instance, which means that it has not received the August nor the recently released September patches yet.
Tip: you can check the patch level of your Android device in the following way: open the Settings application on your device and find the about link on the page. There you should find information about the Android security patch level.
Android Central reports that Google has broken down security patches for Android this month instead of shipping all patches in a single package.
Google released three patches this month for Android that fix various security related issues for all devices running the operating system.
- 2016-09-01 — patches for a pair of Critical remote code execution vulnerabilities, many serious Elevation of Privilege vulnerabilities, several Information Disclosure vulnerabilities, and a pair of Denial of Service vulnerabilities all within Android itself.
- 2016-09-05 — Everything in the 2016-09-01 patch, as well as patches for several kernel related Elevation of Privilege vulnerabilities, many Qualcomm driver-related vulnerabilities, and Elevation of privilege vulnerabilities found in other third-party drivers.
- 2016-09-06 — Everything in the 2016-09-01 and 2016-09-05 patches, as well as a fix for a Critical Elevation of Privilege vulnerability in the kernel shared memory subsystem and a fix for a vulnerability in a Qualcomm networking component.
The third patch, released on September 6, includes the patches released on September 1 and 5. If it is installed, it makes the device the securest.
While Google has not revealed why it changed how Android patches are provided to manufacturers, it appears that this is done for a number of reasons.
First, it provides manufacturers with options to prioritize patches and deliver some to their Android user base faster. Manufacturers may pick high priority patches over others, or speed up the process of updating devices by pushing out patches individually instead of in one large package.
Google too may provide manufacturers with patches faster. This becomes evident when you look at the different release dates for the September patches. The first set was released on September 1, the last on September 6.
Still, with all that said, it is still up to the manufacturer of the device to push out security patches in a reasonable time frame after they become available (that is 30 days before release).
Closing Words
While I really like my Xiaomi Mi4c phone, I won't purchase another device from the company because of the slow release of security patches and updates to newer Android versions.
The device is still stuck on Android 5.x (which it shipped with), while it is capable of running Android 7.x.
Unless manufacturers change their stance on providing updates for their devices, compartmentalizing security patches won't probably have a noticeable effect on the state of Android security.
Now You: What's the patch level of your Android device?
What interests me in all of this, is that you people seem completely unaware that Google works with corrupt so-called “national security agencies” like the CIA, Mossad, and MI6 to keep tabs on your whereabouts AND sharing ANY information they can glean from your phone about you. I wouldn’t trust Google or any other entity with my info so freely and I wouldn’t put it past them to assist these corrupt agencies to ILLEGALLY or otherwise step all over your right to PRIVACY. In other words, these so-called “security updates” may in fact be “updating ” your security by actually making it EASIER for your privacy to be breached by these corrupt agencies. Am I the only one concerned about the legitimacy of Google?
Don’t buy any Motorola phones. The company refuses to release monthly security updates. My own phone is still stuck on 1 January 2016.
Arstechnica has an article on the subject: http://arstechnica.co.uk/gadgets/2016/07/motorola-moto-g-z-monthly-updates/
Motorola was acquired from Google – who were only interested in their patents – by Lenovo so it’s not as if they’re running out of cash.
I am from Croatia. I would like to buy a Nexus phone. Where to buy it and get a waranty.
Nexus phones won’t become available in Croatia until Google open a Play Store there I’m afraid.
You might be able to buy one online from another country, but the warranty will only be valid in that country, not in Croatia.
“While I really like my Xiaomi Mi4c phone, I won’t purchase another device from the company because of the slow release of security patches and updates to newer Android versions.”
___________________
You are being overly dramatic with this.
There isn’t a Android OEM on the planet which is even close to Xiaomi in regards to OS Update cycle. NONE.
They are supporting their budget devices from 3 years back and high-end devices from 4 years back, with Software base parity compared to devices launched weeks/months ago.
NOT A SINGLE OEM does this.
As for Sept updates, they have already been outed for many Xiaomi devices, it just so happens that sometimes this update cycle for Xiaomi is staggered across devices.
In fact many times Xiaomi’s security release cycle is faster than even Nexus devices which is insane.
https://www.reddit.com/r/Android/comments/4yj5bh/latest_miui_update_adds_september_security_patch/
If someone treats Security Updates as a non-negotiable pre-requite and deal breaker in buying a phone, there is only 1 option for these people, get a Nexus, Period.
Otherwise to treat other OEM’s into a flawed ranking is being disingenuous because Xiaomi is one company which actually does this the best. Moto in fact has given up all together on this. Samsung doesn’t update their 4 year old devices. Same with Sony, HTC and LG.
Moto G 3d gen. (2015) Android 6.0.1 patched March 1. I bought this thing because it was advertised everywhere that it will get the latest Android updates blaaaa blaaaa..sure it did get Marshmallow eventually, faster than most I think, but it seems it just gets the OS and then they leave it at that. Oh and updating from 5 to 6 wiped my contacts from my SIM card so I had nothing left, that was a nice bonus..plus the 6 update totally screwed up my SD card storage, can’t access anything on the card via phoneattachedtopcwithcable, the phones internal file manager sees all files fine.. So yeah updating is JOLLY GOOD FUN TOO ! Hopefully things change when N comes along, but I have my doubts. Time to look for a new clean updated Android for me then..BLEHHH..
A “new, updated” android phone will make you jump through hoops just the same.
I believe it is time to take a firm stance on boycott towards manufacturers who lock their phone or even organize the slightest obstacle to free bootloaders, rooting or stock android support.
As it always was, the way to go is free software, which android is. If and when it is not anymore, then some free alternative will have to take its place.
In the meantime, if a device offers less than transparent android support, i.e if its manufacturer blocks drivers or specs release, making custom ROM’s difficult, that should be enough reason to look somewhere else.
This certainly will be my first criteria from now on when buying a phone. I will walk away from every manufacturer that shows the slightest reluctance at advertising full phone specs, allowing free software support. Just like I started boycotting Sony after the rootkit affair, I will start boycotting every company that keeps on pushing towards closed source and proprietary: this is the next big threat to our society.
@ archie ……. U can give Sailfish OS smartphones a try. Not sure whether the OS gets regular security updates. Sailfish OS can use Android apps.
This is not new, in about you find ‘Security or ‘Patch’ level since 1 year – started with MM. It’s also in CM 13. The thing is that this is useless since you can’t click on it to get additional infos or a normal user can’t ensure he uses latest versions since you need to do manually research then, which makes it pointless.
Custom Roms are okay as long you choose one which regularly gets updates like CM or any other ROM which are not dropped after 4 months. The important chain is also not the ROM here, more the user and his interests to keep it updated or not.
You can’t force users to update and this is (imho) more dangerous. Imho the ISP should offer a feature to ensure you device gets checked for updates, so that you also get an sms or notification about this. This maybe would help against a lot of malware (of course again the user must agree and install this update).
I will never buy an Android. device Google and your partners rarely update your appliances leaving no bug fixes and several security vulnerabilities.
I gave it some more thoughts, thanks to this blog post; that was useful :)
I decided that the only way to keep on with android is to break ties with the manufacturer. We definitely need to be free of their abuse.
That basically means picking a phone that can easily be rooted and that is supported by a major custom ROM.
I have been avoiding rooting since the galaxy SII. It was too much of a hassle and brought more trouble that anything. Plus Samsung is working very hard to make the process painful and dangerous.
Other brands might be better but they’re all more or less guilty of the same.
In my case, the MOTO G (XT1039) will soon be rooted with a custom bootloader and the stock ROM replaced with Cyanogen. I expect nightly editions to incorporate decently recent patches.
I’d rather fight with unstable nightly versions and have a backup dumbphone than put up any longer with that smartphone nonsense.
Custom roms are definitely one option to stay up to date. Most manufacturers are slow when it come to shipping updates, or don’t ship those updates at all.
One reason for doing so, probably, is that they don’t earn that much money from maintaining old products. Still, they seem to overlook that some users won’t be burned twice by the same manufacturer.
You’re right, there was a paradigm shift : up to a recent point, people felt like there was a contract to keep a product up and running after purchase, this for the expected life expectancy.
Not anymore it seems: critical software updates now belong in the category of unjustified expenses.
It has been a few years, since I started to put up with being burned. By Microsoft, Samsung, Google, Intel, Sony, the phone company or the politician next door or in the capital. obviously, the list has no end.
That means I decided to sleep on it, not that it passed unnoticed. At one point I will be done sleeping and start doing something about it, even at the cost of some pain or discomfort. I suspect many think alike, who are neither extremist or young idealists.
When this category starts to take matters into their own hands, android patches will be the last of the PTB problems…
An overwhelming majority of Android devices in the world are vulnerable to numerous security and privacy exploits… and there are still no patches available to customers to fix those vulnerabilities.
The funny thing is, patches are available to patch those security issues, but manufacturers are slow to integrate them, if at all.
Patch levels does not indicate that a manufacturer has included all the latest patches as shown in the documentation provided by Google. I believe manufacturers can put in whatever “patch date” they like and not implement any/all of the patches according to the patch dates details set by Google. The worse culprit is Xiaomi themselves right here:
http://en.miui.com/thread-346357-1-1.html
Patching is the weak link with Android – or more correctly the devices manufacturer. I recently changed my 4 year old budget Sony Xperia and was ready to move away from Android altogether. I was able to get a Moto4G though for €169 on Amazon . At the moment it is on the May 16 patch – I’ll see how it goes and that will decide me on Android.
When I bought my MOTO G LTE (late 2014), Motorola was a Google company, which was supposed to help with patches.
Now, 2 years later, this perfectly good phone is stuck with Lollipop. April patch.
The recent announcements of several critical security flaws in android, all versions, leaves me 100% positive that I have a 100% unsecured phone, not to be trusted with anything personal. Which is impossible, the phone being a … phone.
I just don’t see a way out. And I’m not in the business of purchasing a new phone twice a year.
It’s looking like Nexus phones are the way to go for security and updates. Nexus always come first with OTA updates from what I’ve seen. It’d be nice to see which of the OEM’s are better than others in this area though.
“While I really like my Xiaomi Mi4c phone, I won’t purchase another device from the company because of the slow release”
this is universal IMHO, unless you go the Nexus route, Anybody care to name an OEM who issues patches, updates in a timely manner.
Not being overly paranoid, ( I use gmail after all ) the prompt updating of software would not determine which pocket mate I carry
>>>>>>>this is universal IMHO, unless you go the Nexus route, Anybody care to name an OEM who issues patches, updates in a timely manner.
Not being overly paranoid, ( I use gmail after all ) the prompt updating of software would not determine which pocket mate I carry
>>>>>>>
I used to think this way. But bigdata and Palladium happened. There is no paranoia here.
We can’t seem to avoid being networked with straight links to our identity, which makes flawless security mandatory.
Saying unpatched android is not 100% secure, is just as correct as saying windows 95 is not.
My plans for the next future seem to be to link my android phone to a shell gmail account and stop using gmail altogether.
LG V20 has been released today. This is the best phone of the world. LG is the ONLY ONE manufacturer who still make fagships with removable battery. Moreover, LG phones have the best camera. I’m glad that V20 has removable back cover instead of the unibody design of G5. This means that 3rd party battery manufacturers can make bigger, higher capacity extended batteries for LG V20.
I hope those crap “seamless updates” (Windows 10 like feature) in Android 7 can be disabled or the customized Android systems that different manufacturers create for their phones (like Samsung, LG) will not have those “seamless updates” at all.
My patch level is “1 June 2016” on my P8. What’s worse, it was stuck in 5.xx until it was finally updated to 6.0 two weeks ago.
I’m using Nexus 5x but I haven’t got the new OS yet.. This is my first Nexus phone, is it normal?
You can enroll in the beta program and get Android 7 and all new patches the moment they are out.
https://www.google.com/android/beta
My brother’s Nexus 5x is also still waiting for Android 7.
On my Mi4i, I have August patch. I have been rather pleased with Mi to provide updates once in a couple months or so because I didn’t see other entry-mid range phones getting quicker updates. Some even get only 1-3 updates during the life time.
“While I really like my Xiaomi Mi4c phone, I won’t purchase another device from the company because of the slow release of security patches and updates to newer Android versions.”
My thoughts exactly regarding my ASUS Zenphone2 (128GB), which is still on Android 5.0 and just got the August patches a few days ago.
“While I really like my Xiaomi Mi4c phone, I won’t purchase another device from the company because of the slow release of security patches and updates to newer Android versions.”
———–
That’s why my last two phones have been Nexus. Security is too important to choose otherwise.
I’m waiting for the next two “Google” devices which should be out soon. Lets see what they bring to the table. I have to do a bit of research on other manufacturers and custom Roms to see which company is equally fast and reliable, if any.
you can flash custom ROM, moreover when you have official release of CM13 available for it
Xiaomi Mi4c
https://www.cmxlog.com/13/cancro/
I would not buy Nexus phone as don’t need latest & greatest spyware…and cheaply built phone (which nexus always is) with on screen buttons
prefer clean Android on drugs, loose of any manufacturer hooks (including those from google) and left of any ‘calling home’ gotchas from the hand of CyanogenMod… updated Marshmallow in their hands is better that Nougat any day (privacy guard, themes, heavy optimization, gazillion fixes and many nice options etc.)
just get yourself OnePlus 3 and don’t believe what Samsung kids say as they are paid to storm internet forums – amazing device and CM also officially available so you don’t need to run their cheap Chinese crap OS
I’d also be very interested in hearing about how quick each manufacturer is with security and OS releases on Android. In a month or two, I’ll be likely switching to Android (from WP) and having timely updates (security and OS) is a big factor to me as well.
Let us know your results