2015 has been an interesting year when it comes to mobile security and Android vulnerabilities. Earlier in the year, the Stagefright vulnerability unsettled the industry. The vulnerability lies deep in the Android operating system and allowed a malicious application to silently take control of a particular device through an infected MMS payload. Following the Stagefright vulnerability, Google announced a decision to release monthly security updates to the Android code, which would be pushed out to the Nexus devices. It would be up to individual manufacturers to update their own builds, which may of course need to be checked over by the carriers. Since then, both LG and Samsung have announced plans to release updates on a monthly basis too, whereas other companies – chiefly HTC – have explained that they believe it “unrealistic” to push updates to devices on a monthly basis. HTC’s worry here is that carriers will bog down the process and cause significant delays. This concern appears perfectly legitimate given how long some carriers have taken to approve software updates in the past.
Samsung has started a Security Blog detailing the monthly security software updates for a number of its devices, which include the Samsung Galaxy S family (the S5, S6, S6+, S6 Edge and S6 Edge+), the Galaxy Note 4, Note Edge and Note 5, and the Samsung Galaxy Tab S and Tab S2. The blog website is very simple at the moment, containing very little beyond text information, but it still provides some details as to the various security patches and fixes being applied. There are fourteen issues addressed in the latest patch, which includes those detailed by Google as well as a number of Samsung’s own code fixes. The details include fixes for the information screen theft attack on the Galaxy S5, an SBeam fix that prevents hackers from stealing image information, a fix for a flaw in the Dalvik VM code that could allow a hacker to copy a log file, plus a fix for the Stagefright issue. However, Samsung is keeping quiet about the other fixes for the time being. Given that the bugs it does describe are showing as publicly known, it is entirely possible that the remaining fixes address security issues that are not yet in the public domain.
The blog also notes that Samsung is hoping to expand the devices and regions covered by the monthly security update, although there is no indication as to which devices or regions of the world are likely to be covered. Nevertheless, it’s a useful start in the process of keeping our devices up to date and secured from malicious attackers. We will let you know if we see Samsung expanding device support or the regions covered.