2015 was an interesting year for a number of reasons, but one of the more memorable is because the Stagefright critical vulnerability was revealed. The awkwardly named Stagefright system refers to a part of Android designed to handle multimedia content, typically sent to the device via a MMS or as website media content. Stagefright has been included in Android since the days of 2.2 FroYo and this particular vulnerability could potentially allow a hacker to quickly and silently gain deep access to a device – including the ability to root the handset, install third party applications and ultimately gain access to secure areas. The Stagefright vulnerability was discovered around a year ago and given how successful Android has been across the world, this meant that potentially up to a billion devices could be compromised through this security weakness. Google were quickly notified and given a number of weeks to resolve the security vulerability before the discoverer would make the vulnerability public. Last summer, we saw a spate of device security updates being released by manufacturers and carriers designed to patch the weakness – but only for newer smartphone models. Customers with older, unsupported devices have not received security updates and this is a situation that is unlikely to ever be fully resolved, although carriers have put into place various technologies designed to capture malicious incoming MMS attachments.
One of the changes that Google implemented around and about the same time as the Stagefright vulnerability is to introduce regular, monthly software patch releases for supported versions of Android. These security patches are made available to all manufacturers, who are encouraged to apply them to their devices as quickly as possible. Supported Nexus customers are already receiving these security updates and a few manufacturers have agreed to release these patches, such as BlackBerry, LG and Samsung. Unfortunately, the Android update process is convuluted and involves many stages of the code being tested and appraised – where there is a carrier involved, this lengthens the testing process, but we have seen considerable improvement in this respect. This week, AT&T have released the April security patch for the carrier-branded versions of the Samsung Galaxy S7 and Galaxy S7 edge devices. The update weighs in at 173 MB in size and includes the latest security fixes from Google plus some touchscreen and stability fixes, which Samsung have pushed out to the S7 family.
It's encouraging to see the carriers pushing through security patches: customers have had to wait a little longer than other customers using Nexus devices, but the fixes are at least being received. Devices should automatically receive the update, but if you are using the S7 or S7 edge on the AT&T network and have not yet received the update, you can prompt the device by visiting the Settings, About Device, Download Updates menu option instead.