Report: Android OEMs Still Lag Behind On Security Updates


It’s no secret that Android suffers from fragmentation problems, which lead to inconsistent update schedules across the board, but a new report from SecurityLab shows that the issue may be worse than most would think. In fact, Android ranks dead last in terms of expected security updates in the company’s February 2018 updated Smartphone Security Update Availability Report. That’s compared to iOS, Windows, and even PrivatOS – which technically was only used as an operating system between June 2014 and June 2016. Interestingly enough, the report found that Google doesn’t even rank at the top of Android device providers despite effectively owning Android. Several factors are considered to reach that conclusion, ranging from the length of time an OEM’s device can expect to continue seeing security updates to how long it takes for those to be pushed out. The analysts even considered whether or not an OEM remains dependent on a mobile service provider to push the update.

As mentioned already, not all Android manufacturers fail completely when it comes to providing meaningful and regular security updates to their users. In fact, two OEMs stand clearly apart from the rest, even though they still fall well short of devices running different mobile operating systems. At the top of that list, with the best support, is Essential. That shouldn’t be too surprising since the company basically only has one device to support so far. However, it may be a bit strange for the company to top the list since its PH-1 has been plagued with negativity since launch. In any case, the company typically only takes days to get its software updates going after a new version of security patches is announced and it only takes a single day to push the update worldwide. Meanwhile, updates are expected to run for a full three years and the frequency of those across all devices is expected to remain high. However, Essential also depends on mobile carriers to update the handsets on their plans – which adds months to the time delays. Google follows with an exact duplicate of those figures and the distinction that its own updates can take up to two weeks to roll out globally.

The rest of the top Android OEMs actually fare much worse, according to SecurityLab. BlackBerry, FairPhone, HMD’s Nokia, and OnePlus rise above others in various ways but are hardly worthy of praise. Each takes weeks to push out updates to the first handset and months for all supported devices – with the notable exception of OnePlus, which takes months on both fronts. FairPhone and OnePlus stand out as not relying on carriers for updates, but only FairPhone can claim it gets its updates out globally in around a day. OnePlus can take full quarters. BlackBerry takes weeks to roll out updates to all supported devices and to push those worldwide but also depends on carriers for some of those – adding months to the process. Nokia owners are met with a similar time frame that’s made worse by the fact that it can take months for all supported devices to be updated from the first implementation of a security update. Sony, Samsung, LG, Huawei, Asus, and Lenovo-owned Motorola also push updates to the first supported handset at around the same time frame after an update to security is announced by Google. Huawei-owned Honor, HTC, and both of TINNO’s handset companies – Blu and Wiko – take months to begin that process.


That, however, isn’t even the worst of it. While BlackBerry, Nokia, and Sony are expected to offer a “Medium/High” probability of updates to most devices over an expected 2 years, every other manufacturer all but fails in those categories – going as low as 1 year of expected updates. Aside from those companies, Essential, or Google, the leading Android OEMs take months to push updates after they are announced and entire quarters to roll out updates globally. That’s almost certainly down to an over-reliance on service providers to deliver updates, which is a completely separate problem in the Android update process in and of itself. The issue is made all the more potent by the fact that, as mentioned above, a relatively unknown, defunct OS that only operated on a single manufacturer’s devices – PrivatOS on Silent Circle devices – utterly destroys Android OEMs across the board. Despite taking weeks or months to roll out an update, Silent Circle devices receive updates globally within a day, and all devices are supported for updates for 3 years with no carrier intervention.

On the other hand, Microsoft’s Nokia devices and Apple’s iOS devices receive support for security that is comparatively spectacular. Although it may not be surprising since iOS is confined to a single set of walled-garden devices, Apple’s handsets top the list for security updates. The devices, with the exception of the iPhone 5C, are all supported over a 5-year update window from launch. Updates roll out within days on a global scale with no dependence on mobile service providers. Windows matches the update performance of iOS but falls below in a couple of key areas. Namely, Windows devices only see updates for four years, and that number is up from three years in 2016. That’s ironic, considering that Windows OS mobile devices are all but dead in the world as compared to Android devices and even iOS lags well behind in terms of market share.

Bearing all of that in mind, Google obviously needs to do something to pick up its game and it has finally started to work on that. Whether or not its efforts generate a positive change remains to be seen. It would arguably be unreasonable to expect the company behind an open-source operating system to suddenly seize the reins and enforce update policies. Instead, the company has started with an Oreo inclusion formally known as Project Treble. The program is effectively built around an internal OS framework meant to make it easier to update apps over a longer period of time and more quickly. Moreover, implementing the framework is effectively a way for OEMs to commit themselves to those updates. Obviously, that won’t solve the other problems associated with Android updates but it is a start. Unfortunately, not every OEM is keen to join in on the program for one reason or another and some of the biggest Android handset-makers are among those, including Samsung and OnePlus. So, for the time being, it appears as though Android users are simply going to have to put up with not always having the most up-to-date security.