Google’s April Security Bulletin for Android is officially live, detailing some of the vulnerability and bug fixes that should be rolling out to users pending finalization and release by OEMs and carriers. As has been the trend over the past several of these updates, the fixes required in the initial security patch appear to be diminished from the early days of the platform. But the same doesn’t hold true for the second monthly patch, aimed more directly at component manufacturers.
For the April 1, 2019 patch level, there are only a total of three fixes in terms of framework and media framework for Android. Those aren’t necessarily “low” on the severity front, with two fixes in the latter category rated at “critical” and applying to every version of Android from 7.0 Nougat through Android 9 Pie. Both of those are listed as being problems potentially allowing for remote code execution too and Google notes they're the worst bug found this time around.
The sole framework vulnerability only needs to patch up Android 8 Oreo and is a high-risk elevation of privileges issue.
At the system level, in the first of the month’s patches, each is rated at a high level of risk and five of the eight patches will apply to versions Android 7.0 Nougat through Android 9 Pie. Three more of those fixes apply only to Android 9 Pie. In terms of categorization, those vulnerabilities are nearly a dead even split -- potentially tying into either an illicit elevation of privileges or information disclosure.
Component OEMs didn't do so well, it seems
While there are only a total of eleven patches in the first of the monthly patches from Google, the second run of patches -- April 5, 2019 -- isn't quite on the same level. These are patches more directly linked to components within a handset such as the underlying software tied to Qualcomm's radios or processors.
In fact, Qualcomm is bearing the brunt of this update with no fewer than 74 fixes being applied across its components. Each of those is rated at a high severity of risk or worse and the majority are found in the company's closed-source components. Of the 44 found on that side of things, six are rated at a critical level.
For Qualcomm components that aren't closed source, all but one of the remaining 30 vulnerabilities has an impact on WLAN components. Just one of those is critical while the only fix left applies to a Qualcomm kernel and is rated at high severity.
The worst vulnerability spotted at the system level for Android and fixed in the second patch each version of Android since Android 7.o Nougat and summarily allowed code to be executed remotely within the context of privileged processes. One high-level vulnerability associated with information disclosure is included for those versions too. The two remaining bugs are related to issues within the context of an elevation of privileges. One applies to Android 8.1 Oreo and Android 9 Pie while the other also applies to Android 8.0 Oreo.
Getting better but still not perfect
Despite that there appear to be a wealth of Qualcomm fixes included in this month's security patches, the security of Android smartphones seems to have been steadily improving over the past several updates. Not only is security itself getting better, as is to be expected from the patches. Most OEMs are additionally getting better about rolling out the updates.
That's arguably thanks to changes in the search giant's policies regarding the use of its mobile OS reported near the end of last year. Although that could always stand to be improved more, the area that seems to need the most attention now may not even be from OEMs but from component makers.