41 Comments
Yofa - Wednesday, August 5, 2015 - link
nexus 9?
trekinator - Wednesday, August 5, 2015 - link
It is listed in the source article, so I think it will be getting the same treatment.
Brandon Chester - Wednesday, August 5, 2015 - link
Yes, sorry for omitting that.
danbob999 - Wednesday, August 5, 2015 - link
Another advantage of having a Nexus.
Phones need security updates just like PCs.
Daniel Egger - Wednesday, August 5, 2015 - link
Sorry Google, but far too little *AND* too late. What is needed here is a new requirement that all vendors who want to use the Android moniker and/or the Play Store are required to submit to the same update policy. Anything else is just ridiculous and simply not acceptable.
trparky - Wednesday, August 5, 2015 - link
Yes, very much so.
It should be simple... Want to build an Android-powered device? Want to include Google Services on your device? You must provide security updates for a period of no less than 4 years! If a device can't handle the latest version of Android, security patches MUST be patched into older versions to maintain security of those older devices.
We live in a world in which the barbarians are at the gates. Mobile device security must be taken just as seriously as we do on our PCs. These devices are not just phones, they are computers in every way; the only difference is that one is sitting on a desk and the other is being held in a hand. Just like Microsoft pushed security updates on a monthly schedule, so should the Android OEMs be forced to as well. To not be pushing out updates is playing with the security of people's personal data, and that's scary.
reuthermonkey1 - Wednesday, August 5, 2015 - link
Or, you know, only purchase devices from vendors that enact such policies...
Cogman - Wednesday, August 5, 2015 - link
Not strong enough. The problem isn't just with the vendors but the carriers as well. I have a Galaxy S4 on T-Mobile and I'm still waiting for the Lollipop update which came out and was released by Samsung nearly a year ago. T-Mobile, get your act together. That is the last time I buy any sort of phone from them (and I'm seriously considering ditching them. This is a horrible way to treat your customers).
WorldWithoutMadness - Wednesday, August 5, 2015 - link
Nothing new with Samsung's treatment. I was a Galaxy S user and they ditched the support to ICS saying the hardware is obsolete but guess what, CyanogenMod can release it.
I won't give money to Samsung mobile anymore, anything with Google UI (AOSP) is the best for me.
Gigaplex - Thursday, August 6, 2015 - link
At least you got KitKat. My carrier held my S4 back to Jellybean until I eventually flashed an unbranded ROM.
jakeuten - Monday, August 10, 2015 - link
jellybean? jeez even my S III made it to KitKat on AT&T.
edzieba - Thursday, August 6, 2015 - link
The solution there is DO NOT PURCHASE PHONES FROM CARRIERS. Carriers rebranding manufacturers' phones as their own is almost unique to the US market. Buy the phone and contract separately and you avoid whole swathes of issues with lock-in and updates.
Impulses - Thursday, August 6, 2015 - link
Yeah, the whole market including consumers shares a wealth of the blame... OEM, carriers, and the consumers that empower them got us to where we are.
At least pricing structure has made it so you don't really need to subsidize a phone to save some money anymore tho, so not buying from a carrier is now not only viable but mildly advantageous in the US at last.
Moto had a good track record for a while but then slowed their roll, I'd be curious to see who's doing best with updates now. I'm sure some of the Android sites cover this but is anyone keeping a solid scoreboard that tallies update progress/timelines across the board?
For me personally, I'd still rather have a Nexus, screw waiting six months for new features. :p
BabelHuber - Thursday, August 6, 2015 - link
First of all, you can head to sammobile.com and install the latest updates manually with Odin. This should even work for phones with a locked bootloader.
If you have an unlocked bootloader, you can use CM, where you get daily updates, or some other ROM.
I can recommend this AOSP-ROM - your good old S4 will look like a brand-new phone: http://forum.xda-developers.com/galaxy-s4/i9505-or...
I never go back to this Touchwiz-crap, Samsung builds good phones, but I don't like their software at all.
trparky - Thursday, August 6, 2015 - link
Not always true. For instance, the ODIN flash files for many of AT&T's versions don't get published.
FYoung - Saturday, August 8, 2015 - link
I think that a more effective method would be for the Play Store to report to users whenever the Android version they have is insecure. If a security fix is available, Play Store should offer to apply the latest fix (with a warning that some of the device's functionality may be disabled (e.g. the custom camera software)).
Rocket321 - Wednesday, August 5, 2015 - link
Consumers should express the same thing with their spending - only Nexus and Samsung would be viable Android purchases (unless/until other OEMs sign on to this cadence of support). I include Samsung because they have made a press release today promising the same monthly patches.
blakflag - Wednesday, August 5, 2015 - link
In an ideal world the consumer would indeed vote with their wallet. But in practice there's too little information. And even technically proficient people too often place faith in supposedly premier hardware vendors to support their products' security properly. I think until all the big players get on board with timely (within days) OS updates for security flaws, consumers will have to force their hand with class-action lawsuits whenever provable damage is done because of lack of vendor security updates.
And hopefully these douchebag marketers who insist on polluting Android with their "value add" will be forced to do so in a way that is at least slipstreamable in an automated way from Google's updates (to prevent vendor lag in rollout of patches)
steven75 - Thursday, August 6, 2015 - link
Samsung's press release is all talk until the carriers actually allow it. Samsung doesn't have the power in that relationship.
Both Google and Samsung's PR announcements don't mean a hill of beans to the actual problem with the Android ecosystem (at least in the US). So what if 0.5% of Android devices can get monthly updates? What about the other 99.5%?
Impulses - Friday, August 7, 2015 - link
Samsung probably accounts for like 50% of Android devices... And they do have a decent amount of leverage on carriers, they've been building that up year after year and are possibly not getting much credit for it. It was Samsung that initially bucked the trend of custom carrier models as they pushed the Galaxy brand year after year, for self serving reasons of course but still...
jeffkibuule - Wednesday, August 5, 2015 - link
Let's be honest, if you care about security to that level, then Android can never be the OS for you, because there are too many players at the table which have to give the OK before a software update actually hits a device that it's impossible. Google, phone OEM, and wireless carrier all have to say yes in a timely fashion. Both Apple and Microsoft say "Good luck!"
Daniel Egger - Wednesday, August 5, 2015 - link
> Let's be honest, if you care about security to that level, then Android can never be the OS for you, because there are too many players at the table which have to give the OK before a software update actually hits a device that it's impossible. Google, phone OEM, and wireless carrier all have to say yes in a timely fashion.
Nonsense, Google does have very little to nothing to say and the wireless carrier even less: order a noname phone from China, put your SIM card in and you're good to go; your carrier could not care less that you do and whenever the friendly Chinaman is going to provide updated software.
> Both Apple and Microsoft say "Good luck!"
I've no idea what that means.
watzupken - Wednesday, August 5, 2015 - link
I strongly agree. Considering that they enforced that manufacturers using Android OS need to have the suite of Google apps, I think they need to enforce mandatory security updates. It is after all their OS.
grooves21 - Wednesday, August 5, 2015 - link
The only way to ensure that happens is to not buy devices from a manufacturer until they make the same commitment. Based on recent practices, I'm guessing Motorola will jump on this boat, which is why it's either gonna be the next Nexus phone or the Moto X for my next device. Samsung, LG, et al can go kiss my A.
twizzlebizzle22 - Wednesday, August 5, 2015 - link
"three years or eighteen months after the device is discontinued on Google Play depending on which is longer."
This is big news especially now we seem to have plateaued when it comes to device performance. Any flagship phone in the last 2-3 years is still an extremely viable device for day to day use. No way could my HTC One X or LG Optimus hold up after 2 years. Slow as a dog.
FYoung - Saturday, August 8, 2015 - link
Article: "...security updates will continue for three years or eighteen months after the device is discontinued on Google Play..."
It should be three years after the device stops being sold; eighteen months is not enough. If the device is too slow for that, it is too slow to be sold as a new phone.
Buyers would legitimately feel betrayed if they bought a device with a built-in security defect that the maker refuses to fix after 18 months given that the fix would cost only a tiny fraction of the cost of the device, and no one else is able to fix it.
lilmoe - Wednesday, August 5, 2015 - link
"Commits"
Anyone getting the irony here?
Impulses - Thursday, August 6, 2015 - link
On a nightly basis.
dragonsqrrl - Wednesday, August 5, 2015 - link
NOICE.
I'm hopeful that the 2015 Nexus 5 will be my next phone, if the rumored specs for the device are accurate. 5.2" 1080p display with a very thin bezel + front facing stereo speakers and ~3200 mAh battery (Hey Motorola, can you say Google gets it?). The SOC still seems to be a bit in the air (Snapdragon 620 or 808?) Google could have a real winner on their hands again.
Impulses - Thursday, August 6, 2015 - link
You had me at 5.2" with 3200mAh... They'd have to screw up the rest of the phone pretty badly or price it way too absurdly for me not to be on board with a small (relatively) Nexus model that finally gets great battery life (N5 wasn't terrible mind you, larger flagships with larger batteries just lapped it over the last two years and even within the release year in the form of the G2).
Impulses - Thursday, August 6, 2015 - link
I do wonder if they'll try to sell it thru carriers a la N6 tho, personally I wouldn't mind since I'm still on a plan where I can renew contract for a subsidy... I know I know, but the way my student discount is applied makes this plan more appealing than anything more recent and off contract (never mind the contract expired over a year ago while I rocked a N5 bought on Play)
pika2000 - Wednesday, August 5, 2015 - link
If you have a Nexus or Android One devices, great, but guess what, they are only available officially in select countries. And guess what, majority of Android users do NOT have those phones. And don't start making a high-nosed comment on how people should have thought better. The point of Android is variety, choice, access, and affordability level. Look at the most popular manufacturer, Xiaomi, where it is still selling phones with KitKat. That's reality. The Stagefright vulnerability should be a wake up call.
I am an Android user, and I actually now have to think hard and save money to get an iPhone instead. OS updates for features is one thing, but security issues are critical, and I don't see OEMs and/or carriers will have any incentives to push updates diligently, unless Google changed the whole Android OS concept, or the OEMs/carriers be made liable by laws for any issues that users have due to the unpatched phones.
LordConrad - Wednesday, August 5, 2015 - link
After experiencing the open and easily customizable Android, you're really going to hate your iPhone.
trparky - Wednesday, August 5, 2015 - link
I had an Android for years and I now have an iPhone 6 Plus. It's just as good, if not better, than any Android device. The software performs better, smoother, and with far fewer glitches. Apps also seem to be far more polished than their Android cousins.
Sure, I can't customize things on my iPhone but I couldn't do that on my Android phones either. No root, couldn't get root, and on top of that, a locked bootloader. So where's that customization now?
I have had my iPhone for six months now and sure, there are some little things that nag me sometimes but Android had far more issues than my iPhone has. Everything just works on my iPhone, I can't say that much about the Android devices I used.
Alexey291 - Thursday, August 6, 2015 - link
No offence but you don't need root for the majority of the customization that most people use.
Things like custom launchers, icons, fonts, browsers and hell even icon positions... None of that needs root.
Root will give you more options and of course custom roms, but if you wanted easy root then you should possibly have done some minimal research (googled for 5 minutes).
That said, I understand why people end up moving to idevices. It takes away the requirement to google for five minutes innit?
ET - Thursday, August 6, 2015 - link
Moving to iDevices also provides much more of an assurance that apps you want will run. For example gaming on Android is a bit of hell, apps not available for many devices, or crashing, etc. iOS devices provide more stability. For many people saving hassle is a lot more valuable than having more customisation options.
steven75 - Thursday, August 6, 2015 - link
Custom launchers, icons, fonts, and icon positions and things that statistically speaking, no one cares about, are TOTALLY a valid reason to give up the security of your most personal device!
Impulses - Friday, August 7, 2015 - link
So you're saying iOS is more secure and/or gets security patches more often?
Exodite - Thursday, August 6, 2015 - link
I'd prefer to see a situation where security updates aren't tied to OS updates.
This gets partially there, allowing security issues to get addressed without being bundled into the next release, but I still imagine we're going to get shorted on security fixes unless you apply all the OS updates first.
I'm just not as keen on updating my OS as others are, or indeed as I was in the past myself. Largely because Google seems to be hell-bent on destroying everything good about Android as of late but overall I don't think you should be forced to change your experience just to fix security issues.
Doh! - Friday, August 7, 2015 - link
Security updates are no different than OS updates. For this particular update, it's just a bump-up from an earlier release to r9 (5.1.1_r9). It's still Lollipop and your Android experience won't change a bit. You won't notice any changes in appearance or functionality.
edzieba - Thursday, August 6, 2015 - link
Hopefully these updates will be released as flashable images as well as OTA updates. OTAs leave anyone with root access SOL.