
Why monthly security updates won't make your phone any safer

In the wake of the Stagefright bug, a number of major manufacturers, including Samsung, LG and Google itself, have now promised monthly security updates. We expect the likes of HTC, Sony and Motorola to follow suit soon. But while this is definitely a step in the right direction, it actually isn't going to change things that much.

Think about it: of course OEMs promising to issue monthly security patches sounds good. Concerned customers know that every month they'll be getting the latest fixes for the most troubling security vulnerabilities in Android. But wasn't that pretty much always the case?

Samsung's keyboard hack was addressed very quickly because it was a serious problem. / © ANDROIDPIT

Remember the Samsung keyboard hack a few months ago? Samsung got on top of that very quickly because it was a very serious problem (admittedly, Samsung has been working on this new monthly strategy for around six months). Likewise, LG's recent security scare only took a matter of days to get patched. By the time the media picked up on it, the patch was already in place.

The same is true of most major security scares on Android: when it's a big enough issue, Google, manufacturers and carriers all get the job done pretty quick. Promising to release a security patch every month just sounds nice. Not to mention most patches will be issued for recent flagships, not the older mid-range phones that pretty much everyone has.

For all the occasional big scares, there's plenty of minor ones as well. / © ANDROIDPIT

That leaves us with minor vulnerabilities. Technically speaking, this is where the benefit lies, because those smaller patches will now come within no more than a month, rather than the couple of months they might have taken before. But issuing monthly updates doesn't mean that all bugs from that month will be addressed and, again, the people benefiting most from these monthly patches will be those on newer versions of Android.

If one big scare and five minor ones are raised in a month, they will be dealt with in order of severity, exactly as they are now. There's also no guaranteeing that a bug can even be dealt with in less than a month. On the other hand, if no security issues arise in a given month, are OEMs going to issue empty updates for no reason? What would the consumer response be if a monthly update was skipped?

Not using lock screen security probably poses more of a risk than Android vulnerabilities. / © ANDROIDPIT

Keep in mind too that these bugs often exist for months before any researchers even uncover them, so speeding up the patch process by a month won't make a huge difference in the vulnerabilities' lifespan. Take the LG scare recently: the researchers who uncovered it claimed it was actually discovered last year, but as soon as LG knew about it, the problem was solved. The issue wasn't in the response time, but in the reporting mechanism.

So while this new focus on decreasing the security response time on Android is admirable, there is still a long way to go before Android is as secure as it should be. While we applaud the OEMs and carriers working together with Google on this, we also hope more effort starts being made to proactively seek out bugs rather than simply responding when an external researcher happens to pick up on an exploit.

We think the good guys need to spend more time proactively looking for problems. / © ANDROIDPIT

To see if your device is vulnerable to Stagefright, you can download the Stagefright Detector app from the security researchers that uncovered it. Unfortunately, the only fix if you are at risk is to wait for the update from your manufacturer, just as you always have. Now we just need manufacturers to speed up the way they deal with problematic Android updates.

How concerned are you by Android security? What do you think manufacturers' response should be?


  • For all of us, monthly security patches are a very good idea and we are thankful for it to Google

  • Updating flagships only... That's convenient.

  • This is a good idea to get us a monthly security update.

  • I know that Android is very vulnerable; I have the AMC antivirus program, but I know that no one is 100% sure. Thanks to Google for sending monthly security updates and caring about the security of its phone users.

  • I didn't update my S4 yet, and not any chance..

    • You should update when the security patches come through, I just think making a big song and dance out of putting them out monthly misses the point. Google and OEMs should be looking for these things all the time, not just responding quickly when something bad happens. It's definitely a step in the right direction, but it feels more like a marketing stunt to me.
