In the wake of the Stagefright bug, a number of major manufacturers, including Samsung, LG and Google itself, have now promised monthly security updates. We expect the likes of HTC, Sony and Motorola to follow suit soon. But while this is definitely a step in the right direction, it actually isn't going to change things that much.
Think about it: of course OEMs promising to issue monthly security patches sounds good. Concerned customers know that every month they'll be getting the latest fixes for the most troubling security vulnerabilities in Android. But wasn't that pretty much always the case?
Remember the Samsung keyboard hack a few months ago? Samsung got on top of that very quickly because it was a very serious problem (admittedly, Samsung has been working on this new monthly strategy for around six months). Likewise with LG's recent security scare, which only took a matter of days to get patched. By the time the media picked up on it, the patch was already in place.
The same is true of most major security scares on Android: when an issue is big enough, Google, manufacturers and carriers all get the job done pretty quickly. Promising to release a security patch every month just sounds nice. Not to mention that most patches will be issued for recent flagships, not the older mid-range phones that pretty much everyone actually has.
That leaves us with minor vulnerabilities. Technically speaking, this is where the benefit lies, because those smaller patches will now come within no more than a month, rather than the couple of months they might have taken before. But issuing monthly updates doesn't mean that all bugs from that month will be addressed and again, the people benefiting most from these monthly patches will be those on newer versions of Android.
If one big scare and five minor ones are raised in a month, they will be dealt with in order of severity, exactly as they are now. There's also no guarantee that a bug can even be dealt with in less than a month. On the other hand, if no security issues arise in a given month, are OEMs going to issue empty updates for no reason? What would the consumer response be if a monthly update was skipped?
Keep in mind too that these bugs often exist for months before any researchers even uncover them, so speeding up the patch process by a month won't make a huge difference in the vulnerabilities' lifespan. Take the LG scare recently: the researchers who uncovered it claimed it was actually discovered last year, but as soon as LG knew about it, the problem was solved. The issue wasn't in the response time, but in the reporting mechanism.
So while this new focus on decreasing the security response time on Android is admirable, there is still a long way to go before Android is as secure as it should be. While we applaud the OEMs and carriers working together with Google on this, we also hope more effort starts being made to proactively seek out bugs rather than simply responding when an external researcher happens to pick up on an exploit.
To see if your device is vulnerable to Stagefright, you can download the Stagefright Detector app from the security researchers who uncovered it. Unfortunately, the only fix if you are at risk is to wait for the update from your manufacturer, just as you always have. Now we just need manufacturers to speed up the way they deal with problematic Android updates.
How concerned are you by Android security? What do you think manufacturers' response should be?