Research shows that most Android OEMs don’t actually deliver promised security patches to devices.
What matters to you the most while going for a new Android smartphone? Unless you are a shutterbug or someone conscious about brand value, then software updates take up the utmost preference while choosing your phone. Usually, Google’s stock Android builds are slated to get the fastest updates, followed by other manufacturers who ship with extensively customised interfaces. Since Android is an open-source operating system, it’s also vulnerable to malware and other forms of deadly cyber attack. Timely security patches from OEMs promise to fix those, provided OEMs deliver them on time.
However, a recent study conducted by Security Research Labs has unearthed a startling fact related to the rollout of security patches. The report by Wired suggests that several Android OEMs who promise to deliver the latest security patches often mislead their customers by not delivering those patches at all. Several OEMs, particularly from the Chinese market space, often skip on security patches. In order to shove sand over their mistakes, they simply mention that the devices are running on the latest updates, i.e. they lie about rolling out the patches in the first place.
The study was conducted on the firmware of 1200 smartphones from various manufacturers. While top-tier brands such as Google and Samsung mostly came out as the honest ones, several mid to low tier brands such as HTC, Xiaomi, Huawei, Motorola and LG follow this practice quite often. In fact, TCL and ZTE are the only two names that have been found to top the list by skipping the security patch updates, despite showing in the Device Info section that updates are installed.
If you are cross with your phone’s manufacturer, then you should also consider the reason as to why they do this. With stock Android ROMs, it’s easier to roll out patches as the changes incorporated in the system are easy to implement, without affecting most system elements. However, with extensively customised ROMs, a new security patch for a particular vulnerability could break something else or de-stabilise the system. Therefore, OEMs prefer to either remove the feature that has the vulnerability or don’t bother if that device lacked the feature in the first place. Additionally, it was also found that cheaper devices running on cheaper chipsets from MediaTek and Huawei’s HiSilicon are found to feature lots of vulnerabilities built in the chipset itself. So, if the chipset had the flaw, the OEM could do nothing until Mediatek rolled out the patch for the chip’s flaw. A recent example in the parallel universe of PCs is Intel’s Spectre and Meltdown issues, which has been declared to be unfixable for most old PCs.
While Google is investigating the findings of the report, it’s advised to opt for phones from those manufacturers who treat software support pretty seriously. Google’s Pixel branded phones are your best bet if you want to ensure peace of mind regarding these issues. Samsung isn’t one of the first ones to roll out security patches, but it’s ensured that most of their premium devices get the fixes sooner or later. Do keep in mind that the more customised your smartphone’s OS, the lesser the chances of it receiving the latest patches to vulnerabilities.