In 2015, a set of serious vulnerabilities in Android's media playback library - known collectively as 'Stagefright', and affecting hundreds of millions of devices - shone a harsh spotlight on how the operating system is maintained. In the wake of that discovery, Google announced that it would release monthly security updates for the OS, and several major manufacturers committed to bringing those updates to their devices swiftly each month.
Google has stayed true to its word, releasing new patches every month to address newly discovered vulnerabilities. Manufacturers and mobile operators have been less consistent in holding up their end of the deal. AT&T, for example, delivered the February security updates to several Samsung handsets five weeks after Google released them, and a week after the March patches were made available. In February, ZTE released its brand new Blade V8 Pro handset with the December patches onboard, and only brought the January security update to the device in March.
Yesterday, Google published its Android Security Year in Review report for 2016 (PDF), admitting that "there's still a lot of room for improvement" for both the company and its partners.
Google said that "more than 735 million devices from 200+ manufacturers received a platform security update in 2016". Note the wording: a device counts if it received at least one update during the year, so the figure says nothing about how many of those devices received every monthly patch, or how current they were at year's end.
It added that "carrier and hardware partners helped expand deployment of these updates, releasing updates for over half of the top 50 devices worldwide in the last quarter of 2016." However, it's clear that there are still weak links in the process. Last week, for example, Samsung promised to deliver monthly security updates to its unlocked Galaxy handsets in the US, despite having already committed to "fast track security updates" to its devices in 2015. In recent months, Samsung has instead been rolling out these security patches to many of its handsets, including its newest flagships, on a quarterly basis.
Additionally, while Google boasted this week that its monthly security patches are available for all devices running Android 4.4.4 KitKat and newer - covering "86.3 percent of all active Android devices worldwide" - availability from Google is not the same as deployment to handsets: it also admitted that "about half of devices in use at the end of 2016 had not received a platform security update in the previous year".
Google promised to do more to improve these deployments over the coming year. "We're working to increase device security updates by streamlining our security update program," it explained, "to make it easier for manufacturers to deploy security patches and releasing A/B updates to make it easier for users to apply those patches."
Google's Adrian Ludwig told TechCrunch that, by working with its manufacturer and carrier partners, the company has already been able to cut the wait time for security updates from as long as nine weeks down to just a few days. He said carriers now view security updates differently from feature updates, and recognize the importance of swifter rollouts for those security patches, while OEMs are also changing the way they release those updates. But even with these improvements, Ludwig acknowledged that "in North America, just over 78 percent of flagship devices were current with the security update at the end of 2016."
"It's a good number in terms of the progress it represents," he said, adding, "We think we can do better."
Download: Android Security Year in Review for 2016 (PDF)