Android's latest patches once again remind us: It's Nexus or bust if you want decent security

Another month means another double bundle of security vulnerability patches for Android. Google is sticking to the twin-release pattern it used last month: the first batch addresses flaws in Android's system-level software that everyone should install, and the second squashes bugs in hardware drivers and kernel-level code that …

  1. stuartnz

    A pleasant surprise

    When I bought my LG V10 a few months ago, I was pleased to see that not only did it come with Marshmallow, but LG seems to be one of the better manufacturers when it comes to patching. As of now, my phone has Android patches up to June installed - by no means perfect, of course, but much, much better than many handset manufacturers, I think. Based on the number of updates I've had since getting the phone, I'm hoping this next batch won't be too far away.

    1. jason 7

      Re: A pleasant surprise

      LG G4 - No patches since February. I've given up worrying about it really.

      1. stuartnz

        Re: A pleasant surprise

        That's odd - my wife's G4 got a patch update bundle just last month.

    2. 404 Silver badge

      Re: A pleasant surprise

      The G5 just got another update July 27 - Home with app drawer is available on the G5 now too.

  2. corestore

    It's Nexus or bust - full stop!

    1. Kurt 4

      Or Windows 10 phones which also have snapdragon but are they unaffected by the holes? Probably totally different drivers so I would assume so.

      1. Hans 1 Silver badge
        Windows

        > Probably totally different drivers so I would assume so.

        Probably, but who knows ? We are talking Qualcomm code, here, not MS'. Yes, MS is better at patching Windows than Sony is at patching Android, MS have had a monthly rehearsal over the past 20 years.... but I think chances are there are some issues with the Windows phones as well ... just that, the three or four users simply represent too little a target audience... ;-)

        Nice to read Blackberry is taking this shit seriously.

      2. Maventi

        "Or Windows 10 phones..."

        Meh, I prefer something that shows a promising future. Nexus both gets patched and runs my apps, and Google doesn't completely reinvent the OS every two years.

        And I say this as a previously happy Windows Mobile user from 2002-2010.

      3. Planty Bronze badge
        Stop

        Nope, Google do a better job of patching, and a more open disclosure. Sadly the press rip a new asshole because of that, rather than acknowledgement of full disclosure. Pathetic is the word we are looking for.

        Google will likely just stop revealing details if this press clickbait nonsense carries on.

    2. davenewman

      Or tablets

      Most Android tablets do updates at the same time, especially Google ones like the Pixel Pro. Why just think of phones?

    3. phuzz Silver badge

      Some third party ROMS are pretty good at integrating the security patches in a timely manner. (Cyanogenmod doesn't seem to have integrated this recent load of patches yet though)

  3. Anonymous Coward

    Google are wasting their time

    They might as well just patch the Nexus and not bother releasing the patches to any other manufacturer. Everyone knows that the combined clusterfuck of manufacturers and carriers will never get these patches to end user devices.

    1. paulf Silver badge
      Unhappy

      Re: Google are wasting their time

      Surely it's about time Google started revoking use of the GMS binary blob for manufacturers that don't keep their devices up to date with patches for at least two years after launch. Would that focus a few minds? I suppose it doesn't get around the Networks/Carriers also wanting to stand in the way.

      Google have the power to solve this clusterfuck but continue to not give a toss.

    2. Tom 7 Silver badge

      Re: Google are wasting their time

      They're wasting my time - I don't get a usable signal at home so it's not on much - but when it is all it ever does is bloody update update update.

    3. Anonymous Coward

      Re: the combined clusterfuck of manufacturers and carriers

      Yeah, because it's not like anyone could've written an update mechanism for Android that worked despite the manufacturers and carriers. You know, like MS and Apple do with their phones.

      Fucking Manufacturers and Carriers! I love Google!!!

      1. joeldillon

        Re: the combined clusterfuck of manufacturers and carriers

        MS and Apple /are/ the manufacturers for their gear, which is why they have the ability to develop and release their own updates. Google can't release updates for gear they don't make.

        1. Anonymous Coward

          Re: the combined clusterfuck of manufacturers and carriers

          > MS and Apple /are/ the manufacturers for their gear

          True for Apple, not true for MS, others have and do make them, but they still get updates. You can wait for an official carrier build, or bypass it.

          1. Ken Hagan Gold badge

            Re: the combined clusterfuck of manufacturers and carriers

            In the MS case, they've issued guidelines for at least twenty years (basically following on the tradition set by IBM who documented what the PC spec was) and any OEM who doesn't produce a compatible machine can't sell it to customers because Windows won't work properly.

            So if the OP had said designer rather than manufacturer, they'd be basically correct.

        2. paulf Silver badge
          Facepalm

          Re: the combined clusterfuck of manufacturers and carriers

          @ joeldillon

          "Google can't release updates for gear they don't make."

          My computer wasn't manufactured by Microsoft yet they somehow manage to issue updates for it (Win 7 x64). Pop over to the latest Win 10 article and see the debate continuing to rage as Microsoft can now update computers they didn't make, without first seeking user approval.

          The point is Google could have structured Android so it was possible for the underlying operating system to receive these kind of security and bug fix updates without the Manufacturer/Carrier gating their distribution and without disturbing any customisations added by the manufacturer/Carrier. Even if they didn't do Android like this from the outset they've had 7 years to sort it out.

      2. Captain Hogwash Silver badge

        Re: I love Google!!!

        “But it was all right, everything was all right, the struggle was finished. He had won the victory over himself. He loved Big Brother”

  4. Martin Summers Silver badge

    My Samsung S7 Edge has been getting Google security patches every single month without fail since I had it, just like my Nexus device did. So not really an accurate headline.

    1. Adam 52 Silver badge

      If Samsung stick to form your patches will be later than Google's and dry up much sooner. So I'd say the headline is accurate.

      Oh, and they'll bork something trivial like the 4G radio and you'll have to wait months for a fix to fix the fix too.

    2. Anonymous Coward

      "My Samsung S7 Edge has been getting Google security patches every single month without fail since I had it, just like my Nexus device did. So not really an accurate headline."

      I'm impressed, current model gets update. Don't worry, Samsung will soon get bored once the newer model comes out.

    3. tiggity Silver badge

      Not all Samsungs are equal

      But compare that to minimal patch supports for low end Samsungs e.g. Tab 3 left to fester on 4.4.2

      Essentially have to buy a premium Samsung to have a hope of any regularity of patches

    4. nkuk

      Agreed, my OnePlus 3 has also been getting the monthly security updates.

  5. RPF

    Anyone know how good Cyanogen is at keeping up with Nexus?

    Tempted to try that on my Android 5.0 Asus Zenfone after reading this!

    1. HkraM

      If you're using the nightly builds, Cyanogenmod gets the updates very fast. My CM13 phone got the July updates within a day or two of Google releasing them; I'm expecting the August updates to be similar. I am using the nightly builds though - the last "stable" build for my phone is 9 months old.

      I'll never buy a new phone that doesn't have Cyanogenmod builds available. I had enough of manufacturers refusing to release updates after less than a year. (Motorola, Samsung, Sony have all done this.)

      1. RPF

        Thanks for the info - will definitely do that, then.

    2. asdf Silver badge

      CM is great at getting updates in nightlies which ironically means old phones out of warranty are usually much easier to update and keep secure.

  6. Ru'

    fwiw my S5 is still getting updates, which surprises me (even though it shouldn't).

    1. Tony W

      Same here, my S5 updated today to Marshmallow (which Samsung have previously said the phone wouldn't cope with - it seems to work fine though) and updated security patch to 1 July 2016. On past form I won't hold my breath for more security updates though.

  7. RyokuMas Silver badge
    Facepalm

    The master plan...

    We're not trying to build a monopoly, oh no... buy a Nexus and go back to bitching about Microsoft and the browser wars...

  8. Anonymous Coward

    Yawn

    Scare stories, FUD and clickbait beware.. you really have become the tech press laughing stock. The daily mail of blogging (you can't really call what you write journalism, blogging is more accurate)

    "Getting a bad text or visiting an evil webpage could be enough to slip spyware onto your device"

    Untrue

    "these kinds of low-level flaws were used to blow apart Android's full-disk encryption system last month."

    Untrue

    "A malicious app on a Qualcomm-powered phone or tablet could exploit these to gain kernel-level access – completely hijacking the device"

    Unture

    1. JudeKay (Written by Reg staff)

      Re: Yawn

      Awww, shucks, Anonymous. We're blushing. Don't worry, we won't tell your friends how much you luuuurve us.

    2. TeeCee Gold badge
      Facepalm

      Re: Yawn

      Thanks for that. How's life in Google these days?

    3. Anonymous Coward

      Re: Unture

      Did you see that fuck off massive list of CVE's in the article? Were they Unture?

      1. Anonymous Coward

        Re: Unture

        Of course not. but the EFFECTS of the CVE's are untrue.

        1. Anonymous Coward
          FAIL

          Re: Unture

          @AC AKA Google Shill

          http://www.bbc.co.uk/news/technology-36744925

          And before you say...Oooo they should only download from Play store, remember many have been infected via that route. Plus I don't buy into this monopoly bollocks.

    4. Crazy Operations Guy Silver badge

      @Anon Coward RE: "Untrue"

      [citation needed]

  9. Anonymous South African Coward Silver badge

    Meh

    Time for another OS... or a fork of Android...

    1. Anonymous Coward

      I guess iOS should be forked first, as that CVE list is far far worse....

      http://venturebeat.com/2015/12/31/software-with-the-most-vulnerabilities-in-2015-mac-os-x-ios-and-flash/

      Android is well down that list. iOS and Mac right up there above flash....

  10. hamiltoneuk

    For those that care Cyanogenmod is still good for security updates, even for Kitkat on an ancient 1st generation Galaxy Tab - if you don't mind slow and heavy!

  11. BinkyTheMagicPaperclip Silver badge

    This is why reviews need information about third party ROM support

    Forget the camera, this is why it is essential to hold manufacturers to account otherwise they will never change. If you reward failure, there is no incentive to succeed.

    Never mind 'it's fast, waterproof, etc' the review should read 'It's a fast and functional phone but MegaCorp's support policy means it'll be a £500 doorstop inside 18 months. 2/10'

    Time to see where the latest Marshmallow Cyanogen builds for my 2012 phone are up to, because Motorola certainly haven't been patching it for years. It's not even on the list of devices for updates.

    About the only thing it doesn't do is 4G outside the US, and it's a bit unhappy running Pokemon Go. Frankly I can live with that, and uninstalled it.

  12. Anonymous Coward

    How do I know if my Huawei device has been updated with any security fixes ?

  13. Dave Bell

    So what do the phone networks have to do with code patches that Google don't have to deliver as mobile data? The last one I got came via the free Wi-Fi in the pub

    1. Crazy Operations Guy Silver badge

      Manufacturers make variants of each phone to be specific to a carrier, so something like a Galaxy S7 on AT&T and an S7 on T-Mobile are different devices. The biggest difference between the variants is typically that they are locked to a much narrower set of carrier-specific frequencies to make them a little more sensitive and use less energy versus the carrier-agnostic unlocked phones that the manufacturers sell.

      Normally the changes between variants aren't an issue, but many times they changed more than just the radio block, which can cause updates to completely break between carrier-specific variants.

      The reason that Nexus devices aren't affected is that Google requires the devices use specific hardware without any deviation at all. This allows a patch that works on an LG-made Nexus-5X running on Verizon to be completely compatible with a Huawei-made Nexus 5X running on T-Mobile.

  14. Ken Hagan Gold badge

    Perhaps Google should re-architect Android so that it is a set of applications that run on top of an OS. The OS would, obviously, contain device specific code, so it would be up to the hardware vendor to maintain that bit. The Android bit would be just algorithms adhering to open standards. Google could update that on any device whenever they pleased.

    But a Mongolian clusterfuck is just so much easier for all the developers concerned.

  15. Avatar of They
    Thumb Up

    Ooooh I got updates.

    I just had Samsung (note 4) notify me of an update with a ton of "security fixes." I would like to believe they include this list, reality tells me it will be for whatever list was compiled in 2015.

    So Samsung do get some updates. :)

  16. pyite

    Fix the headphone volume mis-feature and I'll buy Nexus again

    Google intentionally limits the headphone volume (apparently due to a lawsuit). It is a big problem because if you use an aux connector it requires that everything be turned up to 11 and it still isn't loud enough.

    Please make this easy to override without rooting the phone.

  17. Dinsdale247

    Over Simplification

    PS: Yeah, yeah, BlackBerry's Priv and DETK50 Androids get patches at the same time as Nexuses. We know. Good for them.

    You're a git Iain and that is not correct. You paint everything in a "Google is the best" light when these problems have been around since the inception of Android (yes Google's fault). All vendors receive the updates at the same time, however Blackberry has put in place a policy to release patches on the same day they are publicly available. Maybe you should quit being a biased moron and write something like:

    "Blackberry has a chance to shake up the market as they are the only other vendor besides Google themselves that will have security patches available as soon as they are publicly released. That is, if users (and moron tech writers) are smart enough to see that something needs to change in Android security."

  18. drtune

    Remote code execution in Wifi driver!?

    Oh man that's a tasty one...

  19. Crazy Operations Guy Silver badge

    Too bad the cell networks are irrevocably broken

    I still get near-daily spam calls from numbers that cannot exist (like yesterday, I got a phone call from the telephone number "1", or sometimes I'll receive calls from my own number) and the carriers are powerless to do anything about it since the protocols themselves are crap when it comes to security and allow impersonation by allowing a device to inject whatever phone number and IMEI / MSISDN / IMSI ID it wants into the packet header without the tower even checking.

    For a while, I was able to use an inexpensive SDR to authenticate against the tower using the phone number (555) 867-5309 and make and receive phone calls with that number.

  20. Dick Knuckle

    Oneplus 3 here...

    Patched up to 1st July.
