Google Scans 6B Apps, 400M Devices Each Day; Says 30% of Android Devices Don't Get Regular Patches (googleblog.com)
Reader Trailrunner7 writes: As part of the enhancements to Android security, Google scans more than 6 billion installed applications per day on users' devices. The company also scans more than 400 million devices each day, it announced on Tuesday. Google last year also began releasing monthly security updates for devices running modern versions of Android, which includes devices on version 4.4.4 (KitKat) and later. "70.8% of all active Android devices are on a version that we support with patches," the Android report says. However, that still leaves hundreds of millions of Android devices without regular updates. There were roughly 1.4 billion Android devices active in September, according to Google, so that would leave about 420 million Android devices without patches. In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly. In its report, Google also says that fewer than 0.15% of devices that only get apps from Google Play had potentially harmful apps installed on them.
Newer versions of Android (6.0+ I believe) should have the security patches come through on a monthly basis even on manufacturer versions of Android (e.g., Samsung, LG, HTC, etc.). In other words, they are working at it, but it will take a while until all users have devices with 6.0+.
None. In most cases, the patches are controlled by the phone maker or carrier, and they don't patch regularly.
Learn to love Alaska
>> Google Says 30% of Android Devices Don't Get Regular Patches
>> In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly.
It sounds like the ball's in Google's court. "Want to be an 'Android' vendor? You agree to keep your devices updated with our security patches."
(I'm a member of Google's Android security team, but not an official spokesperson. Treat all of the following as informed personal opinion, not an official statement.)
If only it were that easy. A lot of people overestimate the power that Google has to tell OEMs and carriers what to do. There is some power there, certainly, but the fact that Android is open source means that if Google pushes too hard the partners can simply set up their own app stores, stop calling their devices "Android", and do what they like. Some of the big players are totally capable of doing this. Also, the contractual arrangements aren't renegotiated at whim; there's a schedule (every other year, I think?), so Google can only change them on that schedule, and even then it's a negotiation, not an opportunity for Google to dictate terms.
Still, Google does have considerable leverage, is using it, and this aspect of the ecosystem is getting much better. Rapidly, actually, on the time scales associated with designing and building hardware (as opposed to Internet time).
One of the big obstacles to regular updates is that many OEMs, especially the larger ones, have so many different devices to update. What looks to consumers like one product may actually be dozens of separate SKUs, for different regions or carriers, with slightly different hardware features, etc., and these different SKUs often run slightly different software. So it's not a matter of "the build", but rather dozens of builds for each "model", each of which has to be tested by the OEM, and then tested again by the carrier.
If you're planning on doing regular software updates for a substantial period of time, that's a ridiculous way to structure your product line and build processes, but most OEMs weren't planning on that. Now, most of the major (and many minor) players are, which means that going forward they're going to be working to simplify their offerings and streamline their development and update cycles to be able to turn updates around quickly and test them cost-effectively. They rarely have the bandwidth to go back and fix things up for older products, though, so to some extent the transition to a fully-patched Android ecosystem is going to involve waiting out the decline of older devices.
And keep in mind that by the time a device hits the market it's already been in development for well over a year. So if OEMs got the message in 4Q2015 that they were going to need to do regular updates on future devices, it'll be 2Q2016 or so before they figure out what that means they need to change for new device planning, and then late 2017 before the new crop of devices launches, all set up for monthly update cycles. Carriers have their own retooling to do.
This all means that the Android security team fully expects that we'll have to continue focusing on defense in depth rather than rapid patch deployment as our primary method of protecting user devices for the next few years. Luckily, the current set of techniques seems to be working astonishingly well. Much better than I would have thought.
Once the ecosystem gets far enough down the regular-update path, mind you, it may well become reasonable for Google to mandate regular patching in the contractual relationships that provide OEMs with access to Google's apps, just as you'd like to see happen now. Given that hardly anyone is tooled up to do it right now, though, I don't think there's any way Google could impose that mandate.
No iOS device has been supported as long as the 4S has.
My iPad 2, which is at least a year older than my iPhone 4s, would beg to differ with you.
Both run iOS 9, and in fact, Apple's SUPPORT of these older devices included a recent Update to iOS 9 SPECIFICALLY targeted at improving performance on older devices, specifically the iPhone 4s and the iPad 2.
So yeah, I'd call THAT "Support"!
BTW, that's why I skipped iOS 8. It DID have performance issues on the iPad 2. But they fixed it with (IIRC) iOS 9.2.1.