Slashdot Mirror


Google Scans 6B Apps, 400M Devices Each Day; Says 30% of Android Devices Don't Get Regular Patches (googleblog.com)

Reader Trailrunner7 writes: As part of the enhancements to Android security, Google scans more than 6 billion installed applications per day on users' devices. The company also scans more than 400 million devices each day, it announced on Tuesday. Google last year also began releasing monthly security updates for devices running modern versions of Android, which includes devices on version 4.4.4 (KitKat) and later. "70.8% of all active Android devices are on a version that we support with patches," the Android report says. However, that still leaves hundreds of millions of Android devices without regular updates. There were roughly 1.4 billion Android devices active in September, according to Google, so that would leave about 420 million Android devices without patches. In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly. In its report, Google also says that fewer than 0.15% of devices that only get apps from Google Play had potentially harmful apps installed on them.

19 of 105 comments

  1. 30% of Android Devices Don't Get Regular Patches by Threni · · Score: 5, Insightful

    Well, Google, you're in the best position to make that happen. Allow your update process to update stuff like the libraries which had the Stagefright problem yourselves, and not require the manufacturers to do it, because you know better than we do how bad they are at it. And have a word with Samsung, who tell you they'll provide major updates to Android for 18 months and then simply refuse to do it.

    Or is this just a ploy to get people to buy from your increasingly bad value for money Nexus range?

  2. Do I really need to point out the fix? by xxxJonBoyxxx · · Score: 4, Insightful

    >> Google Says 30% of Android Devices Don't Get Regular Patches
    >> In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly.

    It sounds like the ball's in Google's court. "Want to be an 'Android' vendor? You agree to keep your devices updated with our security patches."

    1. Re:Do I really need to point out the fix? by Anonymous Coward · · Score: 2, Interesting

      No money in that. It's why cell providers are trying to avoid selling WinPhones; without forced obsolescence a big part of the cell provider income stream goes away. They don't want to relay patches at any speed, they want customers to sign new 2-year contracts every two years, get a new phone running a modern build, and recycle the old one for raw materials (especially if the only problem with the old one is an obsolete OS version).
      Remove Android's big advantage to the cell providers and watch them go back to pushing proprietary software like they did before Google's lax oversight unified their business plans.

      Apple gets around this by having a very devoted fan base. They don't want "a good phone," they want "this month's iPhone," and AT&T gives in to the demand.

    2. Re:Do I really need to point out the fix? by shawn2772 · · Score: 5, Informative

      >> Google Says 30% of Android Devices Don't Get Regular Patches
      >> In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly.
      >> It sounds like the ball's in Google's court. "Want to be an 'Android' vendor? You agree to keep your devices updated with our security patches."

      (I'm a member of Google's Android security team, but not an official spokesperson. Treat all of the following as informed personal opinion, not an official statement.)

      If only it were that easy. A lot of people overestimate the power that Google has to tell OEMs and carriers what to do. There is some power there, certainly, but the fact that Android is open source means that if Google pushes too hard the partners can simply set up their own app stores, stop calling their devices "Android", and do what they like. Some of the big players are totally capable of doing this. Also, the contractual arrangements aren't renegotiated at whim; there's a schedule (every other year, I think?), so Google can only change them on that schedule, and even then it's a negotiation, not an opportunity for Google to dictate terms.

      Still, Google does have considerable leverage, is using it, and this aspect of the ecosystem is getting much better. Rapidly, actually, on the time scales associated with designing and building hardware (as opposed to Internet time).

      One of the big obstacles to regular updates is that many OEMs, especially the larger ones, have so many different devices to update. What looks to consumers like one product may actually be dozens of separate SKUs, for different regions or carriers, with slightly different hardware features, etc., and these different SKUs often run slightly different software. So it's not a matter of "the build", but rather dozens of builds for each "model", each of which has to be tested by the OEM, and then tested again by the carrier.

      If you're planning on doing regular software updates for a substantial period of time, that's a ridiculous way to structure your product line and build processes, but most OEMs weren't planning on that. Now, most of the major (and many minor) players are, which means that going forward they're going to be working to simplify their offerings and streamline their development and update cycles to be able to turn updates around quickly and test them cost-effectively. They rarely have the bandwidth to go back and fix things up for older products, though, so to some extent the transition to a fully-patched Android ecosystem is going to involve waiting out the decline of older devices.

      And keep in mind that by the time a device hits the market it's already been in development for well over a year. So if OEMs got the message in 4Q2015 that they were going to need to do regular updates on future devices, it'll be 2Q2016 or so before they figure out what that means they need to change for new device planning, and then late 2017 before the new crop of devices launches, all set up for monthly update cycles. Carriers have their own retooling to do.

      This all means that the Android security team fully expects that we'll have to continue focusing on defense in depth rather than rapid patch deployment as our primary method of protecting user devices for the next few years. Luckily, the current set of techniques seems to be working astonishingly well. Much better than I would have thought.

      Once the ecosystem gets far enough down the regular-update path, mind you, it may well become reasonable for Google to mandate regular patching in the contractual relationships that provide OEMs with access to Google's apps, just as you'd like to see happen now. Given that hardly anyone is tooled up to do it right now, though, I don't think there's any way Google could impose that mandate.

    3. Re:Do I really need to point out the fix? by shawn2772 · · Score: 2

      >> One of the big obstacles to regular updates is that many OEMs, especially the larger ones, have so many different devices to update. What looks to consumers like one product may actually be dozens of separate SKUs, for different regions or carriers, with slightly different hardware features, etc., and these different SKUs often run slightly different software. So it's not a matter of "the build", but rather dozens of builds for each "model", each of which has to be tested by the OEM, and then tested again by the carrier.

      >> And this is one of the biggest reasons why Android sucks and iOS rocks.

      Ignoring the unsubstantiated opinion, it's also the reason why Android market share has dominated iOS for years now, and iOS continues to decline. Yes, most of those Android phones are cheap devices that barely qualify for the name "smartphone", while iOS still leads in the lucrative premium segment (though that lead is eroding), but that's exactly the point. The wide variety of Android devices available means there are Android phones for every niche.

      It's all very similar to the Windows vs MacOS story. In the last few years the combination of the iPhone tie-in and the fact that so much software has moved to the web browser, making it platform independent, has changed that; but prior to that Windows trounced MacOS for the simple reason that you could buy whatever sort of Windows PC you wanted, and at a very aggressive price point, due to the many manufacturers of PC compatibles. A single manufacturer simply can't compete with an entire ecosystem. That doesn't mean a manufacturer can't carve out a very profitable niche for itself, which Apple has done incredibly well, but it will always be only a niche.

      >> Google was apparently too stupid and short-sighted to look into the future a little bit, and see the all-too-predictable outcome of losing control over their "Brand". And make no mistake: Most people DO know that Android means Google.

      Meh. Google's brand is one of the strongest in the world, and Android is enhancing it, not dragging it down. Until recently most people did not know that Android was Google. Actually most people didn't know that Android was a thing at all; they just knew there was "Samsung", "LG", etc. That is why Google started the "Be together. Not the same." advertising campaign, to help people realize that Android existed and ran on all of those phones... and that it was from Google.

      I realize it's hard to break free of the RDF, but you should give it a shot.

    4. Re:Do I really need to point out the fix? by shawn2772 · · Score: 2

      >> There is some power there, certainly, but the fact that Android is open source means that if Google pushes too hard the partners can simply set up their own app stores, stop calling their devices "Android", and do what they like. Some of the big players are totally capable of doing this.

      >> Capable technically and financially ... possibly, yes. Actually going to do that? My twenty bucks says "no way in hell!". Can you imagine a cell phone in the shop with a tag saying "cannot talk to Google Play nor Windows Store"? That would be like a desktop computer with a tag "cannot play games because it does not run Windows".

      It's really not that inconceivable. Consider, for example, if the top two or three Android manufacturers decided to ally with Amazon, which already has an app store. And obviously there would be no tag saying "Cannot talk to Google Play store". There would be a tag saying "Can run hundreds of millions of apps from the Amazon app store"... and it would be true. App developers don't often bother with the Amazon store now, but if that was the way to reach all new Samsung devices, you can bet that they would.

  3. Galaxy Nexus by Elledan · · Score: 2

    My Galaxy Nexus with Android 4.3 says 'hi' :)

    A flagship device only a few years ago, it's not received patches or any form of updates for years now and is now too unsafe to even consider using as a smartphone any more.

    Meanwhile the iPhone 4S I also use is up to date on the latest iOS with no sign of support being dropped just yet, despite this phone being of a similar age as the Galaxy Nexus.

    The lesson I have learned out of owning a Google Android device is to never buy Android again. Apple and even Windows update their devices for as long as reasonably possible, while Android is a walking security risk, even on Nexus devices.

    --
    Site & blog: http://www.mayaposch.com

    1. Re:Galaxy Nexus by rupert.applin · · Score: 4, Insightful

      Yep, it wouldn't be so bad if you just had to get updates from Google and the manufacturer, but when you have to suffer the carriers wanting to put their crap into the OS as well, then you are really in trouble, as they don't care a jot about 'old' devices, but would much rather sell you something new than spend money providing updates for what they have sold previously.

    2. Re:Galaxy Nexus by JesseMcDonald · · Score: 2

      The case with the Galaxy Nexus is a bit special, as they had planned to support it longer until Texas Instruments, the supplier of the OMAP 4460 SoC used in the Galaxy Nexus, suddenly decided to get out of the mobile and tablet business and also stopped providing updated (binary) drivers for their SoC. Without updated drivers Google is limited in what it can fix; in particular, the old drivers won't work with newer versions of the kernel.

      Could Google have continued supporting the Galaxy Nexus anyway, backporting security fixes and other changes that didn't depend on an updated kernel? Sure. It would have been a lot of trouble which would have detracted from their other Android development efforts, however, so it's understandable that they chose to E.O.L. the Galaxy Nexus and focus on the rest of the Android ecosystem not based on obsoleted components. They also switched to a different SoC for the next Nexus device and updated their supplier policies to make this scenario less likely in the future.

      (What they did not do, unfortunately, was take the more principled stand of only using components with properly upstreamed open-source device drivers, which would have eliminated dependence on the manufacturers and carriers for updates once and for all.)

      I say this as a Galaxy Nexus owner who was rather annoyed with the change at the time. I've since upgraded to a Nexus 5, but the older phone still works well enough several years after its official E.O.L. date (running the last CyanogenMod build for the Galaxy Nexus). It's a bit underpowered by modern standards, but I sometimes employ it for remote monitoring or other simple tasks when I don't want to tie up my main device.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat

    3. Re:Galaxy Nexus by macs4all · · Score: 3, Informative

      >> No iOS device has been supported as long as the 4S has.

      My iPad 2, which is at least a year older than my iPhone 4s, would beg to differ with you.

      Both run iOS 9, and in fact, Apple's SUPPORT of these older devices included a recent update to iOS 9 SPECIFICALLY targeted at improving performance on older devices, specifically the iPhone 4s and the iPad 2.

      So yeah, I'd call THAT "Support"!

      BTW, that's why I skipped iOS 8. It DID have performance issues on the iPad 2. But they fixed it with (IIRC) iOS 9.2.1.

    4. Re:Galaxy Nexus by shawn2772 · · Score: 2

      >> My iPad 2, which is at least a year older than my iPhone 4s, would beg to differ with you.

      I stand corrected. The iPad 2 is indeed a few months older than the iPhone 4S. It doesn't change the fact that Elledan compared the worst outlier among Nexus devices to nearly the best outlier among Apple devices. Perhaps he wasn't intentionally cherry-picking devices to support his argument, but that was the effect.

  4. Re:30% of Android Devices Don't Get Regular Patche by Anonymous Coward · · Score: 2, Informative

    Newer versions of Android (6.0+ I believe) should have the security patches come through on a monthly basis even on manufacturer versions of Android (e.g., Samsung, LG, HTC, etc.). In other words, they are working at it, but it will take a while until all users have devices with 6.0+.

  5. Re:Are there any non-Nexus devices getting securit by heezer7 · · Score: 2

    Motorola does, but it lags. My Moto X Pure 2015 is on the patch version from February. Not great, but at least still supported.

  6. Re:30% of Android Devices Don't Get Regular Patche by Shadow99_1 · · Score: 2

    I'm positive they don't want the costs of keeping an OS up to date. If they fork their own version for their devices, they then take on all the major security issues Google has been handling. Samsung isn't the only Android vendor though, and if they fall off the Google bandwagon for their own fork of it they will have quite the uphill battle. It would also give other vendors a much better shot at gaining market share. I've heard good things about the HTC 10 for instance...

    --
    we are all invisible unless we choose otherwise

  7. Partly the problem is hardware by Henarchaga · · Score: 2

    I'm part of that 30% - my phone won't download a recent system update because there is insufficient dedicated system memory to (I assume) unpack and install the update. It's a fun combination problem - the version of 4.4.2 that I have won't let me move all downloaded apps to the SD card, which has 4x the available space as the internal memory. At least some of the software is bloat or crap from Virgin Mobile, and the other half of the problem is the very limited specs of the phone - an LG Tribute.

  8. Re:Ok, but... by AK+Marc · · Score: 3, Informative

    None. In most cases, the patches are controlled by the phone maker or carrier, and they don't patch regularly.

  9. Re:30% of Android Devices Don't Get Regular Patche by Cramer · · Score: 2

    Google's own brain damage is the reason why so few devices are actively patched. 6.0+ uses a filesystem block-based patching mechanism. If you so much as mount the system partition (rw), you NEVER, EVER, EVER, EVER! get a single byte of patches.

    And I don't know what the hell they're blabbering about... 4.4.4 absolutely does NOT get patches. Demanding I install 5.0.1 is not a patch. (It will then demand I install 5.1, then 6.0.) And unlike the majority of vendor "hacked" Androids, Google doesn't ask a damn thing before it downloads hundreds of megs of crap I don't want -- tell me there's an update/patch/whatever and WAIT FOR ME TO APPROVE THE DOWNLOAD.
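
The block-based OTA behaviour Cramer describes, as an added example that is not part of the original thread and not Android's own updater code: a toy updater in Python that records the hash of the source partition (and of each block it will rewrite), refuses to write anything if the partition on the device no longer matches, and checks the result against the target hash afterwards. The four-block "partition", the 16-byte block size and the names apply_patch, build_patch and simulate_rw_remount are all constructed here; real block-based OTA works on 4096-byte blocks with bsdiff/imgdiff deltas over block ranges. The point it demonstrates is the one in the comment: a read-write mount rewrites filesystem metadata even when no file is touched, so the source check fails and the device stays on the old build.

```python
import hashlib

# Toy block size; real Android block-based OTA works on 4096-byte filesystem blocks.
BLOCK_SIZE = 16


class VerificationError(Exception):
    """Raised when the partition on the device is not the one the patch was built against."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def split_blocks(image: bytes) -> list:
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be block-aligned")
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def make_image(entries) -> bytes:
    """Constructed sample 'partition': one NUL-padded block per entry."""
    return b"".join(e.ljust(BLOCK_SIZE, b"\0") for e in entries)


# Constructed factory image and the image the monthly update should produce.
FACTORY_IMAGE = make_image([b"superblock mnt=0", b"libmedia.v1", b"libssl.v1", b"app/phone"])
UPDATED_IMAGE = make_image([b"superblock mnt=0", b"libmedia.v2", b"libssl.v2", b"app/phone"])


def build_patch(old_image: bytes, new_image: bytes) -> dict:
    """Block-level patch: the hash of the whole source partition plus, for each block
    that differs, the hash of the source block and the replacement bytes.
    (A real patch carries bsdiff/imgdiff deltas instead of full replacement blocks.)"""
    old_blocks, new_blocks = split_blocks(old_image), split_blocks(new_image)
    if len(old_blocks) != len(new_blocks):
        raise ValueError("images must have the same number of blocks")
    changes = [
        {"block": i, "source_sha256": sha256(o), "data": n}
        for i, (o, n) in enumerate(zip(old_blocks, new_blocks))
        if o != n
    ]
    return {
        "source_sha256": sha256(old_image),
        "changes": changes,
        "target_sha256": sha256(new_image),
    }


def apply_patch(device_image: bytes, patch: dict) -> bytes:
    """Verify first, write second. Any byte that differs from the factory image,
    whether a replaced library or just metadata rewritten by a rw mount, makes the
    source hash mismatch and the update is refused before any block is written."""
    if sha256(device_image) != patch["source_sha256"]:
        raise VerificationError("system partition does not match the image the patch expects")
    blocks = split_blocks(device_image)
    for change in patch["changes"]:
        if sha256(blocks[change["block"]]) != change["source_sha256"]:
            raise VerificationError(f"block {change['block']} does not match its expected hash")
    for change in patch["changes"]:
        blocks[change["block"]] = change["data"]
    result = b"".join(blocks)
    # Post-write check: the patched partition must be bit-identical to the target image.
    if sha256(result) != patch["target_sha256"]:
        raise VerificationError("patched partition does not match the target hash")
    return result


def simulate_rw_remount(image: bytes) -> bytes:
    """Remounting ext4 read-write rewrites superblock metadata (mount count, last-mount
    time) even when no file is touched. Toy version: bump a counter in block 0."""
    blocks = split_blocks(image)
    blocks[0] = b"superblock mnt=1".ljust(BLOCK_SIZE, b"\0")
    return b"".join(blocks)


def update_pristine_device() -> bool:
    """Untouched factory partition: the patch applies and yields the updated image."""
    patch = build_patch(FACTORY_IMAGE, UPDATED_IMAGE)
    return apply_patch(FACTORY_IMAGE, patch) == UPDATED_IMAGE


def update_remounted_device() -> str:
    """Partition once mounted rw: no file changed, but the update is still refused."""
    patch = build_patch(FACTORY_IMAGE, UPDATED_IMAGE)
    try:
        apply_patch(simulate_rw_remount(FACTORY_IMAGE), patch)
    except VerificationError as err:
        return f"refused: {err}"
    return "applied"


if __name__ == "__main__":
    print("pristine device:", update_pristine_device())
    print("remounted device:", update_remounted_device())
```

The verify-then-write order matters: a block delta applied against the wrong source blocks would produce a corrupt partition, so the updater has to refuse up front rather than discover the mismatch halfway through. That same strictness is what turns any write to /system, even one that changes no file contents, into "no patches ever" for that device.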

  10. Re:Ok, but... by AmiMoJo · · Score: 2

    Incorrect. Patches can be delivered by either the maker/carrier via an OS update, or via Google Play. In versions of Android from 4.0 onwards (I think, it might be 4.1) Google can and does mitigate issues without any action from the manufacturer.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  11. Re: Google has the power to change this by Ilgaz · · Score: 2

    If a black hat manages to crack the device, the first target will be Google billing information and the Google password. Once they are stolen, a huge, never-heard-of scandal will happen and people will blame Android or Google. Not the manufacturer of the device.

    It is just like Windows got blamed once the vendor bundled AV expired and let all the crap in.

    Google doesn't have a clue about the potential digital Armageddon that is on the way.