Slashdot Mirror


Google Scans 6B Apps, 400M Devices Each Day; Says 30% of Android Devices Don't Get Regular Patches (googleblog.com)

Reader Trailrunner7 writes: As part of the enhancements to Android security, Google scans more than 6 billion installed applications per day on users' devices. The company also scans more than 400 million devices each day, it announced on Tuesday. Google last year also began releasing monthly security updates for devices running modern versions of Android, which includes devices on version 4.4.4 (KitKat) and later. "70.8% of all active Android devices are on a version that we support with patches," the Android report says. However, that still leaves hundreds of millions of Android devices without regular updates. There were roughly 1.4 billion Android devices active in September, according to Google, so that would leave about 420 million Android devices without patches. In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly. In its report, Google also says that fewer than 0.15% of devices that only get apps from Google Play had potentially harmful apps installed on them.

  1. 30% of Android Devices Don't Get Regular Patches by Threni · Score: 5, Insightful

    Well, Google, you're in the best position to make that happen. Allow your update process to update stuff like the libraries which had the stagefright problem to get updated by yourselves and not require the manufacturers to do it, because you know better than we do how bad they are at it. And have a word with Samsung, who tell you they'll provide major updates to Android for 18 months and then simply refuse to do it.

    Or is this just a ploy to get people to buy from your increasingly bad value for money Nexus range?

  2. Do I really need to point out the fix? by xxxJonBoyxxx · Score: 4, Insightful

    >> Google Says 30% of Android Devices Don't Get Regular Patches
    >> In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly.

    It sounds like the ball's in Google's court. "Want to be an 'Android' vendor? You agree to keep your devices updated with our security patches."

    1. Re:Do I really need to point out the fix? by shawn2772 · Score: 5, Informative

      >> Google Says 30% of Android Devices Don't Get Regular Patches
      >> In the Android ecosystem, carriers are also responsible for pushing security patches to users, so while Google pushes security updates each month, not all carriers and device manufacturers release them to all users regularly.
      >> It sounds like the ball's in Google's court. "Want to be an 'Android' vendor? You agree to keep your devices updated with our security patches."

      (I'm a member of Google's Android security team, but not an official spokesperson. Treat all of the following as informed personal opinion, not an official statement.)

      If only it were that easy. A lot of people overestimate the power that Google has to tell OEMs and carriers what to do. There is some power there, certainly, but the fact that Android is open source means that if Google pushes too hard the partners can simply set up their own app stores, stop calling their devices "Android", and do what they like. Some of the big players are totally capable of doing this. Also, the contractual arrangements aren't renegotiated at whim, there's a schedule (every other year, I think?) so Google can only change them on that schedule, and even then it's a negotiation, not an opportunity for Google to dictate terms.

      Still, Google does have considerable leverage, is using it, and this aspect of the ecosystem is getting much better. Rapidly, actually, on the time scales associated with designing and building hardware (as opposed to Internet time).

      One of the big obstacles to regular updates is that many OEMs, especially the larger ones, have so many different devices to update. What looks to consumers like one product may actually be dozens of separate SKUs, for different regions or carriers, with slightly different hardware features, etc., and these different SKUs often run slightly different software. So it's not a matter of "the build", but rather dozens of builds for each "model", each of which has to be tested by the OEM, and then tested again by the carrier.

      If you're planning on doing regular software updates for a substantial period of time, that's a ridiculous way to structure your product line and build processes, but most OEMs weren't planning on that. Now, most of the major (and many minor) players are, which means that going forward they're going to be working to simplify their offerings and streamline their development and update cycles to be able to turn updates around quickly and test them cost-effectively. They rarely have the bandwidth to go back and fix things up for older products, though, so to some extent the transition to a fully-patched Android ecosystem is going to involve waiting out the decline of older devices.

      And keep in mind that by the time a device hits the market it's already been in development for well over a year. So if OEMs got the message in 4Q2015 that they were going to need to do regular updates on future devices, it'll be 2Q2016 or so before they figure out what that means they need to change for new device planning, and then late 2017 before the new crop of devices launches, all set up for monthly update cycles. Carriers have their own retooling to do.

      This all means that the Android security team fully expects that we'll have to continue focusing on defense in depth rather than rapid patch deployment as our primary method of protecting user devices for the next few years. Luckily, the current set of techniques seems to be working astonishingly well. Much better than I would have thought.

      Once the ecosystem gets far enough down the regular-update path, mind you, it may well become reasonable for Google to mandate regular patching in the contractual relationships that provide OEMs with access to Google's apps, just as you'd like to see happen now. Given that hardly anyone is tooled up to do it right now, though, I don't think there's any way Google could impose that mandate.

  3. Re:Galaxy Nexus by rupert.applin · Score: 4, Insightful

    Yep, it wouldn't be so bad if you just had to get updates from Google and the manufacturer, but when you have to suffer the carriers wanting to put their crap into the OS as well - then you are really in trouble as they don't care a jot about 'old' devices, but would much rather sell you something new than spend money providing updates for what they have sold previously.