Slashdot Mirror


A Look at the Amount of Time Smartphone Vendors Have Taken To Roll out Major Android Updates To Their Handsets, and How Things Are Beginning To Improve (androidauthority.com)

Most Android smartphone vendors have been notorious for the time they take to roll out the newest Android OS updates to their respective handsets. To tackle this, Google in 2017 announced Project Treble, which bypasses some middlemen in delivering new updates to consumers. With Project Treble now supported by all Android phone makers, in theory updates should roll out to us faster than before. To test this, news blog AndroidAuthority looked at the data to see where things stand. From the report: On average, Nougat updates took about 192 days to reach key devices, while Oreo was slightly faster at 170. Android Pie updates hit devices much faster, averaging just 118 days from Google's launch to significant OEM rollout. That's a significant improvement, though we're still waiting on updates from LG and HTC, which could drag this average back up. Most manufacturers are faster at providing updates now, but a few are slower. Huawei, Samsung, and Xiaomi were noticeably quicker this time around, bringing updates to key devices before the end of 2018. OnePlus and Sony were especially fast, but they've always been speedier than most. Disappointingly, Motorola has rolled out updates to its flagship Z series slower over the last few years.

15 of 131 comments

  1. This is about Lock In by Deliveranc3 · · Score: 5, Interesting

    I wish Google still "Don't be evil."

    I had a business selling G1 (Still an excellent form factor I hope they bring it back.) and I would Root and Superuser them and install custom Roms.

    They were really amazing, the early Android modding scene had a lot of potential.
    25% better battery life.
    40% better performance.
    More customization options.
    Excellent GUIs.

    But I ramble.

    Anyway nowadays it's hard to Root and get SuperUser and I don't understand why.

    It's actually put a lifespan on Android which is sad.

    Now Android is like Facebook, constantly getting worse and losing sight of what made it better than alternatives.

    I don't want to be one of those old people who think things were better in the past, give me something to work with.

    1. Re:This is about Lock In by hawguy · · Score: 2

      Anyway nowadays it's hard to Root and get SuperUser and I don't understand why.

      Seems pretty straightforward:

      https://www.xda-developers.com...

      It's not trivial and should not be since only those that know what they are doing should root their phone.

    2. Re:This is about Lock In by swillden · · Score: 5, Informative

      Anyway nowadays it's hard to Root and get SuperUser and I don't understand why.

      This is my fault. Not only mine, not even mostly mine, but definitely my team's fault -- and I, personally, have a little of the blame. So that makes me a good person to explain.

      First, let me point out that my teammates and I have no interest in preventing you from rooting your device. None whatsoever. We are skeptical that you can make good use of root without compromising your own security, but we also believe that if you want to compromise your security, you should be free to do so!

      So, if we don't hate rooting, why have we made it hard?

      We haven't, exactly. Let me explain.

      Let's start with the bootloader. If your device has a locked bootloader (note that this is completely different from carrier locking, AKA SIM locking, which is what people usually mean when they talk about an Android device that is locked or unlocked), then you may not install your own software on it. All of the devices from Google ship with bootloaders that can be unlocked, because we think people should be able to do what they want with their devices. Most other Android device makers feel differently about this and ship bootloaders that cannot be unlocked. Some of them will sell you a "developer edition" that is unlockable.

      It's always been this way. Nexus/Pixel devices have always been unlockable, most others have not. Those G1s you were rooting almost certainly did not have unlockable bootloaders. So... how did you root them?

      You exploited vulnerabilities. There were lots of them. There was no software integrity checking, so once you exploited a vulnerability you were able to modify the system and keep it in the exploited state.

      These vulnerabilities were nice for you because they let you root. They were also nice for anyone who wanted to hack into your phone and get your personal data out. Useful to good guys, but also to bad guys. On balance, that's a bad thing.

      What we did was to fix a lot of vulnerabilities. Not all; no software system of substantial size will ever be free of vulnerabilities. Recognizing that, we built defense in depth. SELinux is a big component of this defense in depth. Today in Android it's almost unheard of to find a single vulnerability that allows the attacker to pwn the entire system. Vulnerabilities still exist, but now attackers need long exploit chains. They use one vulnerability to open a chink in a part of the system that then lets them find and exploit another vulnerability, and so on, until they finally get to the data they're trying to get, or -- better yet -- pop the kernel. Root isn't good enough any more; for free rein of the system you need to pop the kernel and disable SELinux. Today's exploit chains often use five to ten separate vulnerabilities, because less than that doesn't do you any good. Working exploit chains for major device models sell for $1M+ on black markets. That's because they're hard to find.

      In addition to that, we also added verified boot, so that every piece of the system software is validated as it's loaded. This means that once you find and exploit a long chain of vulnerabilities to get control, you can't just change the system software so that you always have it, because if you modify the system the device won't work any more. You have to re-exploit the vulnerabilities after every boot. (Note that a new class of techniques makes so-called "systemless root" possible; which gives you persistent root without changing the system. We're shutting those down, too.)

      In addition to that, we got much more aggressive about making device makers patch the vulnerabilities. So if you find a sequence of vulns that gets you control, you'd better keep it secret or it'll stop working after the next update. Oh, and we also made it basically impossible to install an older version of the software to get back to a version that had known vulnerabilities you could use.

      That's a small taste; a lot m

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
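
The verified boot and downgrade protection described in the comment above, as an added example that is not part of the original thread and is not Android's own code. It is a simplified model: HMAC stands in for the bootloader's asymmetric signature check, and every name in it (`DEVICE_KEY`, `make_image`, `verify_and_boot`) is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signing key. A real bootloader checks an
# asymmetric signature against a key it trusts; HMAC keeps the model small.
DEVICE_KEY = b"constructed-demo-key"


def make_image(payload: bytes, rollback_index: int) -> dict:
    """Build a signed image whose metadata binds payload hash and version."""
    meta = json.dumps(
        {"sha256": hashlib.sha256(payload).hexdigest(),
         "rollback_index": rollback_index},
        sort_keys=True,
    ).encode()
    sig = hmac.new(DEVICE_KEY, meta, hashlib.sha256).hexdigest()
    return {"payload": payload, "meta": meta, "sig": sig}


def verify_and_boot(image: dict, stored_index: int) -> tuple[str, int]:
    """Return (verdict, new_stored_index).

    stored_index models the minimum version kept in tamper-resistant storage.
    """
    expected = hmac.new(DEVICE_KEY, image["meta"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, image["sig"]):
        return "reject: bad signature", stored_index
    meta = json.loads(image["meta"])
    if hashlib.sha256(image["payload"]).hexdigest() != meta["sha256"]:
        # A persistent change to the system software is caught here.
        return "reject: payload modified", stored_index
    if meta["rollback_index"] < stored_index:
        # Reinstalling an older, known-vulnerable build is caught here.
        return "reject: rollback", stored_index
    # A successful boot ratchets the stored minimum forward.
    return "boot", max(stored_index, meta["rollback_index"])


def demo() -> list[str]:
    """Boot v1, update to v2, then try a downgrade and a modified v2."""
    old = make_image(b"system v1 (known-vulnerable)", rollback_index=1)
    new = make_image(b"system v2 (patched)", rollback_index=2)
    stored = 0
    results = []
    for label, img in [("v1", old), ("v2", new), ("v1 again", old)]:
        verdict, stored = verify_and_boot(img, stored)
        results.append(f"{label}: {verdict}")
    tampered = dict(new, payload=new["payload"] + b" + unauthorized change")
    verdict, stored = verify_and_boot(tampered, stored)
    results.append(f"tampered v2: {verdict}")
    return results


if __name__ == "__main__":
    print("\n".join(demo()))
```
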
    3. Re:This is about Lock In by swillden · · Score: 2

      Given your UID, I'm guessing we're probably around the same age, having grown up with early x86 machines, dos, os/2, slackware, etc.

      I suspect so. I'm 50.

      Not to go all nostalgic, but "those were the days." We were free to explore, learn, tinker, fix, and break. We could output directly to ioports and trigger interrupts as a matter of course. I learned more about what makes a computer compute as a kid with a beat up old 8086 than I have as an adult (both in University and professionally).

      Yep, but the openness of the systems isn't the only thing that has changed in the last 30-40 years. When we were tinkering, computers were rare, little-used and isolated. Now they're ubiquitous, so heavily-used they're almost a brain expansion pack and they're networked all of the time. The fact is that the vast, vast majority of computer users -- especially of mobile devices -- know absolutely nothing about how they work, and have no interest at all in learning, exploring, tinkering. They just want to read Facebook, surf porn, make phone calls, etc. They would look at the computers that you and I started on as completely and utterly useless because it took a tremendous amount of work to make them do anything.

      Another thing that has changed is the nature of the threats. 35 years ago I wrote a little terminate-stay-resident DOS program that made the characters on the screen fall into piles on the bottom. I gleefully installed this on lots of friends' and family members' computers (well, "lots" was like four; machines were rare). Later I modified it to spread itself virally, by writing itself into the boot sector of any floppy it could. I never installed that one anywhere, though. But we're long, long past the days of the casual, for-fun hacker. Today security is a serious problem. The attackers are often organized criminals, of varying but often significant sophistication. Sometimes the attackers are nation states. Military cyberwarfare groups, intelligence agencies, etc. (Aside: We'll never keep the really serious attackers out of consumer devices, but we maybe can make it hard enough that they can't scale their attacks.)

      The reason that the attackers have changed is because the way we use computers has changed. Absolutely everything is on a machine somewhere. Our mobile phones contain pretty much our whole lives: personal, financial, photographic, you name it. This puts even the average person at significant risk, mostly financial. We've seen hundreds of thousands, perhaps millions, of people scammed out of significant amounts of money by people who exploited vulnerabilities in their devices. And that's nothing compared to the risks to high-profile people, who have much more to steal.

      The total number of Android users has passed three billion, and it won't be long before it hits four. Shipping vulnerable software to damned near 50% of humanity would be unthinkable, especially in the high-threat world we live in.

      So... we do everything we can to make it secure. We fail, of course. We always will. But we fail less every year.

      (Aside: Working on Android security is particularly challenging, because we write our specs and our code, and then throw it all over the wall to the device makers, who are free to change almost anything. So we have to come up with ways to make stuff secure, and then we have to further find ways to design/build it so that it's hard for the device makers to screw up.)

      If I could beg Google for one thing, it would be to deny compliance certification (and Play Store access) to any manufacturer that doesn't provide bootloader unlock codes to their users at the point of sale.

      Now you're talking about something well above my pay grade. But I'll take a stab at it anyway. I think the reason Google doesn't do this is because carriers and device makers would Just Say No. It wouldn't take much for them to organize and set up an alternative app

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re: This is about Lock In by swillden · · Score: 2

      Why can't I get root on any android phone just by connecting it to a pc, enabling developer mode, letting the pc with adb set or deny root, or special commands like let apps of my choosing enable or disable wifi, data, gps, etc.?

      Let me tell you a story. A true one. It's not actually an answer to your question, but it points the way.

      Last year, a major Android device maker came to me and asked how I planned to fix the developer mode vulnerability. "What developer mode vulnerability?" I asked, reaching for my laptop to look up the CVE.

      They explained that in various parts of the world, especially Asia, but not only Asia, there are lots of free charging stations at bus stations, airports, coffee shops, Internet cafes, restaurants... and just about everywhere else you can think of, including public restrooms. These charging stations have a sign hanging over them with a list of instructions that people have to follow to get free charging:

      1. Go into the settings app (actual signs explain in detail how to do this on many common devices).
      2. Go into "About phone"
      3. Tap the "build number" seven times.
      4. Go into "System", tap "Developer options"
      5. Turn on "USB Debugging"
      6. Plug your phone in. When the dialog pops up asking to "Allow USB debugging", tap "OK".

      According to the device maker asking the question, if you go watch one of these locations you'll see that 95+% of people dutifully carry out all of the steps so they can charge their phone. They often don't notice the flood of malware the charging station sideloads onto their phone. This is because it doesn't do anything right away, usually not until after the next reboot plus a random delay.

      I put my laptop away and explained that we had no plans to fix the developer mode vulnerability.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Uh huh... by Desler · · Score: 4, Interesting

    With Project Treble now supported by all Android phone makers, in theory updates should roll out to us faster than before.

    This is a rather interesting edit of a sentence from the actual linked article which says:

    With Project Treble now supported by key Android flagships, in theory updates should roll out to us faster than ever before.

    msmash, you do realize that the two versions do not mean the same thing, right?

  3. Meanwhile... by Anubis+IV · · Score: 4, Insightful

    Look, it’s great that updates are available sooner on “key devices”, but the fact that this is being cited as something praiseworthy is rather indicative of how broken the situation remains. It took 192 days on average for Nougat to even become available on a subset of devices. 170 for Oreo. 118 for Pie. Meanwhile, iOS has always taken 0 days: it was available to all compatible devices immediately upon its release.

    And availability is just half the problem. If availability is staggered, you have a harder time encouraging people to update (or even making them aware of the update), which hampers the deployment rate. Improving the speed of deployment needs to be the end goal. Improving availability is just a necessary step towards clearing hurdles that are in the way.

    1. Re:Meanwhile... by alvinrod · · Score: 4, Interesting

      I think that you're leaving out something even more important which is that for a lot of devices, the update will never be made available nor are there even any plans to make it available that only end up getting canceled. At some point all hardware hits end of life, but for a lot of Android phones that's artificially lower than it should be.

      But on the flip side, I don't think you get to 0 without having the same kind of control that Apple exhibits, and I'm not sure that's something that would be good for Android. If you're careful with your own personal choice of which device to buy, you can get that immediate availability for yourself. It may require extra effort on your part, but that's the cost of the greater freedom that Android affords.

    2. Re: Meanwhile... by cyber-vandal · · Score: 4, Insightful

      The price you pay for "freedom" is being constantly vulnerable unless you buy a new flagship phone every year plus having Google spying on you constantly. Both options in the smartphone market are shit but I'll go with the one that's still getting updates after 5 years. There are no Android phones that have that option.

    3. Re:Meanwhile... by Solandri · · Score: 2, Interesting

      But on the flip side, I don't think you get to 0 without having the same kind of control that Apple exhibits,

      Technically, Apple's iOS releases are not available on their phones in 0 days.

      • Apple's software guys are happy with all the feature changes they want to make to iOS. This is analogous to Google making a new version of Android available.
      • Apple then tests it internally on their current, upcoming, and older phones to make sure everything still works. If something doesn't work, the software guys have to tweak it further, test it on all models again, repeat. Until it's finally ready to be released to all users. This is analogous to the Android version being rolled out to the different phones.

      So the difference is that in Apple's case, the lag between software feature freeze and end of hardware testing is internal and hidden from the public. In Android's case, the lag is public, making people antsy about a "delay" which really is nonexistent. Android rollouts are "slower than iOS" only if you use different ways of measuring how long a rollout takes for the two OSes.

      In other words, if Google did it Apple's way, they would not release the new version of Android on their AOSP servers the moment their software guys were finished with it. They would send it in secret to all their OEM vendors, then OEM vendors would work to modify it to make it compatible with all their devices. All OEMs would be embargoed from releasing the new version of Android until the last OEM finished their testing and had it ready for their phones. Then there would be a simultaneous rollout of The New Version of Android across all devices and on the AOSP servers on "day 0".

      So really, those graphs in TFA should be inverted, with the last OEM to release each Android version set at zero. And the bars for the other OEMs indicating how many days before day 0 you got the new Android version on your device, because your vendor managed to finish modifying and testing that Android version before what would've been day 0 in Apple's case.

    4. Re: Meanwhile... by Desler · · Score: 3, Informative

      BS. The last major OS version for the S5 that was officially released by Samsung was Android 6.0.1 which was released by Google 3.5 years ago. So you're either falsely conflating security updates with OS upgrades (you know, the topic of the submission) or you're using a third-party ROM when this whole topic is about first-party support.

  4. Samsung is bad... by Ecuador · · Score: 2

    The Galaxy S3 was my last Samsung "flagship". Not only was it stupidly expensive for what it was, but the updates were slow to come and they seemed to leave the phone worse-off. I'm now settled with the Xiaomi Mi Mix line (switched from the cheaper but almost as good Mi line partly because of supporting T-Mobile LTE when I travel to the US), cheaper, better in most respects and updates don't leave the phone worse off. And according to TFA the updates come quicker too, although if that was my main concern I'd probably be looking at Android One phones or something like that...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  5. Re:Um... by LynnwoodRooster · · Score: 4, Insightful

    Two billion Android devices and 3.5 billion searches a day. You're right - no one uses Google services. No one. Sad.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  6. Re: Um... by LynnwoodRooster · · Score: 2

    Are there alternatives to Android and Google tools? Yes? Then perhaps billions of people use them because they generally work well.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  7. Re:Android update? by arglebargle_xiv · · Score: 2

    Same here. Android phones get updates? The only way I've seen to update an Android phone is to throw it away and buy a new one.

    There's also a marked difference between "is an update available" and "is it possible to update it". Some phones, and I'm thinking specifically of Samsung's J series, are so desperately crippled that if you install anything more than a weather app on them there's no room to perform updates. So even if you could, in theory, update them, you can't actually do so in practice.