Google has spent the past year working with third-party manufacturers and phone carriers to improve its update system for Android, which is often criticized for not being fast enough to protect users from known vulnerabilities. And while Google says it has made some progress in this area — Android issued security updates to 735 million devices from more than 200 manufacturers in 2016 — about half of Android users still aren’t receiving important security patches.
“There is still a lot of work to do to protect all Android users: about half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Android security leads Adrian Ludwig and Melinda Miller wrote in a year-in-review post. Android issued monthly security updates during that time frame.
When phone makers discover vulnerabilities in their products — either through external reports from security researchers or through internal audits — it kicks off a race to patch the problem before it’s widely exploited. But in the Android ecosystem, which includes hundreds of carriers and manufacturers, pushing those updates out to every user is a complex process.
While Google-manufactured Pixel and Nexus phones and tablets receive automatic updates, hundreds of manufacturers that run Android on their devices don’t push security updates to their customers immediately. This practice can leave customers waiting for months to get updates, and their devices are vulnerable in the meantime.
Ludwig told TechCrunch that, by working with carriers and manufacturers, Google has been able to cut the wait time for security updates from between six and nine weeks to just a few days. “In North America, just over 78 percent of flagship devices were current with the security update at the end of 2016,” he explained. “It’s a good number in terms of the progress that it represents. We think we can do better.”