Android Security Updates: An Important Element of Device Hygiene That Device Makers Often Miss

Consumers store more personal data on smartphones than on any other device, but many are unaware of how risky this can be. Few consumers in our research mention regular security updates as a highly desirable feature. This may be because consumers assume that their smartphones will be updated, or because they don’t understand the implications of poor security. Or maybe it’s because attacks are relatively rare, although they can be highly disruptive when they do occur. Google issues regular Android security bulletins covering the security updates that fix possible security issues affecting devices running Android. Hence, updating devices regularly is one of the most important ways to keep them secure.

Most of these vulnerabilities fall into the categories of remote code execution, denial of service, and information disclosure. For example, Google has confirmed that it is fixing 193 Android security vulnerabilities with its Android 10 release through a default Android 10 patch. In the September Android security bulletin, Google fixed more than 50 Android vulnerabilities, including two critical ones, while 12 were categorized as “high severity”. As per Google, one of the critical vulnerabilities, in the media framework component, could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. This is just one example of how issuing regular security updates helps end consumers mitigate security-related risks on their Android devices.

Google is addressing security and privacy-related risks through various other steps. These initiatives include Project Treble and strengthening device partner agreements with mandated security updates, the most recent being Project Mainline. Project Mainline aims to bring more security updates to users faster than ever before, and Google is working closely with device manufacturers to ensure its smooth execution. Currently, very few device makers are doing a good job of issuing regular security updates, even though Android partners are notified of all security vulnerability issues at least a month before publication.

As per our recent whitepaper, “Software and Security Updates: The Missing Link for Smartphones”, among the top 10 smartphone makers, Nokia issues regular monthly security patches across its entire portfolio. Nokia is closely followed by Lenovo, which issues monthly security patches to most of its active models. Other leading brands, including Xiaomi, Huawei, OPPO, Samsung, and Vivo, tend to issue security updates only quarterly. If we analyze further by price tier, the trend is similar to that of operating system updates: the sub-US$200 segment has the fewest security updates, while premium smartphones fare better in getting regular updates.

Exhibit 1: Security Patch Frequency Share for Top 10 Manufacturers

Source: Counterpoint Research White Paper: “Software and Security Updates: The Missing Link for Smartphones”
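The monthly-versus-quarterly cadence described above can be checked on real devices: Android exposes the installed patch level as the `ro.build.version.security_patch` system property in `YYYY-MM-DD` form, matching the bulletin dates. The following is an added example, not code from the whitepaper or from Google; the device inventory is constructed, and the one-month/three-month thresholds are assumptions that mirror the monthly and quarterly patterns discussed on this page.

```python
"""Audit Android security patch levels against the monthly bulletin cadence."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory: (device label, value of ro.build.version.security_patch
# as returned by `adb shell getprop ro.build.version.security_patch`).
SAMPLE_FLEET: List[Tuple[str, str]] = [
    ("device-a", "2019-10-05"),   # patched this month
    ("device-b", "2019-09-01"),   # one bulletin behind
    ("device-c", "2019-08-01"),   # two bulletins behind, typical of a quarterly cadence
    ("device-d", "2019-04-01"),   # six bulletins behind
    ("device-e", ""),             # property missing or unreadable
]


def parse_patch_level(value: str) -> Optional[date]:
    """Parse the YYYY-MM-DD patch level string; None if it is absent or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def months_behind(patch_level: date, today: date) -> int:
    """Whole calendar months between the installed patch level and today.

    Bulletins are published monthly, so each month of lag is roughly one missed bulletin.
    """
    return (today.year - patch_level.year) * 12 + (today.month - patch_level.month)


def classify(value: str, today: date) -> str:
    """Bucket a patch level string by how many bulletins it lags (thresholds are assumptions)."""
    patch_level = parse_patch_level(value)
    if patch_level is None:
        return "unknown"
    lag = months_behind(patch_level, today)
    if lag <= 1:
        return "current"      # within the monthly cadence
    if lag <= 3:
        return "quarterly"    # consistent with a quarterly update schedule
    return "stale"            # missed more than a quarter's worth of bulletins


def audit(fleet: List[Tuple[str, str]], today: date) -> Dict[str, str]:
    """Classify every device in the inventory."""
    return {name: classify(level, today) for name, level in fleet}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_FLEET, date(2019, 10, 20)).items():
        print(f"{name:10} {status}")
```

Devices reporting `stale` or `unknown` are the ones whose makers are not delivering the bulletins on time, and are where the remote code execution fixes described above have not yet landed.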

To conclude, we believe that while issuing regular software and security updates is important, notifying users is equally important. This should be undertaken widely – for example, on websites and via social media. Consumers are keeping their smartphones for longer, and they tend to spend a little more when they do buy a new device. The average time consumers keep a flagship smartphone before buying a new device has been gradually extending; in markets as diverse as China, Europe, and the US, it is now approaching 30 months. Clearly, keeping the software and security up to date is important to ensure consumers continue to enjoy good performance and security throughout their ownership.