AndroShots

How do regular Android updates work?

While we’ve long since become accustomed to regular updates and patches for the Windows operating system and take them for granted, Android phone updates are still widely misunderstood. For many users, downloading, installing, rebooting and waiting for the system to come back up feels like a complete waste of time. Even so, you shouldn’t put off system updates, and that goes double for security updates.

Every month, Google releases security updates that fix newly discovered bugs, security holes and vulnerabilities. And because new security issues keep appearing, this is a long-term effort, but one that needs the cooperation of users themselves.

Android Security Bulletin

On the first Monday of every month, Google publishes a new security update, called the Android Security Bulletin, on its website. If that Monday falls on a holiday or weekend, the bulletin is published on the next business day. The bulletin is split into two patch levels, which lets manufacturers quickly deploy fixes for vulnerabilities that are shared across multiple device types. Both variants are released on the same day. The variant whose patch level ends in 01 fixes the Android Framework but does not include third-party or kernel patches. The variant ending in 05 adds patches for third-party closed-source components, such as Wi-Fi or Bluetooth controllers; of course, it also includes all the fixes from the 01 variant.

Manufacturers’ stock firmware makes no visible distinction between the two patch levels, but if you use a custom ROM (e.g. LineageOS), you can see both the platform patch level and the component vendor (aka Vendor) patch level.

The Android Security Bulletin includes fixes for vulnerabilities that Google refers to by their CVE (Common Vulnerabilities and Exposures) identifiers. When a vulnerability is found in Android, it is given a unique label made up of the year the bug was discovered and a four- to five-digit number, for example CVE-2022-20081.
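The two patch-level variants and the CVE label format described above, as a small added check that is not part of the original post: the script classifies a device’s reported security patch level (assumed to be read from the `ro.build.version.security_patch` system property, which the page does not mention) and flags devices in a constructed inventory that are more than a chosen number of monthly bulletins behind.

```python
import re
from datetime import date

# A security patch level is a date string, e.g. "2022-03-05"; on a device it is
# read with `adb shell getprop ro.build.version.security_patch` (assumption:
# property name is real Android, not taken from the article).
PATCH_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(01|05)$")
# CVE labels: "CVE-" + year + at least four digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def describe_patch_level(level: str) -> dict:
    """Split a patch level into year, month and which bulletin variant it is:
    ...-01 covers the Android Framework only, ...-05 also covers vendor/kernel."""
    m = PATCH_LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"not a monthly bulletin patch level: {level!r}")
    year, month, day = (int(g) for g in m.groups())
    return {"year": year, "month": month, "includes_vendor_patches": day == 5}


def months_behind(level: str, today: str) -> int:
    """Number of monthly bulletins between the device's level and `today`
    (an ISO date string such as "2022-03-07")."""
    info = describe_patch_level(level)
    now = date.fromisoformat(today)
    return (now.year - info["year"]) * 12 + (now.month - info["month"])


def is_cve_id(label: str) -> bool:
    """True if `label` has the CVE-YYYY-NNNN(+) shape used in the bulletin."""
    return CVE_RE.fullmatch(label) is not None


# Constructed sample inventory (device name -> reported patch level).
SAMPLE_DEVICES = {
    "phone-a": "2022-03-05",  # full patch level, current month
    "phone-b": "2022-03-01",  # framework-only level, current month
    "phone-c": "2021-09-05",  # six bulletins behind
}


def stale_devices(inventory: dict, today: str, max_months: int = 2) -> list:
    """Names of devices whose patch level is older than `max_months` bulletins."""
    return sorted(n for n, lvl in inventory.items() if months_behind(lvl, today) > max_months)


if __name__ == "__main__":
    for name, lvl in SAMPLE_DEVICES.items():
        print(name, describe_patch_level(lvl), "behind:", months_behind(lvl, "2022-03-07"))
    print("stale:", stale_devices(SAMPLE_DEVICES, "2022-03-07"))
```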

Mobile manufacturers learn about a patch at least a month (often more) before it is published in the Bulletin, so they can prepare the security update. However, this applies only to major brands with the “Android Partner” designation; smaller manufacturers receive no advance notice. This is also why the Bulletin describes only vulnerabilities that have already been fixed, and only in a cursory manner, so that a potential attacker does not learn how to exploit the security hole on phones that have not yet been updated.

However, it doesn’t end with Google releasing a monthly security update. Although manufacturers receive the security updates ahead of time, they usually have their own patches to include alongside them, most often for bugs and flaws in their own graphical superstructures (UI skins). For each vulnerability, Google lists the type of potential exploit, its severity and the AOSP versions to which the patch applies. Manufacturers, in turn, specify for their own patches which version of their superstructure each patch applies to.

Pixels have their own Bulletin

As soon as the manufacturers are done, the patch is ready to be installed on end devices. But because security updates are complex, the deployment interval varies from brand to brand and model to model. Generally speaking, more expensive Android phones receive more security updates, and receive them more frequently, than cheaper devices. Over time, though, even former top models see their update pace gradually slow down.

Cheaper devices may receive security updates every two months, every quarter or every half year, or simply “regularly”, so patches do arrive, but with a longer lag. Updates may also be delivered irregularly, and for older phones you can forget about them altogether. Always check your smartphone manufacturer’s current update policy.

Violet R.
