Mere hours after Samsung shared plans to issue over-the-air (OTA) security updates “about once per month” for its Android devices, Google has announced pretty much the same strategy. Starting this week, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates.
Just like Samsung, Google didn’t explicitly say why the new Android security update process is being unveiled now, but it did mention Stagefright, a vulnerability disclosed last week that affected roughly 95 percent of Android devices. In short, the security hole could allow a hacker to remotely access an Android smartphone using only a person’s telephone number, and potentially without the owner knowing.
The first Nexus security update is rolling out today for Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. Google says it contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the aforementioned Stagefright vulnerability. Google also promises to release the same security patches to the public via the Android Open Source Project (AOSP).
Google’s support for Nexus devices remains unchanged: Devices will continue to receive major updates for at least two years. That said, the company is promising Nexus devices will get security patches “for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store.”
Last month, Google expanded its security rewards to the latest available Android versions for Nexus devices available in the U.S. Google Store. That meant just the Nexus 6 and the Nexus 9, so it’s great to see that the company’s security update announcement today encompasses all recent Nexus devices.
Google also cited its favorite statistic for Android security: Fewer than 0.15 percent of devices have a potentially harmful app installed (read: malware), as long as all apps are installed from Google Play. Unfortunately, the app store is not available in all countries, so not all Android users can simply be told to get all their apps from Google Play.
Nonetheless, Google’s move today is a big deal. Security updates need to be delivered immediately, and definitely should not be blocked or delayed by carriers. A monthly update isn’t exactly timely, but it’s a huge improvement from the previous system, where users simply didn’t know when their device would be patched.
Samsung, the largest Android device maker, starting basically the same practice today is no coincidence. We expect Google will try to convince its other partners to follow suit.