Analysts at the German company SRLabs, using the SnoopSnitch application installed on more than 500,000 smartphones, collected information on so-called “patch delays.” The experts concluded that security updates have begun to reach Android users faster. Update speed is important because Android OS has been recognized as the most vulnerable platform of the past year.
The time that passes between the official release of the Google patch and the addition of this patch to the firmware of smartphones from other manufacturers (OEM vendors) is called the patch delay.
SRLabs analysts calculated that it takes 38 days to distribute patches (versus 44 days in 2018).
“Although in recent years, the delays in fixes have overall decreased by 15%, these figures vary widely among different smartphone manufacturers. So, it turned out that Google, Nokia and Sony are the fastest at integrating monthly updates into their customized versions of Android, while Xiaomi, HTC and Vivo are far behind,” according to SRLabs.
Analysts write that Nokia and Google apply patches “especially fast” and often show a so-called negative update rate. The term refers to a situation in which Google provides vendors with updates one month prior to their publication on the Android Security Bulletin website.
As a result, Google, Nokia and Sony have a zero or negative patch delay value, because they begin work on upcoming security updates long before they become publicly available. This allows the companies to start distributing patches for their devices as soon as the official security bulletin is published by Google.
“Some OEMs also achieve good patch delay performance because they work with vanilla versions of Android, or have fewer device models, which simplifies the process of optimizing patches (compared to manufacturers who use highly customized versions of Android or have in their arsenal many different devices),” say the researchers.
Delays in the distribution of patches are often the fault of the vendors. For example, the illustration below shows that Xiaomi gives priority to patches for newer devices, leaving devices running Android 8 behind.
Let me remind you that in 2018 it was SRLabs experts who discovered that many large manufacturers of Android devices (including Samsung, Xiaomi, OnePlus, Sony, HTC, LG, ZTE and Huawei) only make it look as if patches are released, while in reality many bugs remain uncorrected.
Researchers now claim that this practice is a thing of the past and that most manufacturers rarely miss patches. Previously the average number of missed patches per device was 0.7; it has now decreased to 0.3. At the same time, most suppliers (with the exception of Huawei) keep the number of skipped patches below 1.
Recall that popular Android phones can be used to track users.