Shortly after the Stagefright security vulnerability was unveiled, Google announced an important change to how it delivers security updates and patches, promising that supported devices would receive security updates on a monthly basis. Devices would be supported with operating system updates for around two years after launch and would then receive security updates for another year, effectively keeping devices up to date for three years after launch. During those three years, the latest critical vulnerabilities, as identified by the Google developer team, are fixed in software updates rolled out to the device. At the time, manufacturers’ opinions were divided about Google’s new security patch promise. Some companies branded Google’s approach as unworkable and even went to the extreme length of removing the date of the security patch from the operating system. Other manufacturers, with Samsung as one example, also moved several of their devices to the same monthly patch update regime.
Last week, T-Mobile US released the latest Android patch for July 2016 for a number of Samsung smartphones: the Samsung Galaxy Note 5, Galaxy S6 Edge+, Galaxy S7 and Galaxy S7 edge. Today, Verizon Wireless has announced that it too is releasing the “latest” security patch update for the Galaxy Note 5, Galaxy S6 and Galaxy S6 Edge devices – although Verizon has not explicitly stated that these updates are for the July 2016 code. Verizon’s instructions explain that customers should connect to a reliable Wi-Fi network when downloading the software update and make sure their device’s battery is topped up when performing the update.
Although it is welcome that Verizon has updated three Samsung Galaxy devices, the vague instructions highlight one of the difficulties facing Google in its promise to deliver monthly updates. The schedule is subject to delays first from the smartphone manufacturer, which has to incorporate the changes into its software, and second at the carrier end, where individual carriers can be more or less responsive to changes. Currently, these security patches appear to undergo a testing regime similar to the one full version updates receive. Where Google’s only changes are presumably deep in the code to patch up a security vulnerability, one would hope that carrier testing is quicker, as most other aspects of the operating system have not changed. When it comes to software updates, Google still has a long, uphill struggle.