The Android Security Bulletin for January 2019 contains a range of key security fixes for Pixel devices, but it seems that this time, all of the Nexus devices have finally been left in the dust. The Nexus 5X and 6P, from LG and Huawei respectively, were the final stragglers, and the latest factory images for them are Android Oreo-based packages from December. This means that security updates for all Nexus products have officially stopped, and no Nexus will ever run Android Pie through official means. Those in the Pixel camp, meanwhile, will be able to load up this latest update via factory image or OTA, depending on how proficient and how patient they are, all the way back to the OG Pixel lineup from 2016. The Pixel C stands as something of an exception; it’s still receiving security updates, but it’s stuck on Android Oreo, presumably for good.
Background: This time around, Pixel owners can look forward to a grand total of 27 security patches, including 6 that pertain specifically to Qualcomm components, and 1 that only owners of NVIDIA devices like the NVIDIA Shield or Pixel C have to worry about. Of the vulnerabilities that affect everybody, only one is considered critical. That particular fix patches up a security hole that allows attackers to use a specially made file to start up a privileged process on a device, elevating privileges all the way to the root level and messing around with the device as they see fit. They would first have to get the file onto the device through either physical or user-approved means, but it could be used remotely. Additionally, a high-severity vulnerability was patched that allowed attackers to get additional permissions for their apps without users’ express consent, a situation that has been shown to be potentially disastrous. As an aside, the Pixel 3 and Pixel 3 XL version of the patch also includes a functionality tweak that improves the audio quality of recorded videos, and two kernel-level security fixes that patch up security holes that exist beneath the OS and only affect those two devices.
Impact: While those who still rock a Nexus device, or had one at some point, are free to take a moment to mourn, the largest impact of this patch arguably lies with Google putting a stop to apps that want to get more permissions than users know about. From now on, apps will have to ask for each and every permission that they want, and that means that it will be a lot harder for apps to do shady things in the background without users’ knowledge, such as committing ad fraud or sending users’ data to places that they don’t want it to go. Since Google doesn’t individually screen each app in the Play Store like Apple does for its App Store, this is a key patch for everyday users that does away with a major attack method that’s been used in various capacities since the dawn of Android, making it a much safer OS overall.