Android security in 2016 is a mess.

Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

Between 1.3 and 1.4 billion Google Android phones in March of 2016. Click image for source.

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US. It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

I am only running Android 6 because I took the step of flashing the official KDZ image (V30a-ZAF-XX) myself, which consumers would normally not do. Even so, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)
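As an added example (not code from the post, Google or any phone vendor), the following POSIX shell script reads the same security patch level from a connected device via `adb` and reports how many months it lags a reference bulletin; `adb` being on the PATH, an authorised device, and the chosen reference dates are assumptions.

```shell
#!/bin/sh
# Added example for this post (not from Google, LG or any vendor): read the
# security patch level Android exposes as ro.build.version.security_patch
# (the same value shown under Settings | About phone | Software info) and
# report how many months it lags a reference bulletin. The property only
# exists from Android 6.0 on; Android 5.x builds expose nothing, which is
# why a 5.0 phone gives no hint of how far behind it is.

# Turn YYYY-MM-DD into the integer YYYYMMDD; prints nothing for anything else.
iso_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 0 ;;
    esac
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s%s%s\n' "$y" "$m" "$d"
}

# Whole months between a device patch level and a reference bulletin date
# (days are ignored: 2016-03-01 vs 2016-09-06 is 6 months). Prints "unknown"
# when the level is missing or malformed.
patch_lag_months() {
    level="$1"; ref="$2"
    if [ -z "$(iso_to_int "$level")" ] || [ -z "$(iso_to_int "$ref")" ]; then
        echo "unknown"; return 0
    fi
    ly=${level%%-*}; lrest=${level#*-}; lm=${lrest%%-*}
    ry=${ref%%-*};   rrest=${ref#*-};   rmon=${rrest%%-*}
    lm=${lm#0}; rmon=${rmon#0}   # "08"/"09" would otherwise be read as octal
    echo $(( (ry - ly) * 12 + (rmon - lm) ))
}

# "ok" when the device is at or past the required level, "behind" when it is
# not, "unknown" when no level is exposed. Comparing the full date matters:
# 2016-11-05 and 2016-11-06 are different levels (only the latter includes
# the Dirty COW fix discussed in the comments).
patch_level_status() {
    lnum=$(iso_to_int "$1"); rnum=$(iso_to_int "$2")
    if [ -z "$lnum" ] || [ -z "$rnum" ]; then
        echo "unknown"
    elif [ "$lnum" -ge "$rnum" ]; then
        echo "ok"
    else
        echo "behind"
    fi
}

# Ask a connected device (assumes adb on PATH and USB debugging authorised).
check_device() {
    required="$1"
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    printf 'patch level: %s\nstatus vs %s: %s\nlag: %s month(s)\n' \
        "${level:-<not exposed>}" "$required" \
        "$(patch_level_status "$level" "$required")" \
        "$(patch_lag_months "$level" "$required")"
}

# Usage: sh patchlevel.sh --device 2016-11-06
if [ "${1:-}" = "--device" ]; then
    check_device "${2:-2016-11-06}"
fi
```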

Before you think six months’ lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)

A scary little aside

I just tried Check Point Labs’ QuadRooter Scanner app on my “updated” LG G3, and this is what I saw:

LG G3 with Marshmallow and Android security patch level 2016-03 is vulnerable to QuadRooter.

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or already has been) rooted and pillaged by any old innocent-looking app, although I keep mostly to the official Play Market, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that there are a great many Android phone vendors, making everything from absolute entry-level phones to top-of-the-line flagships, who have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

Buy an iPhone. No really.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, Apple already then made better choices about how exactly different files are encrypted, whereas Android implemented full-disk encryption, which is not the right choice for the smartphone use case. In Nougat, Android has finally also changed to file-based encryption, but it is missing important parts of the puzzle. The phone encryption blog post I link to is insightful; please take a look.

Stick with Android Pixel or Nexus.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base, actually of the smartphone-using world, are stuck with insecure, vulnerable phones. This is not cool.

Consider installing a custom ROM.

Installing a custom ROM such as CyanogenMod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support for proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Update: David Metcalfe pointed out in the comments that you can buy a secure Android phone from Copperhead. If you are in the US or Canada, and you have some budget, you could buy the LG Nexus 5X or the Huawei Nexus 6P with CopperheadOS pre-installed. It’s great that this is available, but due to price and geography it is not really accessible to most Android users.

Keep manufacturers honest.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

Addendum: Android phones with acceptable security update records

Blackberry PRIV, DTEK50 and DTEK60

lobste.rs user jabberwock tipped me off to the fact that BlackBerry’s Android phones get monthly security updates. Read more at CrackBerry and in the BlackBerry Android security bulletin for November: it looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV.

35 thoughts on “Android security in 2016 is a mess.”

  1. Nice to bring such important information to the public. Most people think only of the short term when buying a new phone and forget the aspect of how the manufacturer will update this phone in the future.
    I own a Xiaomi phone, which is pretty rare here in Europe. I get weekly updates on it. Every Friday. So I don’t really know how many of these updates fix security issues. Most improvements are tweaks and design updates. But still I am very happy and wouldn’t want to change back to Samsung.
    So I don’t know if your example of Xiaomi is valid.

    1. Hi there Francy, thanks for stopping by!

      Which Xiaomi do you have? Could you perhaps check the “android security patch level”? (settings -> general -> about phone | software info).

      This is a bit worrisome: http://thehackernews.com/2016/09/xiaomi-android-backdoor.html — looks like Xiaomi phones talk to the mothership without your knowledge.

      Besides this, I have not been able to find an official Xiaomi security update policy. I would be very interested in knowing, because the Xiaomi phones are easily available down here on the tip of Africa. :)

      1. Here’s my security patch level (December); the ROM itself is a mod of the official beta ROM released on Nov 24th: https://1drv.ms/i/s!Ap-NvVhi7caBgYJfAgc3jN0fVNOWhg

        I also failed to find their official statement of policy, just broken English posts on their forum written by a ‘moderator’ (could be a random dude not related to Xiaomi for all we know).

        The ‘stable’ (not that stable, really) update schedule is monthly, while the weekly update is the beta channel. Agreed with the backdoor risk: the standard China ROM is riddled with China-only apps, so non-Chinese users either use the global ROM (that still has China-only apps) or move to a custom ROM altogether (like Xiaomi.eu, put together by yet another random dude in Eastern Europe). My ROM is yet another modification of the Xiaomi.eu one. Oh, and even sellers love to put on modified ROMs to add local languages (and adware). For all we know someone in the chain could have added malware to send every picture to a Russian server.

        So do I get the monthly security patch? Yes, at least in the beta channel (I never used the stable channel for an extended period). Do users need to jump through various hoops just to get a phone free of useless apps? Yes they do, to the point that I believe it’s actually cheaper to just get a Motorola than to get a Xiaomi and then spend weeks just figuring out how to get a usable phone.

    1. OnePlus started updating (at least) the OnePlus X monthly with Android’s security patches. And since the OnePlus X costs ~250€ it might be another worthwhile budget option. I don’t know about their update policy for the 3(T).

      My unrooted stock OPX is now on Android 6.0.1 November security patch level, which I received at the end of October.

    1. Remind me again why you were misrepresenting CopperheadOS which is on Android 7 while talking about WebKit issues of Android 4.4? (Likewise for Bionic which is actually pretty good and libstagefright which doesn’t even exist anymore in 7).

  2. Copperhead isn’t just a ROM. It’s a phone you can buy. Why not recommend it? It’s the best option available. Unlike iPhone, it’s still mostly open source (auditable security), although Google could free up more.

    We should get behind & help people like Copperhead (Daniel Micay), who are doing something to improve things!

    1. Do you mean the Nexus phones that they are selling with CopperheadOS?

      Whatever the case may be, it’s a great and commendable effort. I agree that it’s taking important steps in the right direction, but to help the hundreds of millions of Android users who are not able to acquire or even afford a phone such as the Copperhead Nexus, another solution is required. (Heck, in theory I might be able to afford a Copperhead, but getting one down here on the tip of Africa is not going to be easy.)

        1. Yes, there are huge problems with security becoming a luxury. Apple unfortunately isn’t cheap either. (Neither are BlackBerries, which aren’t as secure as Copperhead.)

        Google certainly needs to up its game, but instead (with Pixel), it’s heading in the opposite direction and trying to replicate Apple.

          The shipping is an issue recognised by Copperhead. Google make it unaffordable for them to do much else. Their main game plan is to get OEMs to adopt it, which sounds like it’s in progress. Personally, I needed a handset in a hurry to replace a broken one, so I picked up a Nexus 6P locally, installed the ROM (which was a very well documented and surprisingly easy process), then made a donation to the project in lieu of the handset purchase.

        1. Thanks for all the useful info!

          Once you have CopperheadOS on your phone, does it get OTA updates? In other words, is the process of keeping up to date then just as transparent as when you buy a main-stream unlocked phone from a good manufacturer?

          1. Yes, it gets OTA updates. Most importantly – unlike every other custom ROM – they’re signed updates and maintain support for signed & verified boot. Verified boot is a fairly critical feature if you want to ensure system integrity (e.g. that malware etc. hasn’t modified system libraries).

            CopperheadOS checks for OTA update availability once a day by default.

            You’ll also often get advanced patches that are in AOSP Master or fix branches, but delayed or not released in monthly “Android security patch level” (e.g. there’s currently 4, including a fix for DirtyCow, that was released with 24-hours of the bug being public, while Google *STILL* haven’t released a patch for it on their own devices, let alone downstream vendors).

            I’ve just seen tickets indicating that incremental OTA update functionality (deltas) has now been completed. You already automatically get notified when updates are available, but it’s been tap notification to download, tap again to install & reboot (seamless). Automatic background download of updates, without triggering it, is coming (on/off/wifi-only). Automatic install of those downloaded updates is planned too, known to be a high-priority and tagged as a “Release” requirement (e.g. either forced reboot within 72, or online updates without reboot for newer devices such as Pixel that would support it). AFAIK, no work has started on Pixel support yet, as no one has funded a pair of devices & builds for it to start on (and they’ve given up on running crowdfunding campaigns after past experience).

            Probably the biggest issues with updates are when Google release a major new version, like Nougat, and then stop releasing security patches for the previous version. There’s a *LOT* of security fixes/improvements that CopperheadOS make, that Google won’t/haven’t merged into upstream AOSP, e.g. because they won’t take a few percent hit to performance, 10-100’s of ms latency of app startup, or 10MB overhead on processes – because security is lower priority to them. CopperheadOS always had the position that they WANT Google to upstream their fixes. Many just don’t happen though.

            Here are examples of the things still to be re-added again since the Nougat move: https://github.com/copperhead/bugtracker/issues?q=is%3Aissue+is%3Aopen+label%3Anougat-port

            The other major issue, and a problem for all of Android, is that Google’s giving OEMs massively long notice of open security bugs, that Copperhead frequently doesn’t find out about until the day they’re made public. There’s always risk of those leaking from OEMs (and surely do to most governments around the world with any basic intel capabilities for example).

            There’s also concern about the number of non-paying users, as it costs money to provide infrastructure for example. Financial support of the CopperheadOS project has been a major issue. Even open source developers need food and shelter & the guy behind it deserves much more after working on it full-time for years. Most importantly, the project needs contributors too (so e.g., releasing patches on-time don’t cause total burnout). I’m very reluctant to tell anyone to install the custom ROM, without buying a handset, because more users has often just meant more free support that some (too many) people expect. It’s not scalable/sustainable as is. The net result has been that the license was very recently (and very reluctantly) changed to not allowing commercial reuse of the code without agreement (e.g. by other distros who were selling it for profit, without giving anything back). Hopefully that change will lead to some funding and project survival.

            Lastly, there’s risks of AOSP being hollowed out and more code moving into closed-source Google Play. CopperheadOS seem to be the only ones who are seriously working on getting AOSP to pass the Android Compatibility Test Suite (and fixing a lot of bugs in the process to do so). Technically, because Android Open Source Project doesn’t fully pass the CTS, Google can’t even call AOSP “Android” if they followed their own terms.

            Google have started breaking things in AOSP too, because they’re no longer testing on it. (Latest example was Text to Speech in Nougat. So, e.g. GPS navigation wasn’t possible with AOSP based builds). It’s basically a load of anti-competitive BS, where Google pretends to courts that Android is open source (and puts out utter BS like this: https://blog.google/topics/google-europe/android-choice-competition-response-europe/amp/), while it’s being actively hostile to open source builds.

            It’s a very sad thing. As the world moves more to these mobile OS’s, end users are losing complete autonomy over their own information, with loss of control of their systems (with the slow death of open source) and have no idea what they’re even losing.

            So much for “Trust, But Verify” being a basic and fundamental security principle huh!

            Reality is – these big vendors are not only becoming more powerful than governments now (and will only continue to grow in power without extreme antitrust intervention – which is unlikely given how tightly they’re integrated) – but they’re also becoming “too big to fail”. We’ve seen how “too big to fail” worked out during the Global Financial Crisis. But IT collapses would be even worse – particularly if your remaining duopoly becomes a total monopoly.

            Information is *deeply* integrated into our modern lives, and will only continue to be more so, in ways most people can barely imagine yet. The way things are going – democracy, individual freedom, etc. basically will end up dying with our loss of controls over our own information, communication privacy, etc. (Note – all these efforts at communication security like Signal Messenger etc are totally meaningless in the face of endpoints that are totally insecure & backdoored too).

    2. Copperhead has one specific flaw, and several inherited flaws.

      Copperhead does not include access to the Google Play store. This means (not only) that it can’t install apps directly from Google Play, but installed apps also cannot use Google Mobile Services. A number of popular apps require GMS, leading to a big disadvantage for Copperhead.

      Since Copperhead cannot access Play, it can’t update WebKit/WebCore, so any apps that use the bundled /system/lib/libwebcore.so cannot be trusted. This includes most 3rd-party browsers, and otherwise any app that renders HTML without including their own rendering engine. Maybe you can side-load Amazon to get webcore updates (I haven’t tried it).

      Copperhead inherits Android Zygote, which loads /system/lib/libstagefright.so as root while booting. The Zygote process lives forever and forks your apps. StageFright is a security disaster that got 115 patches in 2015 and should never have been implemented as a privileged process. Copperhead can’t fix OS fundamentals like StageFright (and perhaps Bionic).

      I haven’t really looked at Copperhead other than a brief glimpse months ago at their specs. I know they implemented grsecurity, stack smashing protection, and they likely turned on -D_FORTIFY_SOURCE. These are great steps, but they can’t fix an architecture that is fundamentally flawed.

      1. Hi Charlie,

        Lack of Google Play is a feature not a flaw, if you’re concerned about privacy & security. If you can’t live without Play on Copperhead, you can build it in: https://blog.torproject.org/blog/mission-improbable-hardening-android-security-and-privacy.

        Do you really want Play phoning home in the background all the time though? Reporting your location back to Google every time you grant Location to any app, etc.? Chewing battery needlessly, reporting back every app you run, etc.

        Your info about WebKit on Copperhead seems out of date? Copperhead builds its own WebView & Chromium directly from source and includes a bunch of hardening and security improvements: https://copperhead.co/android/docs/technical_overview#chromium–webview.

        They’re not tied to Android’s release cycle and regularly promptly release patches, often well before Google does.

        Mediaserver/StageFright was completely overhauled in Android N (https://android-developers.blogspot.com.au/2016/05/hardening-media-stack.html#containment). Split up and sandboxed with “-fsanitize=integer” enabled, etc. Meanwhile, Apple’s just had a drive-by JPEG parsing remote-exec hole in CoreGraphics too.

        iOS certainly has some excellent security features, but also has fundamental flaws of its own. Like iCloud getting copies of most of what you do, metadata on every phone call you make, etc. It’s all a completely blackbox architecture. Not even AOSP’s 100% open source now, even on Nexus/Pixel devices – but it’s way more open than Apple will ever be. You’re basically just hoping and praying that iOS isn’t full of backdoors & privacy invasion (which it is), because there’s nothing you can check. Also, *everything* on your phone is entirely subject to Apple’s whims.

      2. > Copperhead does not include access to the Google Play store. This means (not only) that it can’t install apps directly from Google Play, but installed apps also cannot use Google Mobile Services. A number of popular apps require GMS, leading to a big disadvantage for Copperhead.

        There are advantages and disadvantages to shipping Google Play Services. It’s far from being the one-sided issue that you present. CopperheadOS itself includes F-Droid rather than the Play Store, which you’re leaving out here. Copperhead partners can choose to ship Google Play Services including the Play Store on top of CopperheadOS. Play Services is incompatible with the privacy and security goals of CopperheadOS itself but that doesn’t mean that it can’t be used on top of it. It works fine.

        > Since Copperhead cannot access Play, it can’t update WebKit/WebCore, so any apps that use the bundled /system/lib/libwebcore.so cannot be trusted. This includes most 3rd-party browsers, and otherwise any app that renders HTML without including their own rendering engine. Maybe you can side-load Amazon to get webcore updates (I haven’t tried it).

        That’s completely untrue. The WebView is updated by CopperheadOS via OS updates and we can ship updates for it via F-Droid too. It makes more sense to do the updates via the OS so that they’re still present after a factory reset or in safe mode and so that the Java code can be shipped preoptimized rather than the work needing to be done again and again.

        There is no /system/lib/libwebcore.so anyway. The WebView has been built from the Chromium source tree and shipped as an app since before CopperheadOS existed. Even if the WebKit-based WebView still existed, I don’t understand why you would think that we would need Google or Amazon to update it. It makes no sense. If the code was internal to Google, Amazon couldn’t update it. The claim you’re making wouldn’t be at all true even if the WebKit-based WebView was still around.

        > Copperhead inherits Android Zygote, which loads /system/lib/libstagefright.so as root while booting. The Zygote process lives forever and forks your apps. StageFright is a security disaster that got 115 patches in 2015 and should never have been implemented as a privileged process. Copperhead can’t fix OS fundamentals like StageFright (and perhaps Bionic).

        The Zygote doesn’t load libstagefright.so. CopperheadOS uses exec-based spawning, not simply forking from the Zygote. That’s the FIRST feature listed at https://copperhead.co/android/docs/technical_overview. Even if the Zygote and apps not using it did load that library which they do not do, code doesn’t become a security risk simply because it is loaded. There are plenty of ROP gadgets elsewhere and Android has library load order randomization where more libraries means more entropy.

        Also, libstagefright.so is a library, not a privileged process. It’s also not particularly bad compared to other media libraries written in C and C++. It just has a lot of attention so many bugs are being found and fixed. The same thing would happen if other media libraries received comparable attention from security researchers.

        There’s a set of mediaserver processes using libstagefright.so and the other media libraries. The core codec and extractor processes are heavily sandboxed and all of the media processes are heavily constrained by SELinux. You should really look into how things work before making strong claims about it as if you know what you’re talking about.

        It’s also hard to understand your implication that there’s something wrong with Bionic. It’s a particularly good C standard library implementation in terms of security. A large part of it is simply the OpenBSD standard library, such as the stdio implementation.

        > I haven’t really looked at Copperhead other than a brief glimpse months ago at their specs. I know they implemented grsecurity, stack smashing protecting, and they likely turned on -D_FORTIFY_SOURCE. These are great steps, but they can’t fix an architecture that is fundamentally flawed.

        Android’s security architecture is not fundamentally flawed and you’re misrepresenting both Android and CopperheadOS here. You should read https://copperhead.co/android/docs/technical_overview and do some basic research into Android before making claims about it. You’re spreading blatant misinformation and misrepresenting yourself as someone knowledgeable about it.

    1. Quite decent? At the end of October the newest security patch level for the Xperia Z5 was April, APRIL! Now they updated it to August. Still more than two months behind with no sign of preparing any new updates.

      Sony handles security updates really badly!

  3. It’s possible Google started developing Fuchsia, their new OS+micro-kernel (Magenta), for this reason. With a modular OS and micro-kernel, they could update the OS directly, instead of waiting for Qualcomm, OEMs and carriers to work together to ship updates.

    https://fuchsia.googlesource.com/

  4. Fairphone is a Dutch company that aims to create a fairly produced smartphone. They started shipping the first version of the Fairphone 2 early this year. It’s a modular phone designed to be repaired. For example, you can replace the screen without removing a single screw. IIRC the camera module just needs a single screw.

    I’ve been getting regular security updates for the Fairphone 2. Current patch level is at November 5th. One of their goals is extending the longevity of the phone which also includes security updates. Might be worth a look for some people, even though it costs about double what phones with similar specs cost…

    1. A patch level of November 5th means that it doesn’t have the fix for Dirty COW which was disclosed on October 20th. They’re only complying with the bare minimum expected from Google if they haven’t gone to the November 6th patch level yet.

      The Fairphone 2 is also not using Android 7.0, which brought major security advances. No device not yet based on 7.x can be considered to have good security. It addressed the biggest Android security issues by splitting up the mediaserver processes and heavily isolating / sandboxing them along with enabling automatic integer overflow checking. The media libraries (libstagefright) have been the source of most serious Android vulnerabilities, particularly via integer overflow vulnerabilities. There are also many other security improvements in 7.0 beyond that including hidepid=2 and much stricter SELinux policies but those media changes stand out a lot.

      They cannot really extend the longevity beyond the 3 years offered by Google for Nexus/Pixel devices because SoC vendors like Qualcomm don’t provide support for that long. If you ship a bleeding edge high end SoC, you can expect 3 years of support. They could continue providing incomplete security updates, but they’ll have an insecure baseband with unpatched vulnerabilities and the same goes for the rest of the SoC platform which is an extensive codebase.

      1. A colleague has a Nexus 6P which is also on a patch level of November 5th. Shouldn’t Nexus devices be up to date?

        Regarding Android 7.0, that will never officially be possible for the FP2 as Qualcomm does not release some drivers necessary to pass the Google CTS: http://www.androidauthority.com/android-7-0-snapdragon-800-801-712930/ From my understanding it technically works fine though, so I guess I’ll simply have to upgrade to a custom ROM later on.

        Basically you’re saying that as Android users we either need to buy only Google phones and replace them every 2-3 years, or stick to custom ROMs that push out every security update?

        1. Google doesn’t have the Dirty COW fix either yet. They have no real excuse for not shipping it on October 20th since they had early notice.

          October 20th -> December 5th to ship a patch for such a big issue is ridiculous.

          >Regarding Android 7.0, that will never officially be possible for the FP2 as Qualcomm does not release some drivers necessary to pass the Google CTS: http://www.androidauthority.com/android-7-0-snapdragon-800-801-712930/ From my understanding it technically works fine though, so I guess I’ll simply have to upgrade to a custom ROM later on.

          If it’s Snapdragon 800/801, it’s not going live for much longer as a device with full security updates.

          > Basically you’re saying that as Android users we either need to buy only Google phones and replace them every 2-3 years, or stick to custom ROMs that push out every security update?

          A custom ROM can’t provide updates for low-level firmware like the baseband, bootloader, TrustZone, etc. if the vendor is not providing the updates. So that isn’t a solution. They also can’t really provide updates to all of the proprietary blobs in the OS that are part of the SoC platform, including various drivers/libraries and more firmware for hardware like the WiFi radio.

  5. I don’t usually finish an online tech read… but this was just outstanding… great info, clear and to the point, and gave us the real problem/issue with options and resolutions without equivocations. Thanks!

  6. Moto devices get quick updates; not only that, they are notorious for releasing updates before Nexus gets them.
    Nextbit Robin is close to stock and they provide updates every 2 months; being a small company with only one device, the community is well served and replied to by their team.

  7. HTC is quite good too (disclaimer: I mostly buy their flagships). I have an HTC M8 (there are 2 phones released after it) which is on M via OTA (MTN South Africa).

  8. I have an LG G3 too (D855 32GB).
    Not true about QuadRooter and the Android security patch. I’m on V30o-EUR-XX and my security patch is 2016-09 and it is not affected by QuadRooter, nor was the version before (V30n-EUR-XX) with Google security patch 1/08/2016.

    http://imgur.com/a/Nltue
