Opinion: F*ck Android Software Updates

android update security patch

We may earn a commission when you click links to retailers and purchase goods. More info.

The year is 2016 and I’m officially sick of talking about Android software updates because the whole system is still broken. I’ve just had enough of the lack thereof, the slowness and inconsistency of them, the bugginess when they arrive, and the number of players involved that have allowed this platform, which is the best mobile platform in the business, to continue to stay such a disaster in one of its most important areas.

Let me try and explain what I mean through a handful of examples that have all popped up within the past couple of weeks. 

The first has to do with the recently released US unlocked Samsung Galaxy S7 and Galaxy S7 Edge models. These phones arrived at the end of June and were billed as phones that bring the Galaxy experience to more people because they aren’t tied to a single carrier. And they do that! I’ve been using one since the day they arrived and continue to go back to it because this is the best phone of 2016 in my opinion. You know what they don’t do? Receive software updates. While carrier models across the US are seeing monthly security patches from Samsung, the phones that don’t have any carrier interference are still sitting on May’s security patch. That’s right, my unlocked S7 is still only on May’s patch, which means it’s vulnerable to anything that was patched by Google in June, July, and August.

There was a time where we blamed carriers for slow updates, but now I’m not so sure I’d lay blame there any longer. Samsung sure as hell seems capable of working with T-Mobile and AT&T and Verizon to keep those carrier-tied phones up-to-date while their unlocked units sit here just asking to be Quadrootered into oblivion.

And there may not be any better example of the manufacturer now being at fault than Motorola. We’ve documented the fact that Motorola’s DROID brand of phones is the absolute worst option for anyone who cares about both software updates and security patches, but in reality, that idea now carries through onto almost all Motorola phones. Did you know that the Moto X Pure Edition, an unlocked phone with zero carrier ties, is still on Android 6.0 (Android 6.0.1 has been out since December) and May’s security patch? And did you know that it only got May’s patch in July, after not seeing an update since February?

Sticking with Motorola for a second, we certainly can’t look past their new Moto Z DROID phones in this whole ongoing mess. Shortly after review embargoes lifted for each, Motorola found itself in a bit of hot water over the idea that they weren’t going to provide monthly security patches. Not that we ever expected them to deliver any, but they did tell select media outlets that they were going to push a software update with the latest security patches shortly after the phone launched. I can tell you that we still have review units in house and neither has seen an update. It has been almost three weeks since launch and they are only up to May’s security patch, which they had out of the box.

Circling back again, though, maybe the idea of an unlocked phone is a large part of the problem. At one point in time, we advocated for unlocked phones because they were the most likely to see software updates the quickest because we wanted to blame carriers for our update problems. Now, I don’t think I’d tell anyone that. Well, there are some unlocked phones that do well, like those made by HTC or Google that still see quick updates. So like with any smartphone purchase, it may not be about the carrier so much as the manufacturer these days.

Why are manufacturers ignoring their unlocked phones? I don’t know for sure, but in the US, they probably aren’t selling many and so they probably don’t see the need to spend the resources to keep them as up-to-date as their carrier alternatives. While that’s a pretty shitty way to approach security and software, money does still run all the things.

Carriers aren’t exempt from criticism here, though. Take for example the T-Mobile Galaxy S7 Edge that we purchased for Tim earlier in the year. He used the phone for a good month on T-Mobile’s network before he could unlock it and take it to his personal AT&T GoPhone line. Since the moment he unlocked it and switched carriers, he hasn’t seen a software update of any kind. In fact, when I asked him to look at his security patch level, the phone was still on April’s. I asked him last week, by the way. Another friend of the site owns a T-Mobile HTC 10 that he recently flashed to be recognized as the unlocked HTC 10. Within a day of unlocking it, he saw an update sent out from HTC with August’s security patch, while T-Mobile’s support still shows their variant only patched through July 1. You could also look at my AT&T Galaxy Note 5, which because I haven’t used a SIM in for a good year, won’t update to Marshmallow and is still on Lollipop.

The point here is that these carrier-tied phones only matter to the carriers selling them if they are still active on their network. Not that that is a shocking revelation, but because these software updates for carrier phones seem to be tied to network or SIM activity, these phones are all but left for dead should you take them elsewhere. Or god forbid you use one on WiFi-only. That’s a troubling connection that shouldn’t even exist since these software updates all originate from the manufacturer. Why tie these to the carrier and not the phone?

Of course, outside of carriers and manufacturers continuing to screw up software updates, you can’t forget about the general slowness of the security patches I keep referencing. Quadrooter is the latest headline grabbing vulnerability that Google actually seems to have acknowledged and so it’s a prime example of the issues here. While Google’s phones will be patched from vulnerabilities like this the quickest in most cases, most of the rest of the world may not know when to expect a fix. And even if Quadrooter isn’t exactly a huge risk to leave unpatched for the majority of users, the fact that we have to consider the idea of it going unpatched for months is scary.

This all comes from the number of players involved in Android updates and security patches. This particular vulnerability involves Qualcomm chipsets and so Qualcomm has issued patches to Google who then pushes out Android updates to manufacturers who are then in charge of pushing the final releases to their own phones, which may also include a carrier or two. That’s a lot of moving pieces and testing and lot of approvals before your phone is up-to-date.

How do you fix all of these problems? Hah, good question. Again, it’s 2016 and these have all been a part of the Android equation since day one. Is there a fix? I don’t know. I hate to sit here and complain and point out issues without being able to offer a solution, but I’m no software engineer. There are much smarter and more capable thinkers than me, all of which don’t seem to have answers. What I do know is that it’s unacceptable for unlocked phones to be shunned, for major manufacturers to just ignore security, for fully paid-for carrier-tied phones to be abandoned, and for security patches to still take months to arrive on everyone’s device.

F*ck Android software updates.



Collapse Show Comments