Google plans monthly security updates for Nexus phones (threatpost.com)
59 points by moviuro on Aug 6, 2015 | 68 comments


That doesn't help for 99.9% of Android devices out there (including mine) which aren't Nexus phones and will only receive 1 or 2 updates, usually within 12 months of purchase and nothing after. The only way to stay current for Joe Public is to buy a new phone every year. Lack of long-term updates (along with getting everything Google shoved down my throat by default) are the primary reasons I'm actively considering alternatives to my current preference for buying Android phones.


True, but it embarrasses the phone operators. This isn't new - Google has used the Nexus line to push various features that manufacturers have then picked up.


It's not just the operators. If an Android phone is more than 12 months old manufacturers simply stop providing updates, and even if they did they'd have to wait for the operators to add their crapware. It's a problem with the Android ecosystem as a whole, which doesn't seem to affect (the overpriced) iPhone from what I can see.


I'm not sure what Apple has to do with the poor software support by Android manufacturers.

I also want to point out that cost is really not the issue with Android support. As an example, Samsung, which has a large share of the smartphone market, does a very poor job of keeping their phones updated.


This is simply incorrect.

The OEMs have to pay developers to implement AOSP on their devices. They reassign the developers to new devices after a handset has shipped. Those developers are always working on the next revenue source.

Assigning developers to implement patches on devices that have long since launched does not generate new revenue and it takes them away from developing devices that will generate new revenue.


Apple demonstrates that it's possible to keep devices up to date, an example which the Android manufacturers could emulate.


> That doesn't help for 99.9% of Android devices out there (including mine) which aren't Nexus phones

Right, it differentiates Nexus phones from non-Nexus phones and provides a reason to prefer the former (of course, there is no barrier to other phone vendors seeking to negate this advantage by duplicating the process.)


Or just buy an iPhone at this point?

I don't jest. I owned the first Android phone from T-Mobile. I owned every Nexus phone after that up to the Nexus 5. I was tired of being the "abused spouse" who thought Google would change and one day release a product that would actually work properly for longer than a few months.

Purchased an iPhone 5s, haven't looked back. The cost of current Nexus phones is on parity with iPhones (or close enough) that cost is no longer the deciding factor. Why do people continue to put faith in a product that continually fails to deliver?

Google: I want to love your Nexus line and Android. But you're going to have to start treating customers like customers, and not just a necessary evil.

Nexus 5 Android 5.1 Data Connection Issue: https://productforums.google.com/forum/#!topic/nexus/o-UyGEC...

Nexus 5 Android 4.2.2 Data Connection Issue: https://code.google.com/p/android/issues/detail?id=63524

Broken Bluetooth Audio Android 4.2.x: https://code.google.com/p/android/issues/detail?id=39633&q=d...

Improper Handling Of Mobile Radio Causes Battery To Drain Quickly: https://code.google.com/p/android/issues/detail?id=165558&q=...

All currently open (2767) Nexus issues: https://code.google.com/p/android/issues/list?can=2&q=nexus&...


I can't bring myself to use iPhone because of the walled garden. Sorry, but I shouldn't have to pay $99 and own a licensed Mac computer running OS X just to develop an app and test it on my phone. Android has a couple of editors now that let you develop an app directly on your device. The Apple DRM isn't even that hard to break, which is such a shame because the only people being hurt by it are legitimate customers and people looking to get into development for it.

Yes, you can jailbreak your iPhone and install unsigned code. You can even set up a compiler toolchain to build your iOS apps, but you shouldn't have to do all of that just to build an app for your phone.


This doesn't alleviate the walled garden concern entirely, but I've been kind of held up in my desire to try iOS development because I always felt the $99 ADC subscription was a silly requirement just to test an app on my own device. I've learned that with the next release of OS X and iOS, developers will be able to test their apps on their own devices using only an Apple ID; no ADC subscription required.

This is not an argument in support of Apple's approach. I just wanted to share what I'd learned about similar concerns.


You won't need to have a developer's license to run code on your own phone sans jailbreak in iOS 9.


You still need a 2K OSX dongle to even use the tool chain though.


I had more problems with the iPhones I had before I switched to Android than I've had with Android; the product that fails to deliver for you isn't necessarily the product that fails to deliver for everyone else.


If you want to share a list of open bugs affecting the iPhone that are breaking critical features, I'm open to a debate.

I didn't give up on Android until I had collectively spent thousands of dollars on Nexus phones and continually had problems with each model at some point in time.


Because Apple has a public list of open bugs, doesn't it?


I'm not sure why you are being down voted. I followed a similar path. I loved the Nexus 5 because it hit a sweet spot for price/performance. The Nexus 6 basically said look elsewhere and I ended up back on the iPhone after owning multiple Android phones.


Or, you know, you could ACTUALLY read the article:

> The first update is being pushed out today, and the company said that other Android handset manufacturers are planning to follow suit and provide monthly updates to carriers.

Says right in the article that LG and Samsung are on board for monthly security patches as well. What's your little percentage rating at now?

The Nexus 4 is receiving updates, and it is just about 3 years old now.


Other than the obvious brand association issues that's not really Google's problem. IIRC this is part of the reason why Google changed their licensing agreement to prevent forked SDKs. If you want to ensure you receive timely updates either complain to your phone manufacturer or buy a Nexus phone.


I'm not suggesting that it's Google's fault (well other than forcing OEMs to shove Google stuff down my throat). It's a general complaint about the android ecosystem as a whole. Even Windows 98 got more regular security updates than most android phones.


Fortunately, AOL didn't act as a gatekeeper to operating system patches.


This is not necessarily true in the long term though. The presence of those regular updates may lead the vendors to create a process to release them to their customers in a reasonably timely manner.


How does this help the wider Android ecosystem, or is Google pretty much saying it doesn't care about the non-Nexus market?

Google holds all the cards in solving Android's security patch problem. The fact that they haven't done anything about it says volumes.


Blaming Google for not updating your non-Nexus Android phone is like blaming Linus Torvalds for not updating your Cisco router from your ISP just because it uses Linux.

Android is based on AOSP, which Google does not control because of the license; not sure why, especially on HN, people do not seem to understand or want to understand how open source licensing works.


It's not as simple as that. Android may be open source, but Google can set the terms under which manufacturers can use the Android trademark and sell phones with access to the Play store and other Google services.

AFAIK they did amend those licenses to contain mandatory updates for some time after a device first hits the market, so it's definitely something they're actively trying to improve. It's probably not the easiest thing to solve, because manufacturers might decide to fork Android if they'd go too far, so they have to keep a balance.


I don't think this is true. Google could have handled Android licensing in such a way that resellers were required to patch security holes within a certain amount of time after release.

AOSP is a software license, and governs contributions and replication. The agreements whereby various vendors get rights to sell and distribute Android devices are between Google and the various vendors. If Google had so chosen they could have added conditions to those agreements whereby vendors would be required to apply security updates within some reasonable amount of time. They did not do so in order to increase their marketshare. This decision hurt the platform, at least insofar as security is concerned.

It was a choice: marketshare vs. security. Google chose marketshare.


AOSP is not a software license. AOSP is the name of the open source project (like Chromium is to Chrome); the license of AOSP is the Apache Software License, Version 2.0 (and some GPL and LGPL stuff).

https://source.android.com/source/licenses.html


> not sure why especially on HN, people do not seem to understand or want to understand how open source licensing work.

Because they are partisans and the no-updating situation is a stick they can beat Android with.


They're giving the example and providing the fixes themselves in a "stable patch release" rather than let every other company figure out what and when to patch each in their own way. And it affects the ecosystem because two (for now) other major manufacturers are following it, as said in the very first paragraph of the article ...

> The first update is being pushed out today, and the company said that other Android handset manufacturers are planning to follow suit and provide monthly updates to carriers. [...] The change from Google, LG, and Samsung [...] Adrian Ludwig, lead engineer for Android security at Google, said the company plans more frequent updates for Nexus users and for other handset makers

> From this week on, Nexus devices will receive regular OTA updates each month focused on security [...] Both LG and Samsung, two of the larger Android manufacturers, have committed to getting those updates to carriers more quickly


It currently can't do anything about the non-Nexus market. This is because the manufacturers and operators are responsible for dealing with sending anything out of the door.

It would be fantastic if Google was able to have a version of Android that was the same across all capable devices and the manufacturer's customizations are all userland.


It helps in exactly the same way the nexus program is supposed to work: it influences the other oems, providing an example of good practices that they will hopefully follow. Samsung also announced yesterday that they would be moving to a monthly schedule for security updates.


Google issues bulletins and security patches to the manufacturers. Nothing is stopping Samsung, HTC, Motorola, etc from having a monthly security update system like this one that the Nexus devices will have.


> Nothing is stopping Samsung, HTC, Motorola, etc from having a monthly security update system like this one that the Nexus devices will have.

Why would they do that when they can just sell new handsets? They have no financial incentive to do that, and that's where the Android platform fails.

Because for all these manufacturers Android is just a free OS they don't have to maintain to begin with. They (most) are not in the business of selling software services. It's up to Google to find a way to force updates upon consumers, or these manufacturers will just blame Google for their problems.

Google owns Android; each time an exploit is found it hurts Google, not HTC nor Samsung.


> each time an exploit is found it hurts Google, not HTC nor Samsung.

Well, it will hurt the manufacturer too if the flaw is only present in their systems etc.


Yep, Google can't push updates to non-Nexus devices because they've been saddled with carrier/manufacturer OS bloat.


You can't paint all carriers with one brush like that. Any BYOD phone on a BYOD-friendly network should be upgradeable directly by the manufacturer (or by Google--it would be up to the manufacturer to set that up).

The issue is with networks that don't allow non-carrier approved phones. Don't let them shift blame. They've decided to be bullies in their sandbox, so if you get sand in your eyes, take your money elsewhere.

Verizon may have a great network (I wouldn't know, they won't let me bring my own phone and none of their phones interest me). It helps lock customers in, but their phone policies also leave them vulnerable (and roped into an expensive hidden-cost upgrade treadmill).


Google certainly does not hold the cards in the security patch problem. The carriers and other manufacturers do.


It provides a noticeable and well-publicised market differentiation for Nexus phones.


What card is that?


The Google ecosystem. If you want to ship a phone with Play, Maps, Gmail etc you have to commit to supporting it with patches for N years where N is greater or equal to 2.

As has been pointed out, Google doesn't do this for the fear that the manufacturers will walk and as such has prioritized market share over security.


“With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner. Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected."

I don't think Mr Dong Jin Koh knows what "timely" and "fast" means. Then again, a month is better than months, except I don't think this changes too much if it took them a month to fix something they knew about. Nothing stops them from releasing a security patch in a fifth batch after discovery of a hole...


They're moving from once or twice a year if you're lucky to monthly, so while it's not enough it certainly is a step in the right direction. It's easier to move from monthly to weekly than when starting where they are now.


How does this turnaround time compare to the typical turnaround time for desktop operating systems?


Well, Windows updates weekly with actually critical updates being pushed as they come. Not sure what it's like on OSX and various Linux distros.


Linux: constantly. On a rolling release distro like Arch it's rare to have less than a few updates a day. Security patches are often available within hours of upstream release if not earlier.

YMMV based on distro.


Windows updates were monthly, "Patch Tuesday" being the Tuesday of the second week of the month.


Awesome!

Can we get a fix for Logjam yet? It was first reported on May 20 [0], and presumably Google knew about it earlier (I know Firefox was given advance notice [1]), yet the latest stable releases of Chrome on both mobile and desktop are still vulnerable.

Firefox fixed it on Jul 2 [2], Apple fixed it on June 30 [3]. Can someone explain to me why Google hasn't released a fix to something that affected 10% of popular websites on disclosure day [0]?

[0] https://weakdh.org/

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1138554

[2] https://www.mozilla.org/en-US/security/advisories/mfsa2015-7...

[3] https://support.apple.com/en-us/HT204941
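For readers who want to see what the browser-side Logjam mitigation actually checks, here is an added example (not code from the thread, and not Chrome's or Firefox's implementation). It encodes and parses the ServerDHParams structure from RFC 5246 section 7.4.3 (three opaque<1..2^16-1> vectors: dh_p, dh_g, dh_Ys) inside a server_key_exchange handshake message, and refuses any group whose prime is below a minimum size; the post-Logjam browser fixes set that floor at 1024 bits. The moduli used as sample input are constructed for their bit length only and are not real published DH groups.

```python
"""
Logjam-style size check on the DHE parameters a TLS 1.2 server sends.

Added example, not code from the thread or from any browser. It encodes and
parses the ServerDHParams structure of RFC 5246 section 7.4.3 carried in a
server_key_exchange message and rejects groups below a minimum prime size.
The sample moduli are constructed for their size only, not real DH groups.
"""
import struct

SERVER_KEY_EXCHANGE = 12  # HandshakeType.server_key_exchange


def _read_vector16(buf, off):
    """Read one opaque<1..2^16-1> vector (2-byte length prefix) at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated vector length")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated vector body")
    return buf[off:off + n], off + n


def build_server_key_exchange(p, g, ys):
    """Encode ServerDHParams under a 4-byte handshake header (signature omitted)."""
    def vec(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw

    body = vec(p) + vec(g) + vec(ys)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


def parse_server_dh_params(msg):
    """Return (p, g, ys) from a server_key_exchange message carrying DHE params."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a server_key_exchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake body shorter than its declared length")
    p_raw, off = _read_vector16(body, 0)
    g_raw, off = _read_vector16(body, off)
    ys_raw, off = _read_vector16(body, off)
    # Anything after dh_Ys is the signature, which a real client must verify.
    return tuple(int.from_bytes(x, "big") for x in (p_raw, g_raw, ys_raw))


def check_dh_params(p, g, ys, min_bits=1024):
    """Return 'accept' or a 'reject: ...' reason, as a client would decide."""
    if p < 5 or p % 2 == 0:
        return "reject: modulus is not a plausible odd prime"
    if not 1 < g < p - 1:
        return "reject: generator out of range"
    if not 1 < ys < p - 1:
        return "reject: server public value out of range"
    if p.bit_length() < min_bits:
        return "reject: %d-bit group below %d-bit minimum" % (p.bit_length(), min_bits)
    return "accept"


def classify(msg, min_bits=1024):
    """Parse a server_key_exchange and return the client's verdict."""
    p, g, ys = parse_server_dh_params(msg)
    return check_dh_params(p, g, ys, min_bits)


# Constructed inputs: an "export-grade" 512-bit modulus and a 2048-bit one.
EXPORT_P = (1 << 511) | 1
STRONG_P = (1 << 2047) | 1

if __name__ == "__main__":
    weak = build_server_key_exchange(EXPORT_P, 2, 0x1234)
    strong = build_server_key_exchange(STRONG_P, 2, 0x1234)
    print(classify(weak))                   # rejected at the 1024-bit floor
    print(classify(strong))                 # accepted
    print(classify(strong, min_bits=4096))  # rejected under a stricter floor
```

The size floor is the whole mitigation on the client side: a client that accepts whatever prime the server (or a man-in-the-middle downgrading to an export cipher suite) offers has no defence against a precomputed 512-bit group. Checking that the public value lies strictly between 1 and p-1 is cheap and stops the degenerate-key cases as well.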


[0] says I'm not vulnerable and I'm using Chrome 46 on Windows, so I guess it's on its way.

(Chrome 44 on Android still vulnerable.)


46 is not stable (the current stable release is 44, see http://googlechromereleases.blogspot.com/). Also, if you want Chrome Beta on android you can go here: https://play.google.com/store/apps/details?id=com.chrome.bet...


The idea that software updates have to be approved and released by carriers is still incredibly stupid and unnecessary.


What if it breaks some functionality the carrier has implemented?


It can also break standard functionality, like the first iOS 8 release did.

When things like this happen, both Apple and carriers scramble to fix things. However, Apple has a "special" position by virtue of its image; carriers are not going to do the same for everyone.


One could engineer phones differently so they would be more secure, e.g. having some fallback option if a phone update fails, which I think is a reason why manufacturers do not update.

For example, having a boot loader and two different flash areas, one primary area and one secondary, and then you tick-tock boot between the different images. This is how routers, CoreOS and XenServer do it.

The kernel can be live patched as of Linux 4.0

It's either that or more open phones where the customers can install and maintain their own operating system. Android stock, Cyanogenmod, Ubuntu phone etc.
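To make the tick-tock scheme in the comment above concrete, here is an added example (not code from the thread or from any real bootloader) that models A/B slot selection: a freshly written image gets a limited number of boot attempts, the bootloader falls back to the previous slot when they run out, and once userspace confirms the new image the device raises an anti-rollback floor so an older image cannot be staged again. The metadata layout (per-slot priority, tries_remaining, successful flag, image version, and a device-wide min_version) is an assumption chosen for this illustration.

```python
"""
A/B ("tick tock") boot slot selection with retry counters and rollback
protection.

Added example, not code from the thread or from any real bootloader; it
models the dual-image scheme described in the comment above. The metadata
layout (priority, tries_remaining, successful, version, min_version) is an
assumption made for this illustration.
"""
from dataclasses import dataclass

MAX_TRIES = 3  # boots a fresh image may attempt before it is abandoned


@dataclass
class Slot:
    name: str
    version: int              # security version of the image in this slot
    priority: int = 0         # higher boots first; 0 means never boot
    tries_remaining: int = 0
    successful: bool = False  # set only after userspace confirms a good boot

    def bootable(self):
        return self.priority > 0 and (self.successful or self.tries_remaining > 0)


@dataclass
class BootControl:
    slots: list
    min_version: int = 0      # anti-rollback floor; only ever raised

    def _slot(self, name):
        return next(s for s in self.slots if s.name == name)

    def stage_update(self, target, version):
        """Updater side: a new image has just been written into the idle slot."""
        if version < self.min_version:
            raise ValueError("image version %d below rollback floor %d"
                             % (version, self.min_version))
        slot = self._slot(target)
        slot.version = version
        slot.priority = max(s.priority for s in self.slots) + 1
        slot.tries_remaining = MAX_TRIES
        slot.successful = False

    def select(self):
        """Bootloader side: pick the slot to boot, spending a try on unproven ones."""
        candidates = [s for s in self.slots
                      if s.bootable() and s.version >= self.min_version]
        if not candidates:
            return None
        slot = max(candidates, key=lambda s: s.priority)
        if not slot.successful:
            slot.tries_remaining -= 1  # persisted before handing off to the kernel
        return slot

    def mark_boot_successful(self, name):
        """Userspace side: the new system came up; commit it and raise the floor."""
        slot = self._slot(name)
        slot.successful = True
        self.min_version = max(self.min_version, slot.version)


def fresh_device():
    """Constructed starting state: running version 1 from slot A, slot B idle."""
    return BootControl(slots=[
        Slot("A", version=1, priority=1, successful=True),
        Slot("B", version=0),
    ])


def simulate_failed_update():
    """Stage v2 into B and never confirm it: three tries, then fall back to A."""
    bc = fresh_device()
    bc.stage_update("B", 2)
    return [bc.select().name for _ in range(4)]


def simulate_good_update_then_rollback_attempt():
    """Confirm v2 from B, then check that re-staging the older v1 is refused."""
    bc = fresh_device()
    bc.stage_update("B", 2)
    booted = bc.select().name
    bc.mark_boot_successful(booted)
    try:
        bc.stage_update("A", 1)
        refused = False
    except ValueError:
        refused = True
    return booted, bc.min_version, refused


if __name__ == "__main__":
    print(simulate_failed_update())                   # ['B', 'B', 'B', 'A']
    print(simulate_good_update_then_rollback_attempt())  # ('B', 2, True)
```

Two details matter for the security of the scheme. The try counter must be decremented and written back before the kernel is started, otherwise a crash loop early in boot never consumes a try and the device never falls back. And the rollback floor is raised only after the new image is confirmed good, because raising it makes the previous slot unbootable; raising it any earlier would turn a bad update into a brick.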


Before Stagefright the situation about Android security was very strange. Google and the Android OEMs basically had ancient unpatched WebKit running on ancient unpatched Linux, both with huge swaths of unpatched serious vulnerabilities, on zillions of devices with some half assed sandboxing thrown in, and they were getting away with it. No widespread malware outbreaks.

Maybe they were just experimenting how long they could keep this laissez faire thing going on until they had to react, and had a plan in the back pocket.


Samsung will be doing this as well. Perhaps that will encourage others?

http://www.engadget.com/2015/08/05/samsung-montly-android-se...


I'll believe it when I see it. As a Samsung Galaxy Note 4 owner, I'm still waiting for Android 5.1.1 on my handset.


Nexus phones are suffering from app crashes and frequent phone restarts. Security is important, but at the same time stability matters too. Google should take care of these issues first. Samsung, HTC and LG's builds are more stable than Google's stock Android.


Lollipop has effectively made my Nexus 5 worthless. Battery barely lasts a day now and the phone is still continuously plagued by disconnecting from the network at seemingly random times.

I've owned every generation Nexus and the 5 went from being the best phone they've ever made to the worst phone I've ever owned in one fell swoop. :(

Ordered a Moto this time around to see if I can have better luck there.


While this is just lovely news, I'll withhold my breathless excitement for the headline: "Google implements monthly security updates for Nexus phones"


I'm more interested in what they're going to do to push updates to android 2.x+ devices. Will it even be technically possible without vendors?


Google claims that a security patch came out yesterday, yet my Nexus 6 still has no OTA update available.

What, do they not have the bandwidth to send it out at once?


I don't think it is a bandwidth issue. I think that they purposefully push the update to x% of the users first, wait for potential problems and then resume the rollout.


So basically, they're starting to do something they should've been doing?


Considering how they can fuck up a "feature" update... no, thanks.


I bought a Nexus 4; it has giant issues where you are intermittently unable to hear recipients until you reboot. This has been reported to Google in so many ways.

Being able to talk on a phone is kind of important. Is it also important to Google? Since I don't want to shell out another two bills for a different phone, please let it be!


So, stay unprotected for an average of half a month? If this is what Google can do best, imagine the others! I'm highly disappointed! Not to mention that Nexus updates, although Google doesn't have so many of them, usually take a whole week to roll out! Google is setting a really bad example here!


Still, it'll be far less bad than having the carriers take care of those up-//whats?//

However, Google is moving in the right direction IMHO: don't forget that there is this weird thing named "No-Disclosure", so hopefully, you'll get a patched Android even before the bug/flaw is unveiled.


You are basically unprotected 100% of the time anyways... as long as you are not a target, you should be ok.

Also, I think that Microsoft has been doing monthly security updates for many years... and once in a while, they push an update early for very severe bugs.


If you knew how the wireless stack in the modern smartphone works, an unpatched application OS would be the least of your worries.



