
Google plans monthly security updates for Nexus phones - moviuro
https://threatpost.com/google-plans-monthly-security-updates-for-nexus-phones/114148
======
thescrewdriver
That doesn't help for 99.9% of Android devices out there (including mine)
which aren't Nexus phones, and will only receive 1 or 2 updates, usually
within 12 months of purchase and nothing after. The only way to stay current
for Joe Public is to buy a new phone every year. Lack of long-term updates
(along with getting everything Google shoved down my throat by default) are
the primary reasons I'm actively considering alternatives to my current
preference for buying Android phones.

~~~
untog
True, but it embarrasses the phone operators. This isn't new - Google has used
the Nexus line to push various features that manufacturers have then picked
up.

~~~
thescrewdriver
It's not just the operators. If an Android phone is more than 12 months old
manufacturers simply stop providing updates, and even if they did they'd have
to wait for the operators to add their crapware. It's a problem with the
Android ecosystem as a whole, which doesn't seem to affect (the overpriced)
iPhone from what I can see.

~~~
aNoob7000
I'm not sure what Apple has to do with the poor software support by Android
manufacturers.

I also want to point out that cost is really not the issue with Android support.
As an example, Samsung, which has a large share of the smartphone market, does a
very poor job of keeping their phones updated.

~~~
droopybuns
This is simply incorrect.

The OEMs have to pay developers to implement AOSP on their devices. They
reassign the developers to new devices after a handset has shipped. Those
developers are always working on the next revenue source.

Assigning developers to implement patches on devices that have long since
launched does not generate new revenue and it takes them away from developing
devices that will generate new revenue.

------
spiralpolitik
How does this help the wider Android ecosystem, or is Google pretty much saying
it doesn't care about the non-Nexus market?

Google holds all the cards in solving Android's security patch problem. The
fact that they haven't done anything about it says volumes.

~~~
patrickaljord
Blaming Google for not updating your non-Nexus Android phone is like blaming
Linus Torvalds for not updating your Cisco router from your ISP just because
it uses Linux.

Android is based on AOSP, which Google does not control because of the
license. Not sure why, especially on HN, people do not seem to understand or
want to understand how open source licensing works.

~~~
revscat
I don't think this is true. Google could have handled Android licensing in
such a way that resellers were required to patch security holes within a
certain amount of time after release.

AOSP is a software license, and governs contributions and replication. The
agreements whereby various vendors get rights to sell and distribute Android
devices are between Google and the various vendors. If Google had so chosen
they could have added conditions to those agreements whereby vendors would be
required to apply security updates within some reasonable amount of time. They
did not do so in order to increase their market share. This decision hurt the
platform, at least insofar as security is concerned.

It was a choice: market share vs. security. Google chose market share.

~~~
patrickaljord
AOSP is not a software license; AOSP is the name of the open source project
(like Chromium is to Chrome). The license of AOSP is the Apache Software License,
Version 2.0 (and some GPL and LGPL stuff).

[https://source.android.com/source/licenses.html](https://source.android.com/source/licenses.html)

------
Aoyagi
_"With the recent security issues, we have been rethinking the approach to
getting security updates to our devices in a more timely manner. Since
software is constantly exploited in new ways, developing a fast response
process to deliver security patches to our devices is critical to keep them
protected."_

I don't think Mr Dong Jin Koh knows what "timely" and "fast" mean. Then
again, a month is better than months, except I don't think this changes too
much if it took them a month to fix something they knew about. Nothing stops
them from releasing a security patch in a fifth batch after discovery of a
hole...

~~~
jsight
How does this turnaround time compare to the typical turnaround time for
desktop operating systems?

~~~
Aoyagi
Well, Windows updates weekly with actually critical updates being pushed as
they come. Not sure what it's like on OSX and various Linux distros.

~~~
ac29
Linux: constantly. On a rolling release distro like Arch it's rare to have less
than a few updates a day. Security patches are often available within hours of
upstream release, if not earlier.

YMMV based on distro.

------
ikeboy
Awesome!

Can we get a fix for Logjam yet? It was first reported on May 20 [0],
presumably Google knew about it earlier (I know Firefox was given advance
notice [1]), yet the latest stable releases of Chrome on both mobile and
desktop are still vulnerable.

Firefox fixed it on Jul 2 [2], Apple fixed it on June 30 [3]. Can someone
explain to me why Google hasn't released a fix to something that affected 10%
of popular websites on disclosure day [0]?

[0] [https://weakdh.org/](https://weakdh.org/)

[1] [https://bugzilla.mozilla.org/show_bug.cgi?id=1138554](https://bugzilla.mozilla.org/show_bug.cgi?id=1138554)

[2] [https://www.mozilla.org/en-US/security/advisories/mfsa2015-7...](https://www.mozilla.org/en-US/security/advisories/mfsa2015-70/)

[3] [https://support.apple.com/en-us/HT204941](https://support.apple.com/en-us/HT204941)

~~~
RobAtticus
[0] says I'm not vulnerable and I'm using Chrome 46 on Windows, so I guess
it's on its way.

(Chrome 44 on Android still vulnerable.)

~~~
ikeboy
46 is not stable (the current stable release is 44, see
[http://googlechromereleases.blogspot.com/](http://googlechromereleases.blogspot.com/)).
Also, if you want Chrome Beta on Android you can go here:
[https://play.google.com/store/apps/details?id=com.chrome.bet...](https://play.google.com/store/apps/details?id=com.chrome.beta)

------
gambiting
The idea that software updates have to be approved and released by carriers is
still incredibly stupid and unnecessary.

~~~
michaelmcmillan
What if it breaks some functionality the carrier has implemented?

~~~
vetinari
It can also break standard functionality, like the first iOS 8 release did.

When things like this happen, both Apple and carriers scramble to fix things.
However, Apple has a "special" position by virtue of its image; carriers
are not going to do the same for everyone.

------
acd
One could engineer phones differently so they would be more secure. Having
some fallback option if a phone update fails, which I think is a reason why
manufacturers do not update.

For example, having a boot loader and two different flash areas: one primary
area and one secondary, then you tick-tock boot between the different images.
This is how routers, CoreOS and XenServer do it.

The kernel can be live patched as of Linux 4.0.

It's either that or more open phones where the customers can install and
maintain their own operating system: Android stock, CyanogenMod, Ubuntu phone
etc.

------
fulafel
Before Stagefright the situation regarding Android security was very strange.
Google and the Android OEMs basically had ancient unpatched WebKit running on
ancient unpatched Linux, both with huge swaths of unpatched serious
vulnerabilities, on zillions of devices with some half-assed sandboxing thrown
in, and they were getting away with it. No widespread malware outbreaks.

Maybe they were just experimenting with how long they could keep this laissez-faire
thing going until they had to react, and had a plan in their back pocket.

------
skybrian
Samsung will be doing this as well. Perhaps that will encourage others?

[http://www.engadget.com/2015/08/05/samsung-montly-android-se...](http://www.engadget.com/2015/08/05/samsung-montly-android-security-fixes/)

~~~
aNoob7000
I'll believe it when I see it. As a Samsung Galaxy Note 4 owner, I'm still
waiting for Android 5.1.1 on my handset.

------
brimoh
Nexus phones are suffering from app crashes and frequent phone restarts.
Security is important, but at the same time stability matters too. Google
should take care of these issues first. Samsung, HTC and LG's builds are more
stable than Google's stock Android.

~~~
jcastro
Lollipop has effectively made my Nexus 5 worthless. Battery barely lasts a day
now and the phone is still continuously plagued by disconnecting from the
network at seemingly random times.

I've owned every generation Nexus and the 5 went from being the best phone
they've ever made to the worst phone I've ever owned in one fell swoop. :(

Ordered a Moto this time around to see if I can have better luck there.

------
SCdF
While this is just lovely news, I'll withhold my breathless excitement for the
headline: "Google implements monthly security updates for Nexus phones"

------
SchizoDuckie
I'm more interested in what they're going to do to push updates to Android
2.x+ devices. Will it even be technically possible without vendors?

------
yssrn
Google claims that a security patch came out yesterday, yet my Nexus 6 still
has no OTA update available.

What, do they not have the bandwidth to send it out at once?

~~~
francoisblavoet
I don't think it is a bandwidth issue. I think that they purposefully push the
update to x% of the users first, wait for potential problems and then resume
the rollout.

------
condescendence
So basically, they're starting to do something they should've been doing?

------
rplnt
Considering how they can fuck up a "feature" update... no, thanks.

------
tempVariable
I bought a Nexus 4; it has giant issues where you are unable to hear
recipients, intermittently, until you reboot. This has been reported to Google
in so many ways.

Being able to talk on a phone is kind of important. Is it also important to
Google? Since I don't want to shell out another two bills for a different
phone, please let it be!

------
kolev
So, stay unprotected for an average of half a month? If this is what Google
can do best, imagine the others! I'm highly disappointed! Not to mention that
Nexus updates, although Google doesn't have so many of them, usually take a
whole week to roll out! Google is setting a really bad example here!

~~~
moviuro
Still, it'll be far less bad than having the carriers take care of those
up-//whats?//

However, Google is moving in the right direction IMHO: don't forget that there
is this weird thing named "No-Disclosure", so hopefully you'll get a patched
Android even before the bug/flaw is unveiled.

