“It’s a dangerous world out there,” Apple VP Phil Schiller once tweeted regarding the security (or lack thereof) of Android devices. Apple has had its share of fun with Android devices, laughing on stage for a few years about how many Android users never receive the very latest updates from Google, how few users have the latest update available from the day the new update(s) is released, and so on. At the same time, however, Google has been in the news more and more for its decisions to keep certain security issues silent – despite knowing about them for weeks on end. This has not helped the company’s image, since consumers want to be informed when a vulnerability threatens their smartphone experience.
While we’ve seen massive issues with vulnerabilities such as HeartBleed from a year ago that put Android devices running anything below Android 4.3 Jelly Bean or 4.4 KitKat at risk, a new vulnerability discovered as of late has prompted Google to do what the company has never done before: announce monthly security updates for its Nexus devices.
The StageFright exploit has become, like HeartBleed, yet another example of a security vulnerability that’s easy to come into contact with in the world of open-sourced software. Essentially, someone could upload malware to a video or text message, which would then attach itself to every device that downloaded that same video or opened the infected text message.
By way of its own Android Official Blog today, the search engine giant and Android owner revealed that it intends to update Nexus devices (and ultimately, all Android devices) for up to 3 years from the purchase date:
An additional approach to further increase the security of Android users involves updates to the device software. For the past three years, we have been modifying Android manufacturers every month through bulletins of security issues so that they can keep their users secure.
Nexus devices have always been among the first Android devices to receive platform and security updates. From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Goole Store.
Google stated in the excerpt above that it intends to issue these security updates to all current Android devices, and it seems as though Samsung has taken the initiative to get its current devices on board. Today, Samsung announced its desire to push updates to its devices as quickly as possible: With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner, the Korean manufacturer said. Even though the large majority of Android devices (if not all) contain Address Space Layout Randomization (or ASLR) protection, it’s still nice to see Android OEMs taking the initiative in protecting Android users.
Google and Samsung have both started rolling out StageFright security patches, with Google releasing its software update under build number LMY48I. AT&T has started rolling out software updates for the Galaxy S5 (build number G900AUCU4BOF3), S5 Active (G870AUCUBOF3), Galaxy Note 4 (N910AUCU2COC6), and the Galaxy S6 Active (G890AUCU2AU2AOF4), all Samsung devices. Sprint provided the StageFright patch for the Samsung Galaxy S6, S6 edge, the Galaxy S5, and the Galaxy Note Edge.
Alcatel OneTouch hasn’t yet issued its StageFright update, but says that Idol 3 users can expect to receive the software patch on Monday, August 10th.
Have you received your update via AT&T and Sprint for Samsung devices, or Google if you own a Nexus device? If so, please feel free to write in and let us know.