One of the big takeaways from the recent Black Hat security conference was Google announcing plans to issue monthly security updates, and that it would strive to keep us all better informed.
Adrian Ludwig, lead engineer for Android security at Google, has announced a big step in the right direction with the creation of the Android Security Updates Google Group. The focus of the group is to provide more information about security issues and bulletins, and the first post details exactly what's in the current update for Nexus devices.
A quick peek shows that they have taken the "Stagefright" issues pretty seriously, and they detail exactly why it's an issue, where the patches are in the code tree, when they (and partners) were first informed and when they started patching Nexus devices. It's technical, because it needs to be technical. But it's also well worth reading if you're concerned about security and Android.
On Episode 248 of the Android Central podcast we talked in detail about how media outlets (including ourselves) aren't really qualified to dissect most security issues, and hoped for better transparency from the folks who are qualified, such as Ludwig. We're pretty stoked about having a historical record of security bulletins and their patches from here on. This is a great resource for everyone, not just journalists trying to figure out security and Android. It's not perfect, but it's a great start.
We hope the vendors who make the majority of Android phones follow the lead here. Google telling us about updates and patches for the Nexus line and their relevant patches for AOSP is great, but knowing when Samsung or LG or Motorola is going to incorporate the fixes, which phones will get patched and when they plan to send out updates is just as important, if not more so.
For now, this is all required reading for anyone who wants to have a serious discussion about Android security going forward.
Image source: Ludwig's Black Hat slides