Vague announcements of monthly security updates mean nothing if we don't know when (or if) phones will see updates.
Update Feb. 26: Samsung's February update has now been disclosed. Whether you'll see it on your phone anytime soon remains a question.
Perhaps we should thank last year's "Stagefright" security freakout. The vulnerability deep inside the Android operating system was dubbed a "unicorn" by the researchers who discovered it (never mind that it's not known if anyone was ever actually affected by it) and sent Google and its downstream partners scrambling for fixes. And within a matter of days, Google announced that the Android Open Source Project and Google's own Nexus line would see monthly security updates independent of major maintenance releases. You can find up-to-date information on those updates here.
That is a good thing (in addition to all the server-side protections Google has in place), and is no small undertaking.
Since the Stagefright scare last fall, anyone who's anyone has begun taking a long, hard look at security updates. Google, even, has made it a requirement for devices to display the date of their most recently installed update in the "About" section on the phone or tablet. (Or TV — whatever.) We're placing a greater emphasis on updates in our evaluation of products, both in terms of the software a device ships with, as well as in the long-term updates received.
Nobody's doing as well as Google, of course. The Nexus line was the first to show the Oct. 1, 2015, patches. And early each month since we've received updates and blog posts from Google explaining what's in each update.
Samsung, as you'd expect from a manufacturer of its caliber, quickly followed with its own security website. It's basic, and largely mirrors Google's own security bulletin. But there's a very big difference between announcing updates, and actually rolling them out to devices. Samsung says the maintenance release is for "major flagship models" — and if you poke around more on Samsung's rudimentary site you'll find they're talking about the Galaxy S6 and its "edge" variants, the Galaxy S5, Note 5, Note 4 and Note edge, and the Galaxy Tab S2 and Tab S tablets.
But you don't have to look far for the footnote: "Models list may vary depending on regions and carriers."
And that's the rub.
My Verizon Galaxy Note 5, for example, is still on the November 1, 2015, security update. That's not a small phone on a small American carrier. That's the Note 5, on Verizon. And according to data from the Google Play Developer Console — which keeps track of all different models of phones that access the store for app compatibility reasons — that's just one of the 14 Note 5 listings (you'll often see a single model referred to as a SKU). The Galaxy S6 line is worse; there are 44 listed models, between the GS6 proper, the GS6 edge and GS6 edge+. The Galaxy S5 and S5 Mini add another 34 to that list. The Note 4 adds another 18.
That's 110 SKUs of phones that need to be supported by these new security updates. And myriad cellular operators — and not just in the United States — that need to be handled before many of those updates will ever make it to our phones. I don't envy Samsung — or any of the manufacturers — in this. It's a hugely important task, and a damned near impossible one, given the shotgun approach employed by most manufacturers.
Any real improvement here will take a few steps. Some drastic, others not so much.
Samsung needs to be more specific about which phones are actually getting updates — and when the new software is available.
First, Samsung needs to be more transparent in its update announcements. Vague statements about "flagships" don't do a whole lot for the folks actually holding the phones, even when (or especially when) we're getting the same vague statement every month. The static, black-and-white web page doesn't help, either. Users need to be able to search for their phone and know where it stands. And if it's more than a month behind, we need to know why. Is it held up in carrier testing? Is there some other factor at work? We put a lot of trust into the manufacturers — and more trust in Samsung than just about any other — and so they need to trust us to be able to handle more than a vague (and not particularly well-worded) "releases a maintenance release" statement.
And then Samsung needs to make sure updates actually hit phones in a timely manner. Having 110 SKUs of supported phones doesn't help. (And it's certainly possible that software updates could overlap models.) But if any of the manufacturers outside Google is in a position to fix this, it's Samsung.
Maybe it'll make some progress this year with the Galaxy S7. But let's not break our arm patting anyone on the back for presenting us with an updated blog post of what mostly is Google's security changelog — at least not until updates consistently reach our phones and tablets.