Look down at the phone in your hand. Since you're here reading Android Central, there's a good chance it's a high-end, late-model, Android-powered (that's a lot of hyphens) phone. There's also a good chance you're pretty happy with it, and it does the things you want it to do in the way you want them done. Awesome.
Unfortunately, there's an even better chance that the phone in your hands is woefully out of date when it comes to security matters. I don't mean the version of Android it's running, because we're past that. I mean the security patches you should be getting on a regular basis.
Unless you're holding a Nexus phone, you're probably not getting them, and that's something you should be concerned about.
We came close to a meltdown this year when the Stagefright exploit went public. Not because it was any worse than any previous security issue that has came about in the past, but because of the press it received. Ditto for the SSL nightmare that affected almost everyone, regardless of the operating system on their phone. Everyone was talking about these issues — including people with the time, the know-how and the means to use them against you and me.
One day, one of these security issues will blow up and someone will find a way to spread it to a whole lot of people. When (not if) that happens, we have to hope that someone has written a patch against it, and that patch is made available for the phone or tablet we have in our hands. Unfortunately, unless you have a Nexus phone in your hands, chances are you're hosed.
This ultimately is Google's problem, but it's not a problem they can ever fix. Android is not like Windows, where Microsoft provides an operating system to the manufacturer that they can install and customize. Android is given to companies like Samsung or LG as source code, which they then modify and use to build their own operating system. This means Google can't send out a security update for any phones or tablets that weren't built to their spec under the Nexus program. Google also can't force any manufacturer to update anything, because the code is freely given. The only thing Google could do would be to revoke the license to their suite of services and apps until the manufacturer updated, and then the EU and Department of Justice would quickly rip them a new orifice.
So how does this get fixed?
This is the real problem. The only people who can update or patch the software on an Android phone are the people who built the software for it. And most of them build too many different models which then have to go through carrier certifications for different parts of the world for it to ever happen. Samsung (for example) has a whole lot of really good software engineers working on its Android products. But it would be impossible to have a big enough team to stay on top of every issue for every model of every phone or tablet and get an emergency update (or even a monthly update) out to millions and millions of users. Even if they could, AT&T or Verizon or any other carrier will still need time to approve things for the models that were built specifically for them. It's a no-win situation, with the users as the biggest losers.
In other words, it can't be fixed. No matter what ideas or schemes you might read on the Internet about how to fix the Android update issues, they aren't going to work under the current model. This sounds defeatist, I know. Open-source operating systems can be very secure and promptly patched, but not when they are done the way Android is done, where nobody is willing — or able — to take responsibility for keeping the software patched downstream. Promises of monthly updates are great, and we love seeing them from the people making the phones we use every day. But they aren't (and won't ever be) happening as promised. They can't. As an example, Samsung sent out a security update earlier in October for four of their phone models. They missed the updates for August and September, and most of the phones they still sell and presumably support are as of yet unpatched. This is broken.
If all of this matters to you, you have two options. And you probably aren't going to like either. Buy a Nexus phone, or buy an iPhone. Apple and Google only sell a few models, and both have the means to quickly patch any severe software issues and send those patches out in a timely manner. Unlocked models from the big-name players in Android stand a better chance of getting an important patch on-time than customized, carrier-locked models, but as mentioned above, this is unlikely. When a security nightmare does happen, I hope they can prove me wrong.
If this doesn't matter to you (and that's fine, we won't tell you what you should care about), there is no problem. Keep on being happy with the phone you already bought and are using, and be as careful as you can to keep safe. Just know that we will worry for you. And we'll keep talking about security in a sane way to try and make things better for all of us.
I know, about now you're probably thinking that this is one of those Nexus fanboy flame-bait articles and you're ready to get into the comments and tell me I'm wrong and I should shut up. That's fine, but it's also incorrect. I realize that many people (most, if we go by sales numbers) just aren't into buying a Nexus phone for one reason or another. It's awesome that we have so many good choices when it comes to buying a premium Android phone. Your G4 or your Note 5 may work better for you, and that makes it the better phone when it comes time to spend your money.
I'm not here to say one phone is better than the others. I'm here because there is a problem that needs to be discussed. Discussion is the only way to find any real solutions.