Skip to main content

Google's Android Security Bulletin for July 2016 has two patch indicators

Welcome to another thrilling episode of Important Things Google Fixed with your host, Android Central! Every month for over a year now, Google has been releasing monthly updates to keep as many Android phones as possible more secure than they were the month before. During that time we've seen some of Google's partners make a real effort to deliver those updates every month, while other fall a little short when it comes to keeping their users safe.

Every month the list of things Google and their partners have discovered and fixed in Android is a little different, but unlike previous patch updates this month there will be two different indicators that your phone is up to date. We've got a quick breakdown of what those two dates are, and what they mean for the security of your phone.

Patch Level — July 1, 2016

In every month but one so far, the patch level on your Android phone has been marked as the first of whatever month that update was released by Google. For many users, this month will not be any different. The July 1 2016 patch this month is a list of Android includes fixes for remote code execution vulnerabilities in the Mediaserver, as well as in OpenSSL and BoringSSL. Google has also fixed 12 different elevation of privilege vulnerabilities across Android, and dealt with Denial of Service vulnerbilities in libc and Mediaserver.

A complete list of the vulnerabilities addressed in this month's patch can be found on the Google Developer Site. Google has not found any evidence to suggest active customer exploits are happening using any of the vulnerabilities that have been fixed in this patch.

Patch Level — July 5, 2016

This second patch includes everything you'll find in the July 1 2016 patch, but also includes patches for a great number of drivers in Nexus, Pixel, and Android One hardware. This includes fixes for Qualcomm, Mediatek, and Nvidia drivers that address a significant number of components across Google's hardware lineup. These driver fixes can be applied to non-Nexus hardware, but may require additional work on behalf of the hardware manufacturer to ensure stability with their existing firmware.

A complete list of the vulnerabilities addressed in this month's patch can be found on the Google Developer Site. Google has not found any evidence to suggest active customer exploits are happening using any of the vulnerabilities that have been fixed in this patch. You can head to Google's OTA page for factory images with this patch for your Nexus phone.

What happens if I only have July 1, 2016?

Google's decision to split these two groups of patches out does not necessarily mean that your phone is less secure if you have July 1 instead of July 5.

Devices that use the July 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use July 1, 2016 security patch level may also include a subset of fixes associated with the July 5, 2016 security patch level.

It's not overly likely we'll see any manufacturer release a July 1 and a July 5 update this month, but Google's decision to split the updates up like this hopefully means more phones will get the much needed July 1 updates with the expectation that the applicable July 5 updates would be applied with the August update. Like all previous updates, Google's were notified of the issues found and fixed in this update 30 days ago. Keep an eye out for which update your phone gets!

Russell is a Contributing Editor at Android Central. He's a former server admin who has been using Android since the HTC G1, and quite literally wrote the book on Android tablets. You can usually find him chasing the next tech trend, much to the pain of his wallet. Find him on Facebook and Twitter

  • Cool ig Posted via the beautiful honor 5x with Android m ui theme
  • This article is very difficult to understand. I have no idea what I read and still don't understand why 2 different patches and if I should expect either or both of these updates on my Nexus 6. Posted via the Android Central App
  • Yeah they didn't break it down very well for the "non-tech" people. 
  • July 1 is the regular monthly update with fixes that can apply to all of Android, July 5 is July 1 plus driver fixes for a variety of devices that use them. Some devices will want July 5 and some don't have affected drivers and won't need it.... I think. Posted via the Android Central App
  • It's fairly easy. Use the newest image tgz for your device and you should be good.
  • To clarify for my N6, by applying the OTA patch of MOB30O, (which is the 2nd new patch posted since the June 2016 patch of MOB30M), I will be applying the July 5th patch, which also includes everything from the July 1 patch? TLDR - just apply the MOB30O and I'm done?
  • Yerp.
  • The Nexus 6 is a special case, though, since the OTAs are still split between two different levels, MMB and MOB. It could be that MOB30O is the 7/1 patch and the 7/5 patch hasn't made it to the factory images page yet. Only flashing will tell.
  • EDIT: Duh, copied what you already wrote. My bad. I'm going to assume the 30O is both July 1 and 5. Flashing the 0O and will see what I get. EDIT #2: Confirmed. Sideloading the MOB30O OTA patch only produces a patch date of July 5th.
  • I'm not sure why they didn't just include them all in one patch. I feel this is one more thing that is going to slow down OEM's with the security updates. Make it all one patch, and include everything under that patch.
  • This will actually make it easier. The July 1 patch is for Android. The code Android, not a phone Android. The July 5 patch has device-specific fixes for Qualcomm and other vendors in it. None of that is part of Android.
  • But it says it's for Google branded devices only? This is a terribly written article. Posted via the Android Central App
  • Exactly. Jerry, they should let you write all articles that involve things of this nature. You break it down so much better, and make it easier to understand. 
  • And does anyone know if monthly security patches are issued to devices running the N Developer Previews? I started with DP3 and am now on DP4 and I have not seen a security patch since leaving MM. NEXUS 5X on AT&T on N DP4
  • July's patch should be included when beta 5 comes out in a couple weeks
  • Wouldn't the July 5th patch be enough?
  • Yep, the July 5 level includes everything from July 1.
  • Probably true that a manufacturer won't bother with both. Blackberry skipped the July 1 version and released the July 5th level, some started updating on July 4.
  • From what I've read Google made all the manufacturers do a code audit. The July 5th is to address any issues from that audit. So if you don't get the July 5th update it will be included in the August one. Posted via the Android Central App
  • Wat Posted from my cracked Nexus 6/Nexus 7 2013/Surface Pro 3
  • How do I flash these on my moto g 3rd gen? Posted via the Android Central App
  • So when can we expect an OTA notification for the Nexus 6? Posted via the Android Central App
  • I need the ELI5 version of this article cuz I just had my eyes glaze over trying to read it. Posted via the Android Central App
  • I haven't gotten either yet on my Nexus 6p. This makes me sad. Posted via the Android Central App