"That Broadcom bug makes me not want to use anything other than an iPhone or Pixel."
That's what I heard from an admittedly security conscious friend while talking about him getting a new phone. The bug being referenced here, in case you're unaware, affected over 1 billion phones that use a Broadcom Wi-Fi chip and would have been an easy way for them all to be hacked in any number of ways.
Most likely the phone you're reading this on has a nasty, exploitable bug.
You don't have to worry about it if you have an iPhone or a Pixel (or any Nexus that's still supported) or an Android-powered BlackBerry because it was patched before it was disclosed to the public. But the Pixel, late-model Nexuses and Android BlackBerrys sold in minuscule numbers compared to all the other Android phones (I'm being very generous here). That means millions and millions and millions of other Android-powered phones are still vulnerable. Including the Galaxy S8, even though every Android partner has had access to the patch as long as Google and BlackBerry and Apple have.
In "real life" this is both a problem and not a problem. One thing goes hand in hand with every announcement of malware or other tricks and tools that can be used to remotely hack a phone: it almost never happens. But it still could. Simple logic says one day it will. And unfortunately, outside of some sort of government oversight on phone software (which nobody wants), there is no way to fix it.
Not long after the release of the HTC Dream/T-Mobile G1, a security flaw was found where anyone could take control via outside software. Early iPhones all used the same admin credentials for remote logins. This sort of thing comes with the territory — all software has bugs or holes that can be exploited. These early bugs were promptly fixed and updates were sent to the phones. That's not how it works anymore, at least for Android.
All software ever written has bugs. Good software has had them patched.
Because Android is released under an open-source license, Google has no control over how it's used outside of the requirements for access to Google Play and the associated apps. It's tough to wrap your mind around that unless you're familiar with open-source software, I know. But Google simply can't force a company that makes Android phones into doing anything more than meeting a few minimum requirements designed to make them compatible with the APIs Play Store developers use to write apps. Even those are in question by courts in Europe.
This puts another company in control of the majority of the software we call Android, and with control comes a lot of responsibility. I truly believe Samsung (for example and because it is such a large part of Android) cares enough to want all of its customers to be immune to things like the Broadcom bug. But that takes work and commitment that it is unable to give. It's not that Samsung doesn't care; it is just unable to fix it as fast because of how its business works. The same goes for every company that makes Android phones, possibly even more so because none have the resources that Samsung has.
It says Android right on the box, so this is Google's problem.
Software is hard. Doing it right — patching every known bug as soon as it's disclosed — is even harder. Adding yet another middleman means it's damn near impossible.
Ultimately, all this falls on Google's shoulders. The Android name is on the box, on the phone, and on your mind when you buy a new phone. This might not be fair to the people at Google who work hard to patch bugs and issue updates or security bulletins, but that doesn't matter. Android is Google's baby. When brand new phones from any company are running Android and have severe vulnerabilities, all eyes look towards Mountain View.
Google has done things to address the problem, and it is doing even more with Project Treble. I'm sure one of the long-term goals is to fix the issue somehow, whether that means a complete rewrite of the Android underpinnings or altering the usage license or pulling a rabbit out of a hat. It knows as well as we do that it owns this problem, and rather than cry foul it is trying to address it.
I hope it can do so before it's too late, because "not wanting to use anything other than an iPhone or Pixel" is a sentiment nobody wants to hear.