Monthly security patches are the most important updates you'll never get

Android is broken. We're all fans here, and I'd never want to switch to any other smartphone platform for my own needs, but we all know inside that Android is broken. The introduction of monthly security patches and how most of us aren't getting them only solidifies this simple truth.

Let me explain. Android is a huge, convoluted set of source code files. It's not a standalone product, as someone needs to build the actual product from those sources and distribute it. Any of us, with a little studying and some time, can take those source files and build an operating system out of them. Because most of it is open source, we can also change anything we like to make something unique. Google the words AOSP custom ROM — all of those people have access to the same code that Samsung or LG uses to build their "Android" with. It's fabulous.

Google encourages people to look through the code, try to break everything, be sneaky as hell and find security vulnerabilities in Android. Android may not be the most "open" open-source project out there, but the way they encourage others to find bugs and exploits is really great. Cash incentives work really well for a lot of things.

Once a month, since August of 2015, Google takes the information other people have given them about bugs and exploits, and edits the code to try and prevent it from happening. Code maintenance and security patching aren't fun or easy, but they're part of responsible software development — take care of your users. They then publish these changes each month, both in the code itself and as a bulletin so we know what they did without looking at code commits. Nexus products get a small OTA security patch soon after.

Google's partners who make the phones we love get the changes a month in advance so they can also be ready to update as soon as they can. Some, like BlackBerry, are able to push these updates right away, with a short delay for carrier-branded (remember this, it's important) models. Others take a little longer, and some phones will never, ever get any security patches.

These are the important updates. We all love the idea of getting new features and a new version of the operating system, but these patches are what you need to make sure the phone you keep your digital life inside is fit to use. Read some of the exploits addressed the next time Google announces their monthly patch notes. That's some scary stuff, and one day someone is actually going to release some bad software that takes advantage of all the unpatched phones. A bona fide Android security apocalypse is a real possibility.

That is broken. That needs fixed.

Security patch level under 9000

But fixing it is almost impossible. Companies modify the source code in ways that mean Google's updated code can't just be dropped in and everything rebuilt. Maybe they shouldn't be messing with the core of Android itself, but it's open and they can. Remember, companies want Android to work with their software and services as well as they can make it. This means they have to do much of the work fixing these issues themselves, and that takes time. And they have their own security issues to worry about with software they wrote in-house.

Sometimes, these companies also make "special" variations of their phones for carriers. Just because your phone says Samsung Galaxy S6 on the back doesn't make it the same as the one made specifically for Verizon or AT&T from a software standpoint. These phones are made to the carrier's specifications, and they get final say over software changes. All of this makes the complicated process of updating a phone even more complicated. Add in the fact that people building phones think some models aren't worth the time and money it takes to update them (and that is even more broken) and all of this is why most of us aren't getting the updates we deserve that make our phones safe.

We all want Google to step in and fix all of this, but the way Android works makes it almost impossible. Things could be rewritten so that the code is more compartmentalized and certain areas could be independently updated (kind of the way Google broke out the WebView component) but that would mean almost starting from scratch. And companies would still get in and muck with things because it's open, and they can. Then we're back where we started. Some people even think Google should stop allowing companies to use their services if they can't keep their phones updated, but legal issues mean that will never happen. Stop saying it.

The only reasonable way to fix this whole mess is for companies using the Android code to build phones (and tablets, and laptops and microwaves) to be more responsible. We thought that was going to happen when people like Samsung and LG promised monthly updates, but instead we got a few updates on specific versions of a small handful of models. And a bunch of broken promises.

We're going to see a slew of new phones from just about every company out there at MWC in the coming days. Unfortunately, most of them won't be getting the updates they need to keep them safe and secure. Remember this when you spend your money on your next.

Jerry Hildenbrand
Senior Editor — Google Ecosystem