Google and the companies that make phones using Android have gotten pretty good about keeping everything updated to protect our online security and privacy. Mostly. These are the important updates, even if they aren't the glamorous kind.
A lot of work goes into an Android Security update. Probably more than you think, and from more companies than you realize, too. When you get right down to the brass tacks, those companies you aren't thinking about are doing the most work and play the most important role.
So many smart parts
Your phone isn't just a hunk of metal and glass filled with Android magic. It's built using thousands of different parts, many of which run a bit of code inside of them so they can operate. One of the most important of these parts is, of course, the SoC (System on a Chip) inside. The chip is not only the most powerful part of a phone, it's usually the most vulnerable when it comes to exploits that affect our security and privacy.
Case in point: Check Point Research just released some news about a vulnerability (it's since been patched or is being patched on all affected devices) inside the chips that power about two-thirds of every Android device.
All software has bugs and unknown exploits and it always will.
Long story short, 11 years ago Apple released some open-source code used for audio decoding. It's been modified over the years but it's still in use today. That's what's great about open-source code — anyone can use it, make it better, and share it with everyone else.
Qualcomm and MediaTek both use some variant of this code and hackers (the bad kind that nobody likes) have found a way to exploit this code to do things like stream video from your camera without you knowing, or even get permission to install malware or take control of everything. That's bad news.
You don't have to worry about this one because all of the best Android phones have already been updated with a patch that stops these hackers from doing any of this. But soon enough, another similar — or worse — vulnerability will be found.
Google can't fix this
We like to go on and on about how important it is for Google to do whatever it takes to get the latest security-focused updates to every user. But that's a momentous task because Google can't just make a patch and force it out to every phone because the manufacturer needs to get involved. Google can patch a Pixel phone, but Samsung has to patch a Galaxy phone. Samsung does an awesome job, but not every phone maker cares as much.
All this aside, even if every phone maker and Google got together to make sure all the Android patches get sent out, a vulnerability like the one described above wouldn't be fixed. That's because neither Google nor the company that built your phone can fix the code provided by Qualcomm or MediaTek or any of the other vendors that provide parts that include a bit of code needed to operate correctly.
Google can't fix what it doesn't make itself. Neither can Samsung or OnePlus or any other company.
Thankfully, companies like Qualcomm, MediaTek, and Nvidia are really good when it comes to quickly patching vulnerabilities and passing the patches along to their customers. Qualcomm, for example, patched the audio decoder exploit then forwarded everything needed by Google to Google and also forwarded anything the phone maker would need, too.
Of course, this is probably a condition of any service contract but the timeliness and complicated work to find and patch out a bug or exploit is still a big deal and no matter what you might think about a company that provides microprocessors — or even if you never think about them at all — they deserve some recognition.
You need to do the right thing, too
Some of us can't wait to get an update of some sort. Whether it be for an app or a security patch or even the next version of Android, we watch for it and install it as soon as we can. Some of us even sign up for beta access to try it before it's ready.
But for a lot of people, installing an update to their phone is just a pain in the ass. It usually means you have to reboot your phone and you don't seem to even get anything cool from doing it, so the notification just gets swiped away. After all, it will come back and you can "do it later."
Don't be that person who ignores and never installs updates. A secure and more private experience depends on all of us doing it.
Don't be that person. As you can read above, patching software is a never-ending process that involves a lot of hard work, and every bit of it is done to make your phone and online experience more secure. Sometimes it forces changes onto people that they may not like or one that app developers aren't ready for, but no company is spending the time and money on building software patches because it's fun.
You're not the only one affected when it comes to poor security, either. People around you don't want to be recorded without anyone knowing and if a malicious app can get access to your contacts someone else's privacy could be invaded. Yes, that can happen. Anything can happen when you have a lot of people looking for any way to cause trouble in a system as complicated as the software that powers a smartphone.
When you see that notification about an update, remember how hard so many different teams worked, why they did it, and how it will only take a few minutes for you to get on board and install it.
