Pixels, a lot of Nexus devices, and a few names that are a welcome addition.
A previous version of this article noted BlackBerry was not included on the list. After further review, the Google provided documentation shows they were, specifically the BlackBerry Priv.
In its 2016 Android security year in review post, Google highlighted steps it has taken over the course of the year to thwart malware and malicious apps on the Play Store. The company said that only 0.05% of apps downloaded from the Play Store in 2016 had a Potentially Harmful Application, down from 0.15% in 2015. Verify Apps — which periodically scans your phone for harmful apps — conducted 750 million daily checks in 2016.
Google has also collaborated with manufacturers and chip vendors like Qualcomm, MediaTek, and NVIDIA to address known vulnerabilities via monthly security patches. Over the course of the year, that included fixing 655 vulnerabilities — more than half of which were of a high severity, a 275% increase from 2015. The company said that it has delivered a security patch to 735 million phones covering more than 200 manufacturers and over 2,000 models, or roughly half of the 1.4 billion Android devices active today.
Google is now working to get updates delivered faster and to more devices, and in the process has shared phones that have received a "60% to 95%" update rate. Google checked Play Services for devices that ran the October security patch or higher during the month of December, and found that these were some of the devices that received quick security updates. Unsurprisingly, the list has a lot of Nexus phones:
- Google Pixel
- Google Pixel XL
- Motorola Moto Z Droid
- OPPO A33W
- Nexus 6P
- Nexus 5X
- Nexus 6
- OnePlus 3
- Samsung Galaxy S7
- Asus Zenfone 3
- bq Aquarius M5
- Nexus 5
- Vivo V3 Max
- LG V20
- Sony Xperia X Compact
- BlackBerry Priv
What is included in the list is the Vivo V3 Max, a best-seller in Asia last year. With Vivo and OPPO steadily gaining ground — they're now the fourth- and fifth-largest smartphone vendors globally — it's great to see these Chinese companies commit to regular security updates.
Asian markets are skewed toward mid-range devices, and it's telling that not a single phone from HTC, Huawei, Lenovo, and Xiaomi made the list. Samsung is also at fault here. Although the S7 picked up regular updates, the Galaxy J series — the company's best-selling lineup in India — is not featured, nor are any devices from the Galaxy A series.
Going forward, Google said that it would work closely with its global partners to streamline the update process, which should hopefully see more devices getting security updates on a monthly basis. If you're interested in the findings from the Android Security team, check out the webinar below:
Reader comments
These are the phones that receive regular security patches, according to Google
I don't understand. In the original documentation, BlackBerry is listed.
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2016_Report_Final.pdf
The ZTE Axon 7 got the latest security updates along with Android 7.1.1 recently. And the jump from 7.0 to 7.1.1 was pretty quick - so not bad there.
Problem is they sat on 6.0.1 for months while they were working on 7.0, and stopped releasing security updates for their 6.0.1 build. In other words, if the OEM only focuses on Android version updates - even if they're pretty quick (relative term) about those, you end up going without security updates for months. That's rarely a serious problem - except for when it is. And of course, when the version upgrades stop coming, so do the security updates. That's why you should never buy a device that is not unlockable - i.e. ROM'able. Unless you plan to throw it away in 2 years.
HTC ,10
Mate 9 has gotten one every month it's been out this year.
They also didn't get the Z Force Droid which has also been getting them updates along with the regular Z.
My Note 4 gets updates every month. My V20 rarely gets any updates.
I can confirm my Moto Z Force Droid gets these updates...
There is something wrong here. Every single, and I am not joking about this at all, every single BlackBerry device running Android gets current security patches. Whether users install them is another issue, but they are certainly offered up as an option. Most times the security patches come out before Google even pushes them to the Pixel devices. I don't understand the omission at all.
Very suspicious leaving BlackBerry out, I own 2 Dtek60, a PRIV and a Dtek50 and all of them get the patches days before or after my Nexus. Usually the Dtek50 and Dtek60 2 days before the PRIV.
TMobile Nexus 6...Still on 6.0 and no security update since November 2016 :(
HAHA HAHAHA LG V20! ARE YOU KIDDING ME? I bought it the day it came out and am still on the December patch. Is this a joke?
Still counts according to the criteria Google used.
"Google checked Play Services for devices that ran the October security patch or higher during the month of December"
The US unlocked version of the Samsung S7 has not had security updates in months.
Surprised only the Xperia X compact is listed. no XZ, Z5 premium? seems odd the flagships are not included.
Factory unlocked BlackBerry's are always within a few days. What's the deal with that list?
As weird as it sounds but the Verizon version of Samsung's Note 5 should be part of that list. Have been getting security updates every month so far (knock on wood). Hoping for Nougat now and a continuation of the frequent security patches.
Does anyone know if the "Motorola Moto Z Droid" being on the list *includes* the "Motorola Moto Z Droid Force" as well? I'm asking because I thought those two phone pretty much had identical factory ROM's (as they only had slight differences in hardware, such as battery size, shatter-resistant screen, etc.).
I have the Moto Z Force Droid and so far it gets the security update approximately 30 days after they are released.
Same here.
My PRIV doesn't get the security update until about 2 weeks after it releases. Not entirely sure why.
60% of what? How/why is this number calculated?
Half the comments here don't/can't understand how BBRY isn't on this list given the fact we've been getting updates on more than several occasions before nexus'.
Very odd!
"Google checked Play Services for devices that ran the October security patch or higher during the month of December"
Weird...my Verizon PRIV had the current security patch during the month of December. I will echo the sentiment that it's awful weird/suspicious that they left BlackBerry off of this list. In fact, since VZW finally dropped our MM update last fall, we've been receiving the monthly security update usually within a week of it coming out. This month was a few days later but no biggie.
I have been very pleased with the updates hitting my Moto z force
My AT&T Note 4 still gets the latest security patch each month.
No galaxy note 5. I guess Samsung quit supporting it.
No the Note 5 is still getting updates c, although it's the Feb 1 update.
Unfortunately, many manufacturers/carriers don't patch their phones regularly. You have to wait months for an update.
This is the biggest problem with Android
Wait, I receive them every month on my Note 5.
My Priv is on the March security update and has been on schedule so far, and it's on Verizon too . . .
Same here...since the MM update dropped last fall, we've had consistent security updates every month.
Zenfone 3????
Very strange BlackBerry is missing. I've received every security update within a week of release from my PRIV and now my dtek60.
Very strange indeed. I'd really love to see the reasons why BlackBerry was not included.
I agree with everyone asking where Blackberry is. My Priv has recieved security update same day as Google phones.... That is suspicious omission.
The*Samsung s7 is on there, which surprises me as unlocked s7 Edge in Europe is on December 1st 2016
Report was ran when your phone would have shown as current.
"Google checked Play Services for devices that ran the October security patch or higher during the month of December"
My Nexus 5 got the October security update but hasn't had any since.
I didn't expect the Moto Z on that list.
Haven't got new patches. I'm not sure if systemless root and a custom recovery have got to do with it not getting OTA notifications.
Custom recovery usually means no OTAs.
I'm not sure if it has changed, but usually, even when you're rooted and have a custom recovery, you can still receive OTA updates. However, they will fail to install.
Great -- 10 non-Google phones out of the dozens and dozens are the only ones getting regular security updates? And what -- maybe 5 phones on the planet are running 7.1? This situation has gone from bad to worse to unacceptable. Google should have and should be forcing any phone manufacturer to get with the program or lose their license. And don't tell me it's the carrier's fault -- Google should come down hard on them also.
Google doesn't care, or I should say they're not overly concerned. Google / Android has what about 75% of the phone market World wide. There's no incentive for them to do so until they start losing market share they won't care.
The fact that they have so much market share is why they can't do what the original comment was suggesting. Such actions would cause Google to run into antitrust trouble (they're already being probed over such actions in the EU).
For security patches no anti trust there.
Unfortunately, the various regulators (particularly the EU) wouldn't see it that way. They'd see it as another attempt at abusing a dominant market position.
OK fine leave Europe out of it I mean it's really that simple. There's really no excuse for it in the United States Central and South America Africa Asia but like I said Google doesn't care or should I say not concern
But the EU investigations (not sure if they actually led anywhere as it's been ages since I last heard anything about them) would make Google extra cautious globally. That's why you don't see them forcing OEMs to release monthly security updates in a timely manner. Bear in mind that they already give the OEMs access to these updates well before they release the monthly bulletins.
This won't happen because Google would run foul of antitrust regulations. The EU are already probing Google over such things.
I have a LG V20 on Sprint, security patch is December 1st 2016.
I have a T Mobile V20 and I'm also on December 1st 2016 security update.
This report was compiled in December, so at the time the V20 met the criteria.
"Google checked Play Services for devices that ran the October security patch or higher during the month of December"
OK, that explains, I am far from happy not seeing updates in over 90 days
If only google could spread the security updates in different package, regardless of phone, even distribution to all phones, that would be perfect.
They do kind of do that with Google Play Services updates. And really, the security updates pushed through Google Play, which make it much harder to install malicious apps from the Play Store (and elsewhere) and prevents those apps from doing evil stuff with your data, are just as important as the OS-level security patches in terms of real world use. Your average Android user is a LOT more likely to have information stolen after installing a Super Mario Run clone from a dodgy Chinese company than after getting an SMS with a Stagefright exploit, you know?
I'd add the Sony Xperia XZ to that list. I've been getting the security updates every month. My Xperia XZ is on 1st March 2017 patch
Odd that BlackBerry you didn't make the list.
Nor did any of the high end Samsung devices. My Note 5 and retired GS6edge are still seeing updates
Or security patching could have been core OS functionality.
Google is using manufacturers as Somebody else's problem -field to hide that it's their decision that keeps most of devices from receiving security updates.
There's really nothing Google can do about it. The core Android code is open source which means anyone can take that code and customise it to create their own vision of what the OS should look like (this is how you get TouchWiz, EMUI, LG UX and other OEM skins).
Telephony, core OS, UI. Manufacturers could customize first and last as they want, core should be optimized already and usable as-is. Then, if someone wants to meddle with that to effectively disable updates, it's their choice...
When there is a will, there is a way. Security issues have been known to exist for 5 or 6 android generations . Enough time to advance. Wasted opportunity. And AGAIN nothing is done to improve the situation.
There is everything Google can do, the question is why they don't. Maybe to highlight Nexus and Pixel - made for Google?
When is Google going to update my old version of Open Office?
Exactly the same as Google updating software that Samsung created and controls. Android is not a thing, it is a bit of source code that only belongs to Google when they compile it for their phones.
Every time the finger gets pointed at Google the problem will get worse because the company actually responsible is off the hook and will care even less.
Google is only responsible for their apps on phones they do not sell, no matter how many people think differently.
People seem to think that the only customizations are the launcher, but the code changes go much deeper than that. I seem to remember you saying something in a podcast a few years back to the effect of that the code if the GPE Phones had more in common with the original manufacturers version than a Nexus.
I think that's because the launcher is the user-facing part of any OEM skin. The user doesn't see the deeper customisation of the base Android code.
Really? :)
"Android is continually developed by Google and the Open Handset Alliance" - https://en.wikipedia.org/wiki/Android_version_history. So Google might have something to do with Android.
OO probably does not get too much input from Google, as it has own online office suite. Google also didn't update my W10, DVR, Eclipse nor Arduino IDE. And I didn't expect them to do that.
-------------------------------
But let's say, to be correct, that Google _and OHA_ have missed opportunity to make parts of core OS between cellular and UI updateable and patchable for many years and no improvement is in sight. Simple CI systems (at Samsung et al - or at Android) could build, test and deploy patches immediatelly instead of building almost full OS requiring extensive testing and validation from operators (maybe once or twice, because the process is so heavy and developers are best used in new development).
Would you still choose your way?
Yes Google contributes to the Android code (as do other OEMs). The code itself however is still open source which means it can be tinkered with to create the various customised OEM visions of how Android should look and behave.
My Nexus 5 hasn't received a security patch in months.
Likewise. My backup Nexus 5 records last security update as October 2016.
Google abandoned that device.
How can they not include BB?
Hopefully this means punting the carriers out of the way (most of the time it's them causing delays).
Rubbish! I don't believe Google got the result right... BlackBerry is supposed to be number 1 on the list.
It is total BS. We have a couple DTEK50 devices and security patches were / are within the first week of the security patch release for the shop BlackBerry purchased. The B&H purchased tan a week or two later. Someone at Google or in putting this article together gaffed.
Lol, you don't believe Google has the information as to who is pushing their own security updates out right?
wait what about blackberry's commitment with priv/dtek? thought they were quick with updates too? I'm waiting for the keyone and i sure hope that makes it on a future list like this..
My PRIV has received every security patch since I've had it (December 2015)
Thrawt....
Totally glossed over that as I was reading through. Thanks.