Bart and I have talked a lot in his Security Bits segment on the NosillaCast about the problems with security on Android. It’s not that Google hasn’t produced a good operating system, and it’s not that they don’t patch security holes when they find them. The biggest problem with Android is the stronghold that the phone manufacturers and the cell carriers have over the operating system.
If you buy an Android phone from a cell carrier, it will usually have the latest and greatest version of Android. But once a new version comes out, it might be greatly delayed in delivery to you, or the carrier may never let you have it at all. That’s a problem, but a worse problem is that the cell carriers may or may not push security updates to you.
From the data, it would be logical to surmise that the cell carriers want you to upgrade to a new phone and this is a way of nudging you along. But the important thing is not their motivations but rather the effect of these actions.
Without assigning root cause, we can simply look at the data. In the show notes, I’ve put two pie charts that I created using data from independent sources. First, let’s look at iOS. iOS 10 came out in September of 2016. As of this month, May of 2017, 89.8% of iOS devices are running iOS 10. That means that just around 10% are not (Source: data.apteligent.com/…). Now let’s look at Android. Nougat is the new hotness for Android, and it came out a month earlier than iOS. As of April of 2017, 95% of Android phones are not running Nougat (Source: fossbytes.com/…).
Let me state that one more time, in the exact length of time from release, 90% of iOS phones have the latest OS, and 95% of Android phones do not have the latest OS.
So if you do want an Android phone and you do want the latest and greatest OS and more importantly you want the latest security updates, the only way to ensure that is to buy a Google-branded phone. Or at least that’s the advice that Bart and now I have been giving. That’s why when I wanted to get Project Fi from Google, I wasn’t worried about security when I bought the Google Nexus 5X.
Imagine my dismay this week when Google put up a chart explaining that they’re not going to guarantee OS updates for the Nexus 5X past September of this year, and security updates past September of next year!
Now I’m sure some of you tuned out at that because you’re thinking, “oh, she bought an old phone, these things happen.” But get this. Google is still selling the Nexus 5X! They also put the same expiration date on the Nexus 6P that they’re still selling on their site! They’re actually selling phones with less than 5 months of guaranteed OS updates. And like I said, they’re still selling them – we don’t know when they’re going to stop! With this total lack of logic, they could keep selling them after they stop guaranteeing updates for these phones.
The Nexus 5X is the bottom of the line, starting at $250 with activation of Project Fi, but the 5P starts at $400 with Fi activation, so this is no throw-away phone! Granted the Google Pixel is the new hotness (at $650 with activation) but until they have lower-end Google phones for their own cell service, it seems ludicrous to stop supporting what they’re still selling.
Google execs announced a few years back that they were going to focus the company, that they had too many projects going. But rather than do that, they seem to keep starting as many projects as before, they’re just killing them off more quickly than before.
When Allo came out from Google, my first thought wasn’t, “I should check this out because it might be cool.” Instead it was, “I wonder how long they’ll keep this going” and “Maybe I’ll wait to see if they stick with it instead of investing any time.”
It makes me sad but I’d come to peace with it. Even so, I never would have guessed that this would apply to their own hardware. I think this is unconscionable behavior on Google’s part.
After I wrote this up, I chatted with Tom Merritt and he pointed me to an article on arstechnica.com/… that explains the story a bit more. Evidently Qualcomm isn’t guaranteeing driver support for these phones past the dates given by Google, but says it’s because the handset manufacturers haven’t been asking for it. As the title of the article explains, there’s enough blame to go around. But I still think it’s unconscionable for Google to not provide security updates after a year and five months when Apple can do it five years back!