For the first time Samsung’s and Google’s Android security fixes sync up

For the first time since Google began monthly Android patches for Nexus devices, the world’s biggest Android maker, Samsung, has actually kept pace.

Google has rolled out fixes for 12 critical and 19 high severity Android security vulnerabilities affecting its Nexus devices, bringing the latest versions of Android 4.4 KitKat, 5.0 Lollipop, and 6.0 Marshmallow to Security Patch Level May 01, 2016.

The fixes themselves are important but the most notable part of the May security bulletin, which Google published on Monday, is what’s not explicitly mentioned in it: that Samsung for the first time has released the same fixes for its Galaxy devices in sync with Google’s fixes for Nexus devices.

Samsung’s May bulletin details fixes for 31 Android bugs and four of its own that, once installed, will bring millions of Galaxy handsets up to Security Patch Level May 01. Samsung’s bulletin means the May patch level update is on the way to its flagship Galaxy devices across the globe.

Google also announced that as of the May patch level for Nexus devices it has renamed the “Nexus Security Bulletin” (its monthly Android security notice) to the “Android Security Bulletin”. The name change reflects that Google’s bulletin addresses Android bugs affecting Nexus devices, but may also include bugs that don’t impact Nexus devices.

“To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices,” Google noted on Monday.

This suggests Google could be confident that future security updates from Samsung, and possibly other Android device makers, will more closely align with its Nexus updates.

That Samsung has released its May security update in step with Google means the update should reach many millions more end-user devices than just Nexus devices, which make up less than five percent of the more than one billion Android devices that connect to the Google Play store each month.

Google has updated Nexus devices on a monthly basis since August, shortly after the Stagefright bugs were discovered. The bugs affected over 90 percent of Android devices, many of which can’t be patched, and could also be easily exploited on devices running Android 4.1 and below.

Google noted in its recent annual Android security wrap-up that LG, Samsung and BlackBerry have made statements around monthly patching. HTC has previously said monthly Android updates were unrealistic due to testing at the carrier stage.

Despite these commitments, until now only BlackBerry has successfully updated its Android Priv devices within a few days of Google publishing its monthly Nexus/Android Security Bulletin, which Google times to coincide with its over-the-air updates for Nexus devices. The BlackBerry Priv and Google’s Nexus devices represent a very small fraction of the more than one billion Android devices actively in use around the world.

Since Samsung announced its monthly security update ambition last August, its updates have trailed Google’s Nexus updates by no less than three weeks. Samsung devices that are updated currently include its flagship Galaxy S series devices (S7, S7 edge, S6 edge+, S6, S6 edge, S6 Active, S5, S5 Active); its Galaxy Note series (Note 5, Note 4, Note edge); and the Galaxy A series (A5x).

If Samsung keeps pace with Google, it could spell a dramatic shift for Android security and alleviate concerns over the length of time before Google’s Android patches reach end-user devices.

Samsung may even have the capability to update some of its devices before Google fixes Nexus devices. Google tells members of the Open Handset Alliance of new Android security bugs one month prior to publishing its monthly Android security bulletin. Galaxy S7 Edge devices in South Korea reportedly received the May 2016 security update in late April.
