For the first time since Google began monthly Android patches for Nexus devices, the world’s biggest Android maker, Samsung, has actually kept pace.
Google has rolled out fixes for 12 critical and 19 high severity Android security vulnerabilities affecting its Nexus devices, bringing the latest versions of Android 4.4 KitKat, 5.0 Lollipop, and 6.0 Marshmallow to Security Patch Level May 01, 2016.
The fixes themselves are important but the most notable part of the May security bulletin, which Google published on Monday, is what’s not explicitly mentioned in it: that Samsung for the first time has released the same fixes for its Galaxy devices in sync with Google’s fixes for Nexus devices.
Samsung’s May bulletin details 31 Android bugs and four of its own; the fixes, once installed, will bring millions of Galaxy handsets up to Security Patch Level May 01. Samsung’s bulletin means the May patch level update is on the way to its flagship Galaxy devices across the globe.
Google also announced that, as of the May patch level for Nexus devices, it has renamed the “Nexus Security Bulletin”, its monthly Android security notice, to the “Android Security Bulletin”. The name change reflects that Google’s bulletin does address Android bugs affecting Nexus devices, but may also include bugs that don’t impact Nexus devices.
“To reflect a broader focus, we renamed this bulletin (and all following in the series) to the Android Security Bulletin. These bulletins encompass a broader range of vulnerabilities that may affect Android devices, even if they do not affect Nexus devices,” Google noted on Monday.
This suggests Google could be confident that future security updates from Samsung, and possibly other Android device makers, will more closely align with its Nexus updates.
That Samsung has released its May security update in step with Google means the update should reach many millions more end-user devices than just Nexus devices, which make up less than five percent of the more than one billion Android devices that connect to the Google Play store each month.
Google has updated Nexus devices on a monthly basis since August, shortly after the Stagefright bugs were discovered. The bugs affected over 90 percent of Android devices, many of which can’t be patched, and could also be easily exploited on devices running Android 4.1 and below.
Google noted in its recent annual Android security wrap-up that LG, Samsung and BlackBerry have made statements around monthly patching. HTC has previously said monthly Android updates were unrealistic due to testing at the carrier stage.
Despite these commitments, until now only BlackBerry has successfully updated Android Priv devices within a few days of Google publishing its monthly Nexus/Android Security Bulletin, which Google times to coincide with its over-the-air updates for Nexus devices. The BlackBerry Priv and Google’s Nexus devices represent a very small fraction of the more than one billion Android devices actively in use around the world.
Since Samsung announced its monthly security update ambition last August, its updates have trailed Google’s Nexus updates by no less than three weeks. Samsung devices that are updated currently include its flagship Galaxy S series devices (S7, S7 edge, S6 edge+, S6, S6 edge, S6 Active, S5, S5 Active); its Galaxy Note series (Note 5, Note 4, Note edge); and the Galaxy A series (A5x).
If Samsung keeps pace with Google, it potentially spells a dramatic shift for Android security and could alleviate concerns over the length of time before Google’s Android patches reach end-user devices.
Samsung may even have the capability to update some of its devices before Google fixes Nexus devices. Google tells members of the Open Handset Alliance of new Android security bugs one month prior to publishing its monthly Android security bulletin. Galaxy S7 Edge devices in South Korea reportedly received the May 2016 security update in late April.