Google and the companies that make phones with Android have become pretty good at keeping everything up to date to protect our online security and privacy. Mostly. These are the important updates, even if they are not the glamorous kind.
A lot of work goes into an Android security update. Probably more than you think, and from more companies than you realize, too. When you get all the way down to brass tacks, the company you are not thinking about is doing most of the work and playing the most important role.
So many smart parts
Your phone is not just a piece of metal and glass filled with Android magic. It is built using thousands of different parts, many of which run a bit of code inside them so that they can function. One of the most important of these parts is of course the SoC (System on a Chip) inside. Not only is the chip the most powerful part of a phone, it is usually the most vulnerable when it comes to exploits that affect our security and privacy.
Example: Check Point Research has just released some news about a vulnerability (it has since been fixed or is being fixed on all affected devices) inside the chips that drive about two-thirds of all Android devices.
Long story short, 11 years ago Apple released some open source code that was used for audio decoding. It has changed over the years, but it is still in use today. That’s what’s great about open source code – anyone can use it, make it better and share it with everyone else.
Qualcomm and MediaTek both use some variant of this code, and hackers (the bad kind that no one likes) have found a way to exploit this code to do things like stream video from your camera without you knowing it, or even get permission to install malware or take control of everything. That’s bad news.
You do not have to worry about this because all the best Android phones have already been updated with a patch that prevents these hackers from doing any of this. But soon enough, another similar – or worse – vulnerability will be found.
Google cannot fix this
We like to go on and on about how important it is for Google to do what it takes to get the latest security-focused updates to every user. But it’s an important task, because Google cannot just make a patch and force it out to every phone; the manufacturer needs to be involved. Google can patch a Pixel phone, but Samsung has to patch a Galaxy phone. Samsung does a great job, but not all phone manufacturers care so much.
All this aside, even if all phone manufacturers and Google worked together to ensure that all Android patches are sent out, a vulnerability like the one described above would not be fixed. This is because neither Google nor the company that built your phone can correct the code provided by Qualcomm or MediaTek or any of the other vendors whose parts contain a bit of code they need to work properly.
Fortunately, companies like Qualcomm, MediaTek and Nvidia are really good when it comes to quickly patching vulnerabilities and passing the patches to their customers. Qualcomm, for example, patched the audio decoder exploits and then forwarded everything Google needed to Google and everything the phone makers needed to them.
Of course, this is probably a condition of any service contract, but the timeliness and complicated work of finding and correcting a bug or exploit is still a big deal, and whatever you may think of a company that supplies microprocessors – or even if you never think about them at all – they deserve some recognition.
You also have to do the right thing
Some of us can not wait to get some kind of update. Whether it’s for an app or a security patch or even the next version of Android, we’ll keep an eye on it and install it as soon as possible. Some of us even sign up for beta access to try it out before it’s ready.
But for many people, installing an update on their phone is just a pain. It usually means you have to restart your phone, and you do not even seem to get anything out of doing so, so the notification is just swiped away. It will come back, and you can “do it later.”
Do not be that person. As you can read above, patching software is an endless process that involves a lot of hard work and everything is done to make your phone and online experience more secure. Sometimes it forces changes on people that they might not like or that app developers are not ready for, but no company spends time and money building software patches because it’s fun.
You are also not the only one who is affected when it comes to poor security. People around you do not want to be spied on without anyone knowing, and if a malicious app can gain access to your contacts, the privacy of others may be invaded. Yes, it can happen. Anything can happen when you have a lot of people looking for a way to create problems in a system as complicated as the software that runs a smartphone.
When you see that announcement of an update, remember how hard so many different teams worked, why they did it, and how it will only take a few minutes for you to get on board and install it.