Android Update Infrastructure
June 26, 2013 10:04 AM

I'm thinking about replacing my current mobile phone with an Android device and I'm having a hard time understanding how the Android update / security patch infrastructure for the core system is supposed to work.

I understand how this works on, let's say, a computer running Windows XP: until extended support ends in 2014, Microsoft will provide fixes which are downloaded by Windows Update from a Microsoft server. Or if I'm using Debian squeeze, I can expect fixes until May 2014. Updates are announced to the Debian security mailing list and I use the package manager to install them. Compared to these examples, the situation on Android seems quite a bit ... opaque.

Let's say there's a bug in the network stack or the default web browser or the Dalvik VM that can be (remotely) exploited. It is discovered and fixed in the source code. Next, according to [1] "OEM/carrier will push an update to customers"; Nexus devices will receive these updates directly from Google [2].

In my case the phone (not a Nexus) would be store bought (unlocked) without any carrier customization. I would keep my current SIM and therefore of course my current wireless provider.
Would this phone receive a patch for that hypothetical vulnerability directly from the phone manufacturer (Samsung, HTC, ...) or is the provider (carrier) somehow involved in this process? I'm living in Central Europe if region matters.

Often I see advertisements for cell phones that were released a few years ago and come with an old version of Android, for instance 2.3.x. I somehow doubt that the manufacturer still provides updates to keep those devices safe.
Is there some kind of list or project that provides information on which devices don't receive (security) updates anymore?
It would help to find out which of the manufacturers are likely to discontinue support early on so I won't shower them with my hard-earned money. ;) There's a blog entry [3] with some information; I would love more information in this direction.

Thanks for reading and for any answers or directions to relevant reading material!

posted by mirage pine to Technology (5 answers total)

Best answer: I don't have specific references off the top of my head here...feel free to skip my post if those are must-haves.

As for updating your phone - your carrier shouldn't be at all involved if you purchase it unlocked. There are software flags that specify whether your phone pays attention to the OEM update servers or the carrier update servers. So you shouldn't have any problem getting updates as soon as the manufacturer makes them available. How quickly that happens though...

As a general rule, manufacturers don't continue offering updates for very long, as devices and individual software versions have very short life-cycles. As you noted, some are better than others though. In general, you can probably count on one hand the number of updates your phone will receive in total, from introduction to market through end-of-life. Unless the bug is critical or the vulnerability so wide-open that it can't be avoided by issuing an alert and changing user behavior, manufacturers will roll security updates into version upgrades instead of issuing small patches that might break something else.

My suggestion, if you're looking for quick response to code base changes without a Nexus device, is to run a custom ROM. Many ROM developers use stock Android code and add their own customizations - so if Google updates their code to patch a problem, you'll see it trickle down to your ROM in a matter of days, not months as the OEMs and carriers tend to do. Even developers that patch, alter, and expand upon the OEM ROMs (instead of stock Android) still can and will incorporate any base code security patches into their ROMs where possible.

There are several custom ROMs to choose from, ranging from those that slightly tweak and improve your device's stock configuration, to those that opt for a near-vanilla Android implementation (with or without additional customizations), to those that impart their own vision of Android which is neither device-stock nor vanilla Android.

If you go the route of running a custom ROM, I'd advise for a more recent device (to allow for future support as the ROM matures), but other than that, look at what hardware works best for you. If screen size and how it fits in your hand is most important, ignore everything else. If you consume a lot of media and will burn through batteries, removable/swappable batteries may be your primary goal. Perhaps expandable storage through a microSD card if you won't be streaming that media. Don't get too caught up in internal specs, because something better is always just around the corner.
posted by trivia genius at 10:45 AM on June 26, 2013

I was going to point you to The Understatement blog entry that you have as your item [3]. As far as I understand it, Android updates are a "collaborative process" between Google, the handset manufacturer, and the carrier - by which they mean that each entity gets to do their own independent QA tests before releasing it to the end users. If there are not enough active phones to justify all that expense - sorry.

But somehow iPhones don't require triple QA, and Apple can send out software updates even for a 2009 iPhone 3GS?
posted by RedOrGreen at 12:59 PM on June 26, 2013

RedOrGreen - I know the answer to this part!

It's because Apple manufactures the phones and can ensure that the software will run on their hardware. With the Android operating system, there are scads of manufacturers with different hardware configurations. I had an Android phone for several years and received exactly ONE update on it. It was infuriating to see other phones with lesser hardware receive OS updates adding new functionality while I got nothing.
posted by BrianJ at 1:13 PM on June 26, 2013

And now I've just realized that I totally misread your comment, so I'm kicking myself. Sorry, guys!
posted by BrianJ at 1:14 PM on June 26, 2013

I have a Droid DNA from Verizon. (It's the same as an HTC Butterfly except it doesn't have an SD slot. Also it's locked.) Twice now, Verizon has pushed out patches. A message appears on the screen saying to leave the phone on until the process is complete.

There's also a place in the control menus where you can manually try to update, but since my phone is up-to-date it doesn't do anything.

In both of those cases I was at home and I'm pretty sure it did most or all of its downloading through my wifi rather than using Verizon's network.

It says that it's running Android 4.1.1. I know that Android 4.2 is out, but maybe it hasn't been adapted to my phone, or maybe there's no official upgrade path.
posted by Chocolate Pickle at 1:48 PM on June 26, 2013
