And while Google says it has made some progress in this area — Android issued security updates to 735 million devices from over 200 manufacturers in 2016 — about half of Android users still aren’t receiving important security patches.
“There is still a lot of work to do to protect all Android users: about half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Android security leads Adrian Ludwig and Melinda Miller wrote in a year-in-review post. Android issued monthly security updates during that timeframe.
When phone makers discover vulnerabilities in their products — either through external reports from security researchers or through internal audits — it kicks off a race to patch the problem before it’s widely exploited. But in the Android ecosystem, which includes hundreds of carriers and manufacturers, pushing those updates out to every user is a complex process.
While Google-manufactured Pixel and Nexus phones and tablets receive automatic updates, hundreds of manufacturers that run Android on their devices don’t push security updates to their customers immediately.
This practice can leave customers waiting for months to get updates, and their devices are vulnerable in the meantime.