Google published monthly security updates for Android for about a year which manufacturers get in advance to push out to their devices after integrating and testing the patches.
While some manufacturers are quick to integrate new security patches, others are not so much.
My Xiaomi Mi4c phone is stuck on the July patch level for instance, which means that it has not received the August nor the recently released September patches yet.
Tip: you can check the patch level of your Android device in the following way: open the Settings application on your device and find the about link on the page. There you should find information about the Android security patch level.
Android Central reports that Google has broken down security patches for Android this month instead of shipping all patches in a single package.
Google released three patches this month for Android that fix various security related issues for all devices running the operating system.
- 2016-09-01 — patches for a pair of Critical remote code execution vulnerabilities, many serious Elevation of Privilege vulnerabilities, several Information Disclosure vulnerabilities, and a pair of Denial of Service vulnerabilities all within Android itself.
- 2016-09-05 — Everything in the 2016-09-01 patch, as well as patches for several kernel related Elevation of Privilege vulnerabilities, many Qualcomm driver-related vulnerabilities, and Elevation of privilege vulnerabilities found in other third-party drivers.
- 2016-09-06 — Everything in the 2016-09-01 and 2016-09-05 patches, as well as a fix for a Critical Elevation of Privilege vulnerability in the kernel shared memory subsystem and a fix for a vulnerability in a Qualcomm networking component.
The third patch, released on September 6, includes the patches released on September 1 and 5. If it is installed, it makes the device the securest.
While Google has not revealed why it changed how Android patches are provided to manufacturers, it appears that this is done for a number of reasons.
First, it provides manufacturers with options to prioritize patches and deliver some to their Android user base faster. Manufacturers may pick high priority patches over others, or speed up the process of updating devices by pushing out patches individually instead of in one large package.
Google too may provide manufacturers with patches faster. This becomes evident when you look at the different release dates for the September patches. The first set was released on September 1, the last on September 6.
Still, with all that said, it is still up to the manufacturer of the device to push out security patches in a reasonable time frame after they become available (that is 30 days before release).
While I really like my Xiaomi Mi4c phone, I won't purchase another device from the company because of the slow release of security patches and updates to newer Android versions.
The device is still stuck on Android 5.x (which it shipped with), while it is capable of running Android 7.x.
Unless manufacturers change their stance on providing updates for their devices, compartmentalizing security patches won't probably have a noticeable effect on the state of Android security.
Now You: What's the patch level of your Android device?