Unbeknown to most users, devices running supported versions of Android are supposed to get small amounts of new software every month, mostly security updates.
Unfortunately, as we pointed out in May, when and whether that happens is a matter of whim for each device’s manufacturer.
Updates for Google’s Pixel smartphones will arrive sometime this week – covering functional issues as well as security patches.
But if your device is made by another vendor, June’s Android patches could turn up any time from next month to some point later this year.
Given that June’s two patch levels (2019-06-01 and 2019-06-05) comprise only 13 CVEs plus another 9 from Qualcomm, this might not sound like that big a loss.
But if the same device is also missing previous updates, as many will be, the number of missing patches rises to dozens.
Amplifying the update confusion is Android’s version fragmentation, which gave Apple CEO Tim Cook cause to gloat when he mentioned at this week’s WWDC 2019 conference that the newest version of Android is still only running on 10% of Google’s mobile devices compared to 85% of iPhones running the latest iOS.
June patches
Despite the modest vulnerability count, the fact that 8 are marked ‘critical’ and 14 ‘high’ is good enough reason to want them as soon as possible, with 2 of the criticals (CVE-2019-2094 and CVE-2019-2095) affecting only version 9.
Seven are elevation of privilege (EoP), four are remote code execution (RCE), leaving the remaining flaws without designation.
By policy, Google doesn’t furnish much detail on individual flaws, but does mention that the most serious of this month’s vulnerabilities is in media framework which might allow:
A remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
Meanwhile, CVE-2019-2097 in the Android system could:
Enable a remote attacker using a specially crafted PAC file to execute arbitrary code within the context of a privileged process.
Luckily, the advisory continues, Google has had no reports that any of the serious flaws are being exploited.
What to do
Anyone looking to understand the difference between Android’s two patching levels should read the explanation we offered as part of April’s Android patch coverage.
Individual vendors often publish their own advisories that often offer clearer information than Google’s official Android updates. For instance, here are the June 2019 updates for Samsung, Nokia, Motorola, LG, and Huawei.
Spryte
Just so others know my Kindle Fire OS has had an update last week. Not sure if that is what you are talking about… or if there is a new one in the works.
John E Dunn
Kindles use the Fire OS, which is updated separately by Amazon.
Bryan
While we’re on the topic, can anyone expound** on how updates are issued/denied/distributed?
** (or know of a page which does so; I found legions of pages telling me how to check for an update)
Clearly the OS is updated with/by Google, but the process from there gets fuzzier to me the more I ruminate.
Each manufacturer gets a chance to relay or disregard the update, and then in turn so does each wireless carrier. …right?
So do carriers have DNS sinks for update [dot] android [dot] com? And then they cheapen the update with their proprietary app-du-jour before letting me have it? If so, how could they prevent me from bypassing them via WiFi and my own DNS?
Am I completely barking up the wrong tree, and update syrup is physically poured over my phone by gnomes at my bedside when I’m sleeping?
I’d really like to learn more about it, so if anyone can point me there–you’re awesome.
mbrazil
I don’t know in detail how the entire process works, and I’m sure it varies with each phone manufacturer and each carrier. However, one thing to keep in mind is that each version of the Android OS is modified by both the phone manufacturer and the carrier before it’s installed in your phone. Therefore, an Android update is not generic and must be customized to install and work properly with the version of Android on your specific phone (specific to manufacturer, model, and carrier). Downloading and installing the wrong version of an update could end up bricking your phone.
Bryan
Right, thanks; my “proprietary” comment alludes to the custom builds. I know they get a copy of the “base” update and then inject all their fluff before releasing to users. I’m curious about the mechanism, not so much technical details as an overview. I suppose I’m looking for an Android How It’s Made episode.
Can’t be as simple as polling update[.]android[.]com, running wget current.tgz, as that would be easily subverted by carriers, users, and attackers.
Assumptions I believe are safe:
– there must be a “phone home” function
– “home” varies as dictated by manufacturers and carriers (mostly carriers probably)
– a cert verifies the phone has reached the proper source
I checked StackExchange but didn’t find anything meaningful.
mbrazil
More than the manufacturers, the carriers are the obstacle that prevents Android updates from reaching consumers’ phones. I’ve contacted LG, the manufacturer of my phone, about Android updates, and they told me that they implement the updates and then forward them to the carriers. They don’t provide updates directly to consumers, because that would be in violation of their contracts with the carriers. A perfect example of how this system fails to work is that my carrier, Tracfone, NEVER provides any updates to customers’ phones no matter how long it’s been since the phone was issued or how many updates, critical or otherwise, have been released since the phone was sold to the customer. I’ve also contacted Tracfone about this, and after much discussion with a customer “support” rep, the rep finally admitted that Tracfone’s policy is to ignore updates and not provide them to customers. The rep also suggested that, if I want to have the most recent Android version and updates, my only recourse is to purchase a new phone.
Bryan
Your new phone purchase will then have brought the LG-Tracfone contract full circle.
Everyone is happy. Oh wait…
Dow
This is very frustrating. Naked Security reports that we need to update our Android phones. Samsung states that they’ve got updates for June, both from them and from Google, and yet T-Mobile has me on the April 1 security patch (which I just became available to me on the 26th of May). Ridiculous.
Bryan
Planned obsolescence won’t work if you’re able to just keep your old phone working.
Silly, silly Dow.
Dow
AH! Of Course!! [smacks forehead and wanders off muttering]
hengky
i am from Indonesia
my phone is xiaomi mi a1
after june 2019 patch update, come problem.
1. flashlight disabled in drag down menu
2. camera rotation horizontal became vertical, but the photo result is no problem.
i think because of this camera, Whatsapp error in accessing camera and ask me to restart the phone.