Studying Android’s November security bulletin, you’ll notice that there’s a fair amount to patch.
In total, there are 36 vulnerabilities assigned a CVE, and another 17 relating to Qualcomm components rather than Android itself.
Within Android, four rated are critical and 13 rated as high. If there’s a standout it might be CVE-2018-9527, simply because it’s a Remote Code Execution (RCE) vulnerability affecting all versions of from Android 7.0 (Nougat) onwards.
The other RCEs are CVE-2018-9531 and CVE-2018-9521, although both relate to version 9.0 (Pie), which mainly affects devices released since the summer.
CVE-2018-9531 turns out to be one of a clutch of CVEs arising from the Libxaac library, which Google says has been marked “experimental” and “and is no longer included in any production Android builds.”
Leaving aside the extra flaws added to the mix this month by Qualcomm, November looks very similar to every other month this year – plenty of fixes, exactly what one might expect.
The complicated bit
However, this being Android, things are never that simple because when these patches appear on your device – indeed whether they appear at all – will depend on several factors.
One factor is that November’s patches are for Android versions 7.0 and later: devices that either shipped with this after August 2016 or were upgraded later from an earlier version.
In other words, if your device runs Android 6.x, the three years Google commits to support that device with security updates ended in September and now you’re on your own.
Another factor is how quickly the device maker or mobile network gets around to making the November update available to customers.
To speed things up from the glacial patching of the past, in 2017 Google initiated something called Project Treble that allowed vendors to apply security patches without having to refresh the entire OS.
Unfortunately, vendors other than Google can take anything from one to several months to apply these, while it’s even been claimed that some simply lie about the patch version.
It’s possible the delay has something to do with the difference between Android’s Framework updates (the one managed by Google itself, increasingly through its own firmware over-the-air servers) and those relating to the components that are part of the vendor’s hardware and software for each device.
To that end, Android’s monthly updates work on two patch levels, one identified by the first day of the month (i.e. 1 November), and one by the fifth of the month (5 November).
If your phone mentions the fifth of the month (Settings > About Phone >scroll down to Android Patch Level) that means you have both the Framework updates and the vendor updates up to and including the current month.
If, however, it you see the first day of the month, that means you have the Framework updates for that month but the vendor-specific updates only up to the previous month (we told you it was a bit complicated).
Unlike Apple with its small family of devices designed by itself, Android devices are made by numerous vendors, each of which has different models running different versions of Android.
For now, the dream of every Android device getting a guaranteed monthly update for security vulnerabilities is getting nearer whilst appearing frustratingly just out of reach.
Steven
What you can now to assure regular Android security updates that are in sync with the updates issued directly by Google is get yourself an Android One certified cell phone. Google pushes out monthly security updates to both their own cell phones and all other Android One certified cell phones. Better yet is to get an Android One rated cell phone that is also approved by Google for use with their Project Fi cell phone service. Project Fi approved cell phones are Android One rated cell phones which support both GSM and CDMA so these cell phones will work on any cell phone provider network such as far as I can tell but look into Project Fi as your service provider as it works great. I am just a happy Project Fi user, otherwise no connection or affiliation.
Anonymous
on a non google phone near you in around 6-12 months time if you are lucky enough to have a vendor who cares, or a carrier who cares.