Skip to content
Naked Security Naked Security

Latest Android security updates, and Google to fix patch delays for Pixel

Google's May security update for Android is out – but will you be lucky enough to get it this week? If you own one of a Pixel device, then yes.

Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month?

If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own smartphones made by other vendors, that security update could be anytime between this month and several months hence.

It’s a confusing and unsatisfactory situation Google’s been trying to solve for several years, and this week it detailed how it plans to improve things in the next version of Android, currently known as ‘Android Q’.

Currently, Google’s security updates arrive via phone makers as updates that incorporate elements proprietary to each model and vendor. Inevitably, this takes time.

According to details released at the Google I/O 2019 developer conference and in an interview with The Verge, the company’s ‘Project Mainline’ for Q will adopt a radically different approach, updating a list of 14 OS modules over-the-air straight from the Play Store.

Reportedly, those modules are:

  • ANGLE
  • APK
  • Captive portal login
  • Conscrypt
  • DNS resolver
  • Documents UI
  • ExtServices
  • Media codecs
  • Media framework components
  • Network permission configuration
  • Networking components
  • Permission controller
  • Time zone data
  • Module metadata

In other words, updating these elements will be done at Google’s direction, getting rid of the middleman.

However, an unspecified number of modules will still be updated via monthly patch cycle. It will also only be for devices that shipped with Android Q. Anyone who runs an older version (apparently, including Android 9 devices updated to Android Q) will need to update via the conventional channel.

Perhaps the biggest question mark of all is that, according to The Verge, device makers won’t be compelled to adopt the scheme. Presumably, because it’s a desirable feature, Google is assuming the majority will want to be on the inside.

This month’s Android patches

It’s a relatively light patching load this month, with only 15 CVEs, including 4 remote code execution (RCE) flaws rated critical, 10 rated high and 1 moderate across the two patch levels, and 2019-05-01 and 2019-05-05 (see last month’s coverage for an explanation of the difference between the two patch release dates).

Severe flaws include the RCEs in the System, CVE-2019-2045, CVE-2019-2046, and CVE-2019-2047. However, Google rates the worst as being CVE-2019-2044 in the Media Framework, which it says could:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

There’s also the usual bundle of fixes for proprietary Qualcomm components, which this month is also a modest 15, including 4 rated critical.

Bear in mind that if your Android device is earlier than version 7.x, you don’t get any of these updates and you’re on your own.

If your Android device runs 7, 8, or 9 and isn’t a Google Pixel, the May updates will appear – at some point.

12 Comments

I find it highly amusing that you concluded with the final sentence stating: “If your Android device runs 7, 8, or 9 and isn’t a Google Pixel, the May updates will appear – at some point.”. That “some point” will very likely be on or around the 13th of Never for anyone who has any phone other than a this years model.
Why bother publishing an announcement about these alleged security updates? Just how many Pixel phones are there compared to Samsung, LG, and Motorola?

Well, I have an ASUS TF700T (2009), a Moto X Pure (2015) and a Moto X (2013). All of them are patched up to 2019. How? I have custom ROMs on them, and their maintainers integrate the patches and update their ROMS. I’m on Pie for all but the ASUS, which is 7.1.2.

So, those update announcements are useful to me.

“Bear in mind that if your Android device is earlier than version 7.x, you don’t get any of these updates and you’re on your own.”
Imagine if computers were like that.. Oh your 2000 dollar machine? Buy a new one or risk getting pwned.. Infuriating.

Most computers and software advertise end of life dates but as you rightly say repurposing mobile hardware is not usually easy.

Well, I have an ASUS TF700T (2009), a Moto X Pure (2015) and a Moto X (2013). Root and flash is how to re-purpose.

“Bear in mind that if your Android device is earlier than version 7.x, you don’t get any of these updates and you’re on your own.”
Imagine if computers were like that.. Oh your 2000 dollar machine? Buy a new one or risk getting pwned.. Infuriating.

Just purchased a Nokia 6.1 with Android One, it updated to Android 9 on day 1 and this morning has a notification to install the May security patch.

Boy is this article WAY off base. I have a Pixel 3XL. It’s May 15th. No update.

I have the Pixel 2XL, and I’ve not received OTA updates for months. I’ve resorted to sideloading to get them (just did May 2019). See google’s OTA image sight for details (https://developers.google.com/android/ota).

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?