Android security: Your phone's patch level says you're up to date, but that may be a lie [UPDATE]
You might be one of those people who keeps an eye out for updates on your Android smartphone and checks monthly, only to be told that your device is "up to date". Depending on which device you have, that might be a lie. The biggest problem with Android is what is known as Android fragmentation. Basically, Google produces the updates and hands them to each Android phone manufacturer. It is up to the manufacturer to test the updates against its phones (to ensure they do not break its customized version of Android) and then push the updates to each phone (upon carrier approval). Some manufacturers are better than others at pushing these updates. Users who want to monitor the patch state of their device can use SRL's free patch verification app, SnoopSnitch.
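As an added example (not code from the post or from SRL), here is a small Python triage that reads each device's claimed `ro.build.version.security_patch` value from `adb shell getprop` output and flags any device whose claimed level is more than two months old. The device names and getprop output are constructed sample data, and the two-month threshold is an assumption.

```python
from datetime import date
import re

# Constructed sample of what `adb shell getprop` prints for three devices
# (hypothetical values, not data from the original post).
SAMPLE_GETPROP = {
    "device-A": "[ro.build.version.security_patch]: [2018-04-05]\n"
                "[ro.build.version.release]: [8.1.0]\n",
    "device-B": "[ro.build.version.security_patch]: [2017-10-01]\n"
                "[ro.build.version.release]: [7.0]\n",
    # Older device that does not expose the property at all
    "device-C": "[ro.build.version.release]: [6.0.1]\n",
}

PATCH_RE = re.compile(
    r"\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]"
)

def claimed_patch_level(getprop_output):
    """Return the patch level string the device claims, or None if absent."""
    m = PATCH_RE.search(getprop_output)
    return m.group(1) if m else None

def months_behind(patch_level, today):
    """Whole calendar months between the claimed patch level and `today`."""
    year, month, _ = (int(x) for x in patch_level.split("-"))
    return (today.year - year) * 12 + (today.month - month)

def triage(fleet, today, max_months=2):
    """Map device name -> (claimed level, months behind, status)."""
    report = {}
    for name, output in fleet.items():
        level = claimed_patch_level(output)
        if level is None:
            report[name] = (None, None, "no-patch-level")
            continue
        lag = months_behind(level, today)
        report[name] = (level, lag, "stale" if lag > max_months else "ok")
    return report

if __name__ == "__main__":
    for name, row in triage(SAMPLE_GETPROP, date(2018, 4, 15)).items():
        print(name, row)
```

This only measures the level the device claims, which is exactly the value the post says can be misleading, so it is a fleet hygiene check rather than a substitute for per-patch verification with a tool like SnoopSnitch.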
The following is a chart of top manufacturers and how reliably updates reach their phones.
Security Research Labs' table shows the average number of missing critical and high-severity patches before the claimed patch date.
Image: Security Research Labs
There is some good news on the Android front. Google's Project "Treble" is re-architecting Android to disentangle the OEM customizations from the OS code, making updates far less involved for OEMs... and thus much more likely to occur.
According to Steve Gibson of GRC: "Essentially... everyone wants everything to be patched, but OEMs – who really just want to sell and forget electronics to consumers – have been complaining about how much of their resources are being tied up by this continuing patch activity. So Google is responding to make it much less troublesome."