As of August 2015 Google has started to push monthly security patches for their Nexus phones and they have committed to do this for all their Android devices three years after launch. I am a Nexus user myself since a few months back when I bought a LG Nexus 5X and I really like the fact that the manufacturer is constantly supporting the device I am using. My previous Android phones has been manufactured by SonyEricsson, Sony and Samsung but I have never owned a “flagship” device since I really don’t see the point of spending more then 5000 SEK (roughly $600) for having bleeding-edge hardware and I rather buy a 3500 SEK ($400) mid-range that I can wear and tear. In my experience every mid-range phone gets a couple of updates in the beginning of its life cycle and one major update that bumps the Android version after, roughly, a year. For instance my SonyEricsson Xperia X10 mini-pro (God, I really loved the keyboard!) was shipped with 1.6 and then bumped to 2.1 and my Samsung Galaxy S4 mini was shipped with 4.2 and then bumped to 4.4.2.
If we take the Galaxy S4 mini (GT-I9195) as an example it was released June 2013 with Android 4.2 (Jellybean) with an update to 4.4.2 (KitKat) starting to roll out one year later June 2014 and the last update I have received was built in April 2015. If we then take a look at the security bulletins published by Google we can quickly identify a whole myriad of critical security issues that this phone is vulnerable to, most notably the stagefright bug that was announced in the summer of 2015.
This is really problematic. Currently people in general don’t think about the security of their devices but I think that this will have to change quite soon. Who are the users of old (more then two years) mid-range phones? I would assume that it is the technology illitarate masses that aren’t so cautions and can by accident install malware etc.
The thing that really bugs me is that the manufacturer doesn’t have to make a commitment for providing decent support of their products. The logical thing would, in my mind, be that the Android version is kept during the life cycle of the product and a customer would receive applicable security updates and bug fixes until a date specified at product launch. If I buy product X with a number of features I don’t see how I can claim that I am entitled to future features that didn’t even exist at the time of purchase. I can on the other hand claim that I need the product to work as intended (receiving bug fixes) and be secure (receiving security patches). Of course products like the Nexus devices would receive the latest version since they are marketed as a product that will have the latests software for a couple of years.
I am very well aware of the pains for rolling out updates to smart phones since I have worked in the telecom field for a couple of years and I know that each model has waaay too many flavours in order to please different operators and markets around the globe. But I don’t see this as an excuse to the ignore customers that has a phone for three years.
When the first ransomware hits Android users in a large scale I hope that we will have a debate on this topic.