Android patches are now reaching users faster and more reliably than before, according to research from SRLabs.
The German cyber-security firm collected information on patch delays using its ‘SnoopSnitch’ security scanner app installed on over 500,000 Android smartphones. SRLabs found that the Android ‘patch gap’ — the time between when Google formally publishes a security update and when manufacturers release it to their phones — has shrunk from 44 days in 2018 to 38 days in 2020.
A 15 percent decrease in the patch gap is definitely progress, but researchers note that the gap can vary widely between manufacturers. According to SRLabs’ data, Google, Sony and Nokia are among the fastest, with patch delays of zero days. Huawei, LG and Samsung come next with six, 12 and 14-day patch gaps respectively.
Other manufacturers deliver patches within one month. Those include Motorola with a 15-day patch gap, Lenovo with a 21-day gap, Asus at 23 days, OnePlus at 25 and HTC at 30.
SRLabs also notes that the variations in the gap depend on the number of devices a manufacturer has to patch as well as the level of customization the manufacturer adds to Android. Further, companies can have a patch gap of zero days because Google makes security updates available to manufacturers about a month before posting them to the Android Security Bulletin website. As such, manufacturers can begin working on patches and have them ready before the patch becomes public.
On top of that, the research shows that some manufacturers have larger patch delays because they prioritize newer devices.
Additionally, the research revealed that manufacturers have reduced the number of skipped bug fixes in patches. While this was more common in 2018, SRLabs says most manufacturers now rarely skip patches. In 2018, the average was 0.7 skipped patches per device, but that has fallen to 0.3 with most manufacturers keeping the number below 1.