We’ve all heard it before: the best thing you can do to keep your computer safe from hackers is to update regularly. Software companies push updates to fix known flaws in their operating systems, and hackers routinely search for old software versions so that they can take advantage of known security flaws that no one’s bothered to patch yet.
So it’s a little unnerving to hear that Motorola, maker of some of the world’s best Android phones, doesn’t really think that making Android security updates available in a timely manner is particularly important.
To be absolutely clear, Android as a platform has a problem with updates and security updates. Unlike iOS devices, which get the update as soon as Apple has tested it, there are a few more steps to the Android update process. Google has to issue an update, which manufacturers then have to tweak, cell carriers have to mess with a little, and then the update finally gets pushed to customers.
It’s a painstaking process that takes months and costs hardware manufacturers serious money that they’ll never see back. But timely updates are also the cornerstone of good mobile security. With major flaws like Stagefright being revealed every year — flaws that can only be fixed with a security patch — updates that get pushed in days or weeks, not months, are important.
This is where Motorola comes in. As first spotted by Ars Technica, the company has decided not to commit to monthly Android security updates, even for its newest devices. When asked to comment on this story, Motorola didn’t address specific questions about security concerns, and stuck to the line that monthly updates are “difficult”:
Motorola understands that keeping phones up to date with security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it’s difficult to do this on a monthly basis for all our devices. It is often most efficient to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade.
As we previously stated, Moto Z Droid Edition will receive Android Security Bulletins. Moto G4 will also receive them.
Everything in the statement is technically true: issuing fewer updates is certainly “most efficient” for Motorola, and cranking out monthly updates for a number of devices is difficult.
But the statement is symptomatic of a pretty cavalier attitude from many Android manufacturers towards security. With profits difficult to find in the high-end smartphone business (if you’re not called Apple, that is), spending money issuing free security updates is a difficult ask.
Google is aware of the reputation Android has for poor security (compared to iOS), which is why it created the Android Security Bulletin program to issue monthly security updates. But if manufacturers refuse to commit to the program — and Moto seems to be leading the charge here — it’s not going to do much to fix Android’s “toxic hellstew” of vulnerabilities.