Latest Android security updates, and Google to fix patch delays for Pixel

Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month?

If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own smartphones made by other vendors, that security update could be anytime between this month and several months hence.

It’s a confusing and unsatisfactory situation Google’s been trying to solve for several years, and this week it detailed how it plans to improve things in the next version of Android, currently known as ‘Android Q’.

Currently, Google’s security updates arrive via phone makers as updates that incorporate elements proprietary to each model and vendor. Inevitably, this takes time.

According to details released at the Google I/O 2019 developer conference and in an interview with The Verge, the company’s ‘Project Mainline’ for Q will adopt a radically different approach, updating a list of 14 OS modules over-the-air straight from the Play Store.

Reportedly, those modules are:

  • APK
  • Captive portal login
  • Conscrypt
  • DNS resolver
  • Documents UI
  • ExtServices
  • Media codecs
  • Media framework components
  • Network permission configuration
  • Networking components
  • Permission controller
  • Time zone data
  • Module metadata

In other words, updating these elements will be done at Google’s direction, getting rid of the middleman.

However, an unspecified number of modules will still be updated via the monthly patch cycle. The scheme will also only apply to devices that shipped with Android Q. Anyone who runs an older version (apparently, including Android 9 devices updated to Android Q) will need to update via the conventional channel.

Perhaps the biggest question mark of all is that, according to The Verge, device makers won’t be compelled to adopt the scheme. Presumably, because it’s a desirable feature, Google is assuming the majority will want to be on the inside.

This month’s Android patches

It’s a relatively light patching load this month, with only 15 CVEs, including 4 remote code execution (RCE) flaws rated critical, 10 rated high and 1 moderate across the two patch levels, 2019-05-01 and 2019-05-05 (see last month’s coverage for an explanation of the difference between the two patch release dates).

Severe flaws include the RCEs in the System, CVE-2019-2045, CVE-2019-2046, and CVE-2019-2047. However, Google rates the worst as being CVE-2019-2044 in the Media Framework, which it says could:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

There’s also the usual bundle of fixes for proprietary Qualcomm components, which this month also totals a modest 15, including 4 rated critical.

Bear in mind that if your Android device runs a version earlier than 7.x, you don’t get any of these updates and you’re on your own.

If your Android device runs 7, 8, or 9 and isn’t a Google Pixel, the May updates will appear – at some point.