Android security updates: Patching to perfection

The larger the codebase, the more likely it is that code has vulnerabilities. Android does a fairly good job at keeping devices patched based on the latest known vulnerabilities. Still, a complex ecosystem of manufacturers and developers means that Android security updates aren’t always available. 

For companies that use custom-built devices running modified Android versions, Android security updates are even more crucial. Unfortunately, most custom Android versions don’t have the supporting infrastructure necessary to carry out these updates. 

The good news is that Android security updates are possible, even for custom devices. 

Preventing Android vulnerabilities

A rule of thumb exists in software development that the larger the codebase, the more bugs it’ll have. With a disk space requirement of 250GB, it’s incredible that Android doesn’t have more vulnerabilities.

Yes, vulnerabilities are found every month, but an active community backed by OEMs with a vested interest in maintaining Android secure means the bugs get addressed as rapidly as possible. Google also offers a $15,000 bounty in their Vulnerability Reward Programs (VRP) to anyone who discovers a severe code vulnerability. 

Unfortunately, “as rapidly as possible” is sometimes not very rapid at all—it depends on the vulnerability, the underlying cause, device and version. 

The complex Android ecosystem and its connection to frequent updates

The complex AOSP ecosystem of developers, manufacturers, and systems can slow down the Android security update releases. This ecosystem means we get plenty of flexibility to create new devices and choose from different vendors. It’s great for competition, innovation, and the contribution of so many parties ensures accountability when vulnerabilities are discovered. Unfortunately, it also means that end-users are at the mercy of any one of the links on that chain when it comes to Android security updates. 

For example, although Google might release an update to the basic Android open-source project (AOSP) code one month, that update might conflict with code at the OEM level, forcing the OEM to delay sending updates to users—or perhaps even never sending it if the update conflicts too heavily with core OEM functionality. 

How can I update my Android security?

Android security updates typically happen automatically on commercial devices. However, if you’ve disabled automatic updates, you can navigate to the “Security” section of your device’s settings and trigger a manual Android security update there. If your device no longer receives updates, you’ll need to upgrade to a newer Android version. 

Android security updates for custom-built devices

The matter becomes far more complicated when dealing with custom-built devices that use a custom version of Android. 

Many excellent reasons exist for using custom versions of Android—such as the custom Android versions for industrial and professional use cases provided by emteria or various open-source solutions. These reasons mostly come under the headings of “customization”, “flexibility” and “cost savings.”

Custom Android devices provide far more flexibility over the type of hardware you can use as well as which Android version you use. For example, you might want to use an earlier version of Android that is compatible with your app version and which is better suited for weaker hardware configurations. A custom Android version would allow you to do that. 

Unfortunately, open-source custom Android versions are notorious for their lack of Over-the-Air software updates because such immense infrastructure is required to carry out those updates. 

If the open-source custom Android version you’re using does have Android security updates ready, you’ll likely need to perform a manual ROM update to get those updates onto your device. 

However, if you’re using a custom Android version built by emteria, you’ll receive updates regularly and over-the-air because emteria has the necessary support and infrastructure to provide this service. 

Understanding the Android security patch level

Android security updates typically occur every month for commercial devices, and these updates are separate from Over-the-Air software updates or OTA firmware updates for Android version upgrades. 

Although Android security updates for commercial devices are also delivered using OTA technology, they only contain fixes for disclosed bugs and vulnerabilities. 

Each Android security update has a version number called security patch level. 

What is the security patch level in Android?

The security patch level of a device refers to the version of the Android security update that device has received. Although the number appears to be in a YYYY-MM-DD format, it’s actually in a YYYY-MM format followed by either a “01” or “05” to specify the type of security update.

Breaking down the YYYY-MM security patch level version number

Patches ending in 01 and 05 are actually released on the same day. 

Patches ending in 01 address current Android vulnerabilities inside Android itself—the Android Open Source Project (AOSP). These 01 patches are vendor-independent. 

Those patches that end in 05 address are:

Whenever Google releases a new security patch, it issues an Android Security Bulletin listing out the known vulnerabilities that the patch fixes. Each of these vulnerabilities has a CVE (Common Vulnerabilities and Exposures) number. 

For example, the March 2024 security patch was released on March 04, 2024. Looking at that month’s bulletin, we see the details of the 01 and 05 updates, showing that 01 relates only to the Android framework, while 05 contains fixes for various proprietary components, including:

Additionally, individual OEMs might release their own patches for vulnerabilities related to that specific device, such as Samsung releasing a patch for Samsung devices. 

Google provides Android security patches for AOSP for 3 years and upstream Linux kernel patches for 5 years. Vendor-specific Android security patches might be supported for a longer time span (e.g. Samsung = 5 years, emteria = Extended long-term support possible based on custom requirements).

Kudos to Kamila Wojciechowska's article on medium which explains in depth how Android updates work and provides insights that are locked behind NDAs and other agreements.

How to check security patch level in Android?

Discovering the patch level of your device depends on what Android version you’re running. The easiest way is to open settings and search for “security.” Click on “Security updates” or similar. Then check the number next to the security level to see if you have the latest Android security update. 

How to update Android security patch level manually?

To perform an Android security update manually on a commercial device, open settings in your device and search for “Security,” which will reveal a “Security update” or similar menu item, depending on your device. Click that item to update your device manually. 

Emteria provides simple Android security updates for custom devices

Although anyone with the skills can develop their own custom Android version, the version must be maintained and frequently updated. It’s impossible to create perfect software, and releasing software out into the world with no possibility of easily updating it is a recipe for disaster. 

A lack of a robust update infrastructure can lead to Android data security breaches, resulting in heavy fines for enterprises. 

Emteria provides enterprise-grade custom Android versions that can also be used privately. We carry out frequent Android security updates for many versions of Android, including:

• Android 14 security updates
• Android 13 security updates
• Android 11 security updates

These updates can happen automatically or manually on your devices, and you maintain full control of which option to use. 

To learn more about emteria and how to use it for your devices, contact us today for a live demo.