If you purchased an Android phone recently, chances are that it prompted you to install a security update or two at some point. You may have noticed that these updates don’t typically add much in the way of new functionality. Instead, they tend to be pretty small in size — around a few hundred megabytes or so. Notably, they’re also independent of the larger version updates (like Android 12) that bring a slew of new features.
Despite how uneventful they might seem, though, security updates are obviously pretty important. As you’d expect, having your personal device exposed to potential data leaks and malicious attacks isn’t ideal.
So in this article, let’s quickly go over what security updates are, how they work, and when you should expect the next one to arrive on your Android smartphone.
What are Android security updates?
The core Android operating system, or AOSP, is open-source. What this means is that Google develops and maintains the project, but any third party can also volunteer to audit the code, submit suggestions, and modify it for their own use. The latter is precisely why a Samsung phone runs much different software than a Xiaomi or OnePlus device. In a nutshell, manufacturers build their own features on top of the base provided by Google.
Read more: What is AOSP?
Why does this matter? Well, every now and then, security researchers uncover new bugs and vulnerabilities in the Android operating system and submit a disclosure report to Google. Once the issue is identified, Google develops a patch and merges the updated code with the open-source Android project.
As the name implies, security updates are primarily aimed at keeping your smartphone secure from malicious actors.
However, it’s not exactly feasible to roll out a new software update for each and every vulnerability. Most bugs and security loopholes are pretty minor and will likely not affect the vast majority of individuals immediately. Furthermore, researchers don’t typically make exploits publicly known until a patch is released. This is known as responsible disclosure.
To that end, multiple patches are typically bunched up into one larger package that reaches your smartphone in the form of a security update. Google notifies device manufacturers of these impending fixes ahead of time so they can all try and release an update simultaneously. In reality, though, most Android users don’t get an update every month, as we’ll discuss in the next section.
Multiple patches are typically bundled together and included in a single Android security update release every month.
Besides the core Android operating system, exploits and vulnerabilities can crop up in several other areas too. Take your smartphone’s chipset or display, for example, which was likely made by a third-party company like Qualcomm, Mediatek, or Samsung.
These components communicate with the Android operating system through proprietary code, where similar exploits can be uncovered over time. To that end, it’s important that they also receive routine security patches from their respective manufacturers.
Once the patches are ready, however, it’s up to your device’s manufacturer (and carrier) to deliver them to your device. Some newer smartphones receive updates monthly, while others may only get a new patch every quarter or so. As part of the Google Mobile Services agreement most manufacturers sign, though, they have to provide security updates for the first two years of the device’s lifecycle, at least.
See also: What is stock Android?
How to decode Android security patches and what they contain
Generally speaking, Google puts out two “levels” of security updates every month: one that ends in 01 and the other in 05. The former includes fixes for all AOSP-related issues, while the patch level ending in 05 addresses issues associated with third-party components and proprietary code. Each month, Google also publishes a security bulletin describing the contents of patched vulnerabilities on the Android website.
Take the October 2021 security bulletin, which contains dozens of patches. Each one is labeled by a Common Vulnerabilities and Exposures (CVE) identifier and categorized by its severity. The page also details how each vulnerability could affect Android devices. For example, an RCE, or remote code execution exploit, could let an attacker run malicious commands on the device.
While this information is invaluable for public transparency, most end users don’t need to know the specifics. And most devices will have even more vulnerabilities that are device or manufacturer-specific in nature. In other words, you won’t know the exact details of all patches included in any given month’s security update.
Device manufacturers typically include updates for their own proprietary components in their security patches too.
It’s worth noting that most security patches don’t include feature updates or changes to the device’s overall user experience. Those come in the form of regular software updates every year, like the jump to Android 12., although most manufacturers take additional time to roll out core updates to their devices. That said, a few manufacturers do bundle minor feature refinements and bug fixes in their security updates from time to time.
Device OEMs like Samsung, Nokia, and even Google themselves all develop their own versions of the monthly security patches. This is because they either have to include fixes for additional device-specific exploits or exclude certain patches that don’t affect their devices. You can usually find update notes on the manufacturers’ respective websites, like this page for Samsung.
Security updates through the Play Store
Calvin Wankhede / Android Authority
Newer phones that run Android 10 or later are also capable of getting critical security updates through the Play Store. This is down to Project Mainline — a Google-led initiative that modularized the Android operating system to make incremental updates easier. It essentially allows certain parts of the operating system to receive updates through the Play Store, in addition to full-blown firmware updates from the device manufacturer.
Google can use the Play Store as a delivery channel for critical security updates, bypassing device makers and carriers.
Since both delivery methods are independent of each other, your phone may display two different patch dates. The exact details are usually found under Settings > About Phone > Android Version, as pictured above. The idea with having two update channels is to allow older devices to continue receiving critical patches via the Play Store. This will shape up to be especially important if a major exploit like Stagefright crops up again.
How often should you expect security patches?
Kaitlyn Cimino / Android Authority
Coming back to regular security updates from Android manufacturers, you can typically expect to receive them for a few years — longer than feature updates. Take the Samsung Galaxy Note 8, for example. It received Android 9 — its final major feature update — in February 2019, roughly two years after the phone’s release. However, it continued to receive quarterly security updates until mid-2021.
The exact update schedule differs from one brand to another. Even devices from the same manufacturer may follow different update cycles.
Starting with the Pixel 6 series, Google has promised to offer security updates for five years — a full two years longer than the three-year commitment for Android version updates. Samsung, the largest Android OEM globally, offers four years of security updates on all of its devices released after 2019. Other brands, including Xiaomi, Nokia, and OnePlus, don’t offer the same level of consistency across their product portfolios. However, most of them do promise a minimum of two years of security updates these days.
Google and Samsung currently provide the longest software support period. Most other vendors end security updates after two to three years.
As for frequency, new and high-profile devices like Samsung’s Galaxy S21 tend to receive patches relatively often — once every month or two. Devices on the opposite end of the spectrum (read: inexpensive smartphones and tablets) may occupy a lower priority on the manufacturer’s update cycle. Still, an update should come along once every few months or so.
It’s important to note that these timelines are simply manufacturer promises and can change at any time. Over the years, we’ve seen a handful of devices reach their end-of-life date sooner than expected. Others have gone on to receive both security and feature updates for several years longer than originally promised. Needless to say, if your device’s security is an important factor for you, consider brands that have a good track record with updates for your next smartphone purchase.