Security updates are reaching Android users faster and more reliably than in previous years. In research published this month, German cyber-security firm SRLabs said the Android patch gap has gone down from 44 days in 2018 to 38 days today.
The term Android patch delay, or patch gap, refers to the time from when Google formally publishes a security update on its website, and until a smartphone vendor (OEMs, or original equipment manufacturers) integrates the patch into its firmware.
SRLabs says it collected information on patches delays using its SnoopSnitch security scanner app installed on more than 500,000 Android smartphones.
While the company reported that the patch delay has gone down by 15% in the last two years, the patch gap varied wildly across smartphone vendors, with some better than others at integrating the Google-provided security patches into their customized Android OS versions.
Researchers said Google, Nokia, and Sony were the fastest at integrating the monthly Android Android security updates into their customized customized Android OS releases, while Xiaomi, htc, and Vivo were the vendors lagging behind the most.
"Some vendors, including Nokia and Google, are able to patch exceptionally fast," the SRLabs team said, pointing out that these companies have a negative patch rate.
Negative patch rates, such as the case of Nokia appear because Google makes security updates available to vendors a month before they're posted on the Android Security Bulletin website.
Vendors like Google, Nokia, and Sony have a zero or a negative patch gap because they work to prepare the upcoming security updates even before the patch becomes public.
This allows these companies to ship a security update for their devices as soon as the official Android Security Bulletin goes live on Google's website.
SRLabs researchers say that some OEMs achieve such fast patching turnarounds because they either manage a vanilla Android release or because they have fewer devices models on the market, simplifying and streamlining the patching process compared to vendors that use highly customized Android versions or have a large portfolio of devices to maintain.
In other cases, delays in patching arise from vendor decisions. For example, from the graph below, it is obvious that Xiaomi prioritized patches for recent devices while leaving its Android 8 devices to the wayside.
However, the SRLabs team says that its investigation also surfaced good news, with vendors cutting down the patch gap compared to a similar study the company performed in 2018.
The previous study also found that some vendors were also lying about their patch gap, in the sense of declaring a "security patch level" but actually skipping fixing some bugs that were included in the said patch level.
SRLabs said that this has stopped, and now most Android OEMs rarely skip patches.
The security firm says that in 2018, they found an average of 0.7 skipped patches per device, but this number has now gone down to 0.3, with most vendors (except) Huawei keeping the number of skipped patches at a number below 1.