Google recently released the February security update for Pixel devices, which closes a hole that would allow malicious PNG files to “execute arbitrary code within the context of a privileged process.” In plain terms, code hidden inside the image runs with elevated privileges and can steal your data; all you have to do is open the file. That’s it.
That means any PNG that comes to you—be it in an email, a messaging client, or even over MMS—could potentially hijack the system and steal valuable data. That is, on any phone that isn’t a Pixel, because they’re protected now. Samsung, LG, OnePlus, and most other manufacturers’ handsets are still susceptible to this bug. We have to start holding manufacturers to a higher standard when it comes to security updates. Period.
I currently have four Android phones within arm’s reach: Pixel 2 XL, Pixel 1, Samsung Galaxy S9, and OnePlus 6T. The two Pixels are patched and protected with the February update, but the S9 and 6T are only on the December security patches. That means any newer vulnerabilities—like this PNG one, for example—are unpatched on both of these handsets. Considering that Samsung Galaxy devices are among the most popular phones on the planet, this is troubling.
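The patch-level gap described above can be checked directly rather than by memory. The script below is an added example, not part of the original article: it reads a device's Android security patch level (on a real handset this is the `ro.build.version.security_patch` system property, readable with `adb shell getprop`), works out how many monthly bulletins it trails the newest one, and flags anything more than a month behind. The four-device inventory and the reference date are constructed to mirror the phones in this article.

```shell
#!/bin/sh
# Added example (not from the original article): a small check for how far a
# device's Android security patch level lags behind the newest monthly bulletin.
#
# On a real device the patch level is exposed as a system property, e.g.
#   adb shell getprop ro.build.version.security_patch   ->  2019-02-05
# The inventory below is constructed to mirror the four phones in the article;
# the reference date is the February bulletin the article discusses.

# Validate that a string looks like YYYY-MM-DD (the format getprop returns).
is_patch_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Whole months between a device's patch level and a reference bulletin date.
# Bulletins are monthly, so the day of month is ignored.
patch_lag_months() {
    patch="$1"; ref="$2"
    is_patch_date "$patch" && is_patch_date "$ref" || { echo "unknown"; return 1; }
    py=${patch%%-*}; pmo=${patch#*-}; pmo=${pmo%%-*}
    ry=${ref%%-*};   rmo=${ref#*-};   rmo=${rmo%%-*}
    # Drop a leading zero so "08"/"09" are not parsed as invalid octal by $(( )).
    pmo=${pmo#0}; rmo=${rmo#0}
    echo $(( (ry - py) * 12 + (rmo - pmo) ))
}

# Verdict: being on the current or previous bulletin is acceptable; anything
# older means publicly known, already-fixed bugs are still live on the device.
patch_verdict() {
    lag=$(patch_lag_months "$1" "$2") || { echo "UNKNOWN"; return 1; }
    if [ "$lag" -le 1 ]; then echo "OK"; else echo "STALE"; fi
}

# Constructed inventory: one "name patch_level" pair per line.
DEVICES="Pixel-2-XL 2019-02-05
Pixel-1 2019-02-05
Galaxy-S9 2018-12-01
OnePlus-6T 2018-12-01"
REFERENCE="2019-02-05"

# Print one line per device with its lag in months and a verdict.
report() {
    echo "$DEVICES" | while read -r name patch; do
        printf '%-12s %s  lag=%s months  %s\n' "$name" "$patch" \
            "$(patch_lag_months "$patch" "$REFERENCE")" \
            "$(patch_verdict "$patch" "$REFERENCE")"
    done
}

report
```

To run it against real hardware, replace the constructed inventory with the output of `adb shell getprop ro.build.version.security_patch` for each connected device, and set `REFERENCE` to the date of the latest bulletin Google has published.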
But this isn’t only about the current bug. Delayed security updates are a constant concern—or at least they should be. As long as new vulnerabilities keep being found (and they will), every delay leaves users exposed. Put simply: this will always be an issue, because vulnerabilities are guaranteed.
While Android “fragmentation” has long been an issue (since the platform was introduced, essentially) when it comes to full OS updates, this should not apply to security updates. These are not “new features are cool, and I want them” updates, these are crucial data-protecting updates. Regardless of whether they’re small or not, this isn’t something that should be overlooked by any consumer. Ever.
Currently, manufacturers are doing a terrible job of protecting their users, full stop. While not getting full OS updates (or even point releases) is annoying at best, not getting security updates is unacceptable. It sends a message that can’t be ignored: it says that your phone manufacturer doesn’t care about your data. Your info isn’t important enough for them to protect.
Security updates aren’t huge like full OS updates or even point releases. They’re released monthly by Google, so they’re much smaller and easier to bake into the system—even for third-party manufacturers. Again, there’s no real excuse not to make this a priority.
Last year, Google began requiring manufacturers to offer at least two years of security updates for handsets. (Pixel phones are guaranteed to get three years.) The issue with that? It only requires “at least four” updates within a year. That’s quarterly, not monthly—and it’s exactly what most manufacturers are doing. The bare minimum. And it’s just not good enough.
Why? Because new vulnerabilities are exposed all the time. I don’t want my data to be potentially compromised while I wait for my phone’s manufacturer to get around to cooking up three months’ worth of security fixes in one update—I want them as soon as Google releases them, and you should too.
This PNG vulnerability is just one example. Month after month these types of issues are discovered, and with most manufacturers pushing out security updates months later, that leaves your data exposed for much longer than is acceptable.
While I wish there were an easy answer on how to fix this, unfortunately, there isn’t. Until manufacturers start to take your info more seriously, there’s only one real answer: buy a different phone. Apple and Google have routinely proven that they care about users’ data, so iPhone and Pixel handsets are both excellent choices for users who want to do everything they can to protect their data.
As cliché as it sounds (and I’m honestly sick of hearing it): it’s time to vote with your wallet. Don’t buy phones from manufacturers that don’t care about your data. That’s the only way they’re going to know this is serious.