If you run a Google Pixel handset, your phone is safe from a security hole that lets a PNG file completely compromise the system. If you use almost any other Android phone, your phone is vulnerable. This is a problem.
Google recently released the February security update for Pixel devices, which closes a hole that allows malicious PNG files to "perform arbitrary code in a privileged process". In simpler terms, the code can run at a high privilege level and steal your info.
This means that a PNG that reaches you – whether in an email, a messaging client or even over MMS – might hijack the system and steal valuable data. That applies to every phone that isn't a Pixel, since Pixels are protected now. Phones from Samsung, LG, OnePlus and most other manufacturers are still vulnerable to this bug. We need to start holding manufacturers to a higher standard in terms of security updates. Period.
I currently have four Android phones within reach: Pixel 2 XL, Pixel 1, Samsung Galaxy S9 and OnePlus 6T. The two Pixels are patched and protected by the February update, but the S9 and 6T are only on the December security patches. This means that all newer vulnerabilities – such as this PNG one, for example – remain unpatched on both phones. Considering that Samsung Galaxy devices are among the most popular phones on the planet, that's worrying.
But this isn't a problem only because of the current issue. It is an ongoing problem and a constant concern – or at least it should be. As long as there are new vulnerabilities, delayed security updates will always be a problem. So, to put it in simpler words: this will always be a problem because vulnerabilities are guaranteed.
While Android "fragmentation" has long been a problem (essentially since the platform was introduced) for complete OS updates, that should not apply to security updates. These are not "new features are cool, and I want them" updates; these are important data-protection updates. Whether they are small or not, they are not something that should be overlooked by any consumer. Ever.
Currently, manufacturers are doing a horrible job of protecting their users, full stop. While not getting complete OS updates (or even point releases) is annoying at best, not getting security updates is unacceptable. It sends a message that cannot be ignored: it says your phone manufacturer doesn't care about your data. Your information is not important enough to protect.
Security updates are not as large as full OS updates or even point releases. They are released every month by Google, so they are much smaller and easier to bake into the system – even for third-party manufacturers. Again, there is no real excuse for not prioritizing this.
Last year, Google required manufacturers to provide at least two years of security updates for phones. (Pixel phones are guaranteed to get three years.) The problem with that? It only requires "at least four" updates within a year. That is quarterly, not monthly – and that's exactly what most manufacturers do. The bare minimum. And it's just not good enough.
Why? Because new vulnerabilities are discovered all the time. I do not want my data to be compromised while waiting for my phone's manufacturer to get around to bundling three months' worth of security updates into one update. I want them as soon as Google releases them, and so should you. This PNG vulnerability is only one example. Month after month, these types of problems are discovered, and with most manufacturers, security updates that arrive months later leave your data exposed much longer than is acceptable.
I wish there were a simple answer to how to fix this; unfortunately, there is not. Until manufacturers start to take your information more seriously, there is only one answer: buy a different phone. Apple and Google have routinely proven that they care about user data, so iPhone and Pixel phones are both great choices for users who want to do everything they can to protect their data.
As cliché as it sounds (and I'm honestly sick of hearing it): it's time to vote with your wallet. Do not buy phones from manufacturers who do not care about your data. This is the only way they will know this is serious.