So basically to summarize, Google embargoes security patches for four months so OEMs can push out updates more slowly. And if those patches were immediately added to an open source project like GrapheneOS, attackers would gain info on the vulnerabilities before OEMs provide updates (the GrapheneOS project can see the patches, but they can't ship them). But a lot of patches end up being leaked anyway, so the delay ends up being pointless.
This is ridiculous. Makes one wonder about the state of OEM development. It's not hard to build a CI pipeline for android. There is no good reason OEMs can't be running test builds of ROMs with security patches within hours, and have QA done in a day or two, or a week max.
i don't understand googles rationale here, what is the point in giving wind to the hackers sails while also driving home the narrative that android is a less secure system, especially after the recent changes related to the security of the latest iphone?
1. Release binary-only updates (opt-in).
2. Let the community (a) make GPL source requests for any GPLed components and (b) let the community reverse engineer the vulnerabilities from the binary updates.
3. Publish the source once everything is public anyways.
Which just shows how utterly ridiculous all this is.
One thing that seems positive is that it is now possible to release binary patches earlier than before, isn't it? My understanding is that before, OEMs had to wait for 1 month, and now they can release the binary patches right away.
I see a lot of people saying how the whole thing is completely ridiculous, but this part seems like a win.
> Android security patches are almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
Android is is over 15 years old and Google still hasn't fixed the update mess. Google should be in charge and ship security updates, not OEMs. You don't see Dell responsible for Windows security updates.
I wish we had more choices beyond Android and iPhone.
I think this thread makes it quite clear that Android is not a secure OS, period. Like, maybe it’s safer on a Pixel with Google’s own distribution, but even still, Graphene is claiming that Google’s team is stretched thin and isn’t fixing issues from 2024.
20 comments
[ 2.2 ms ] story [ 67.6 ms ] threadI agree with their points in the thread, but could Graphene "become" an OEM to get access to the security patches sooner? Just curious.
[0] https://grapheneos.social/@GrapheneOS/115164297480036952
Also, if they're asking an OEM to release the patches, why can't they become an OEM to do that?
1. Release binary-only updates (opt-in). 2. Let the community (a) make GPL source requests for any GPLed components and (b) let the community reverse engineer the vulnerabilities from the binary updates. 3. Publish the source once everything is public anyways.
Which just shows how utterly ridiculous all this is.
To my recollection, they always maintained that being open-source doesn't matter for security, after all
I see a lot of people saying how the whole thing is completely ridiculous, but this part seems like a win.
Android is is over 15 years old and Google still hasn't fixed the update mess. Google should be in charge and ship security updates, not OEMs. You don't see Dell responsible for Windows security updates.
I think this thread makes it quite clear that Android is not a secure OS, period. Like, maybe it’s safer on a Pixel with Google’s own distribution, but even still, Graphene is claiming that Google’s team is stretched thin and isn’t fixing issues from 2024.
Meanwhile, Apple is allegedly building the most secure devices you can connect to the Internet: https://techcrunch.com/2025/09/11/apples-latest-iphone-secur...
If NSO group develops exploits, why would they have early access?