2022-11-25
Android Vendors Need to Minimize the Patch Gap
The patch gap is the length of time it takes for a patch from a vendor for a known flaw to reach device manufacturers. In June and July of this year, Google’s Project Zero (GPZ) discovered five vulnerabilities in the Arm Mali GPU driver. Arm released patches in July and August, but when GPZ recently examined major Android handsets, none of them had applied the fixes.
Editor's Note
It has been an ongoing problem for Android users that updates to the operating system need to first pass handset makers and carriers, leading to long delays in the availability of patches, and in some cases, making patches unavailable at all for some handsets. Your best bet is a handset that is part of "Android One" which also avoids preinstalled bloatware.

Johannes Ullrich
Google does patch its Pixel phone faster than other Android-based phone vendors much of the time, so it does seem odd that Google’s own Project Zero found the flaws and Google still hasn’t patched them on the Pixel phone. This undermines one of the claimed benefits of choosing a Pixel phone.

John Pescatore
Google has started work on doing several things to make the patch gap smaller. One of the significant issues is how forked the Android Linux Kernel is from the Linux Kernel. Check out Project Mainline to see how they are trying to address this. One of the other projects that Android has been working on is Android One. The biggest challenge will be proprietary drivers from the Smartphone makers. This is something Google will not be able to control entirely. Unfortunately, this is where Google Pixel and Apple may have the edge. Is this an area that needs to be addressed with regulation? Will regulation slow things down unnecessarily? It’s a complicated problem to solve. Maybe it's best left to the hands of the consumer if that means that we sacrifice smaller players or cheaper devices.

Moses Frost
When it comes to Android, just as with Windows, there are multiple manufacturers to choose from. When assessing them, be sure to factor in both their plans for delivering updated versions of the OS and security patches, as well as deployment of firmware updates to their hardware components. Also make sure you have lifecycle replacement plans for mobile devices just as you would for more traditional IT; for Android devices that will be about three years.

Lee Neely
If "patch gap" is the "time it takes for a patch from a vendor ... to reach device manufacturers," then "patch lag" is how long it takes for it to reach your device. Lag is what is more important.
