Motorola says monthly security updates are too hard

Motorola will not be providing monthly security updates for its Android smartphones, according to a statement the company gave to Ars Technica. While Google provides Android manufacturers with official Android security updates on a monthly basis, but Motorola says the amount of testing and approvals needed to deploy them makes this difficult.

Motorola's statement was as follows:

"Motorola understands that keeping phones up to date with Android security patches is important to our customers. We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade."

Motorola smartphones (including the new Moto G4 Plus and upcoming Moto Z) will still receive security updates, but not on Google's schedule. Ars Technica notes that the Moto Z is still running the May security update, meaning its missing two months of fixes and patches.

Founder and CEO of Whitehack Adrian Wood says that while Motorola's actions aren't ideal, it's a problem that also exists across the wider Android landscape.

"At the best of times, attackers are two steps ahead on mobile platforms when it comes to mobile malware," Wood told CyberShack.  "In some ways, Motorola is not unique in its statements, consumers face a problem when purchasing an Android in that they – apart from when they purchase a Nexus – can't be sure when a vendor will actually patch their phone."

Wood says this problem is even worse when customers purchase their Android device directly from a telco, as a further level of testing (and therefore delays) is added to the equation.

"In the past few years there have been around a dozen of high-profile [Android] exploits publicly known in the security community. If these issues are out in the wild, on websites, on apps that you may download and Motorola is holding back a patch for financial reasons then your privacy and security is at risk too."

These problems stem from how Android is utilised by hardware manufacturers, who each put a unique twisted on the operating system in order to further differentiate their phones. As such, when Google releases an update, manufacturers need to optimise it each of their individual smartphones. That being said, Motorola has become known for using close to unmodified versions of Android for its smartphone, which makes the company’s decision somewhat more confusing.

Woods says that Google and Android manufacturers need to take further steps to reduce the delay in getting security updates to end users, as "the threat posed by malware is basically growing every day, and has been for several years".

Select Samsung, LG, and Nexus devices currently receive monthly security updates, although this is typically limited to flagship devices.