A chart released by @SecX13 compared the performance of mobile phone manufacturers when providing security updates. While Samsung is the leading Android phone manufacturer worldwide, the company receives middling scores in the report, with weeks of delays before the first rollout of security patches, and delays for worldwide availability of security patches measured in quarters. Support timelines for Samsung phones range from 1 to 2.5 years, depending on the model of phone.
In the interest of completeness, the chart also includes iPhones as well as smartphones running Windows Mobile released by Microsoft or Nokia. Because of the effects of vertical integration, these phones receive updates immediately from the manufacturer when available. Apple provides the longest support for security updates at five years (excluding the iPhone 5C, which received 4), though this is not without problems. Microsoft continues to provide security updates for Lumia devices, though the last Lumia phone was released two years ago.
While Google-branded devices such as the Pixel and Pixel 2 should naturally follow this pattern, Google uses a staged rollout system for updates, which can delay update delivery by up to two weeks, though there may now be a way to override the staged rollout.
For phones sold through carriers, updates are delayed further. Essential, the phone company run by Android co-founder Andy Rubin, does not use staged rollouts, making it, on average, faster than Google’s own ability to deploy updates. However, as of last December, it appears only 50,000 Essential phones had been sold.
Blackberry is ranked third among Android device manufacturers in the chart, with security updates available weeks after their publication, across different models. Blackberry is susceptible to delays from carriers, though the company honors its guarantee of two years of security updates.
Nokia (as HMD Global) and Sony are ranked just behind Blackberry, though official availability of Nokia phones stateside is limited. While Sony is a major smartphone player in Japan and Europe, the company has had difficulty making a meaningful impact in the US market due to difficulties working with carriers, and an unexplained problem that prevented the company from shipping phones with fingerprint sensors (though they can be enabled by flashing a different region ROM to the phone). Sony’s 2018 lineup, including the XA2 and XZ2 series, does include fingerprint support, though it was moved from the power button.
Rounding out the bottom of the list are Blu and Wiko, both of which are effectively imprints of Shenzhen-based ODM Tinno Mobile. Device support ranges from 1 to 1.5 years, with no security updates available within a month after publication. Marginally better than those two are HTC and Huawei, which do manage timely security updates on a limited set of phones in specific circumstances.
While the report specifically addresses security updates, the difficulty of building updates in general is one that Google has sought to fix with the release of Android 8.0 (Oreo). Devices that ship with Oreo or higher are obligated to support Project Treble out of the box, which will allow device manufacturers to streamline the update process, as the overhead of building updates is lessened.