The Android smartphone ecosystem has a huge problem with deploying timely updates to Android phones and tablets. This lack of updates, especially security updates, needlessly and negligently exposes Android devices to malware infection.
When a vulnerability is discovered in any operating system, be it Windows, MacOS, iOS (Apple devices), Android, or whatever, the company that develops that OS will patch (fix) the vulnerability and issue an update to all their customers. These updates are usually automatic so you don't have to do anything to receive them and be protected.
But Android devices, by the hundreds of millions, go unpatched for long periods of time or they're not patched at all. That's the topic of this article.
Google is the company that develops and maintains Android. Even though Google generally patches vulnerabilities as they are discovered, the ecosystem in which Android operates needlessly delays the actual deployment of those updates.

Android not feeling so good
Wowzers! Why is that?
That's a really big question. Let's start at the beginning, shall we? Yeah, I know, it sounds like you're in for a long read. It's really not that long and a little history is always interesting.
How did Android come about anyway?
Back in June 2007, Apple caught the mobile phone world flat-footed when they released the iPhone -- a time when most people used "candy-bar" phones or flip-phones like the Motorola Razr. The closest thing to a smartphone -- and it wasn't very close at that -- was the Blackberry, a phone that could do email and had a rudimentary browser.
The iPhone was singularly revolutionary -- nothing less than a tectonic shift in mobile technology. The hype was so loud and relentless that it was dubbed the "Jesus Phone" for its promised humanity-shifting influence. Turns out that hype was right: it is indeed humanity-shifting. A majority of the world's population owns a smartphone today. Consider how different the world would be today had the smartphone never been invented. But I digress...
Anyway... People bought the iPhone like crazy, with long lines snaking around the stores that sold them. There was nothing else even close to it. Apple had the entire smartphone market pretty much to themselves for a good two years at least. Other manufacturers scrambled to develop their own smartphone and OS to compete with Apple, but they were all wildly casting about and floundering. It was a pivotal moment in the mobile industry and an existential threat to manufacturers, driving many out of business and others to be swallowed up.
With competitors trotting out various devices, all doomed to fail, the competitive bloc needed a savior to unify their response to Apple. Certainly, no existing phone manufacturer could be trusted to develop the needed OS. Competition was cutthroat and, besides, they lacked the skill to do so.
Google was probably the only non-device-aligned company large enough to quickly pull off the development of a device-agnostic OS that all the phone makers could get behind. Microsoft was a nonstarter as they were very late to the mobile game and, indeed, have since officially abandoned it. This continues to be probably Microsoft's greatest corporate blunder.
To sweeten the deal, giving bickering manufacturers added incentive to use Android, Google opened Android and gave the phone makers and wireless carriers wide latitude over modifications to Android. And it was free. It was the easiest way to get widespread adoption even though the manufacturers had no real alternative. And that was the deal with the devil -- the fateful decision that led to today's Android security nightmare.
Phone manufacturers are in the phone-making business. The wireless carriers are in the wireless signal, bandwidth, and tower/antenna business. The modifications that phone makers and carriers perform on Android aren't done to make Android better or more secure. They are done to sell their ancillary services and for marketing-centric differentiation, period. So they aren't particularly interested in testing and deploying non-revenue-generating security updates coming from Google. They'd rather you just buy a new phone.
And since the manufacturers and carriers are an (uncooperative) integral part of the update process, well then, updates are very slow in coming, if at all.
Here's the pipeline of steps that an update, such as a security patch, traverses on its way to your phone.
Apple:
Apple Update > Your phone
Android:
Google Update > Phone Maker > Wireless Carrier > Your phone
The Phone Maker and Wireless Carrier steps are where those updates, including critical security updates, languish and sometimes die. Phones that have not reached end of life (more on this below) may receive these updates or they may not. Even if they do, those updates can sometimes take months to make their way through the update pipeline and onto your phone.
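As an added example that is not part of the original article: a small Python check that reads a device's security patch level (the Android system property ro.build.version.security_patch, which records the last merged monthly security bulletin) and reports how far behind it sits. The getprop output embedded below is constructed, and the age bands and the adb invocation are my assumptions, not anything prescribed by Google.

```python
# Added example: measure how stale an Android device's security patch level is.
# ro.build.version.security_patch holds the date (YYYY-MM-DD) of the last merged
# bulletin; its age shows how long the update sat at the phone maker / carrier.
import re
import subprocess
from datetime import date

# Constructed sample of `adb shell getprop` output, not a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2022-08-05]
[ro.product.model]: [EXAMPLE-PHONE]
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$", re.M)


def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict."""
    return {m.group("key"): m.group("val") for m in PROP_RE.finditer(text)}


def patch_age_days(props, today):
    """Days from the security patch level to `today`, or None if absent."""
    raw = props.get("ro.build.version.security_patch")
    return (today - date.fromisoformat(raw)).days if raw else None


def rate_patch_age(age_days):
    """Assumed bands: current (<=60 d), lagging (<=180 d), else abandoned."""
    if age_days is None:
        return "unknown"
    return "current" if age_days <= 60 else "lagging" if age_days <= 180 else "abandoned"


def check_device(getprop_output, today=None):
    """Summarise one device's update status from its getprop dump."""
    props = parse_getprop(getprop_output)
    age = patch_age_days(props, today or date.today())
    return {"model": props.get("ro.product.model", "?"),
            "android": props.get("ro.build.version.release", "?"),
            "patch_level": props.get("ro.build.version.security_patch"),
            "age_days": age, "status": rate_patch_age(age)}


if __name__ == "__main__":
    # Assumes adb is installed and a device is attached; else uses the sample.
    try:
        out = subprocess.check_output(["adb", "shell", "getprop"], text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        out = SAMPLE_GETPROP
    print(check_device(out))
```

Run it against a real device and compare the reported age with Google's current monthly bulletin date to see the pipeline delay for yourself.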
Getting timely updates is pretty dang important because bad actors are always on the search for device vulnerabilities they can exploit.
It's not that Android itself is necessarily less secure although there is some discussion on that. The problem is lack of updates. On the present course, there could eventually be an Android security Armageddon. A day of reckoning where the sloppy practices of today and years past will come home to roost, unless phone makers and carriers decide to embrace proper security update protocols. They may yet do that if their survival instinct ever kicks in. But so far they haven't and there's little indication that will change any time soon. C-Suite executives rarely give security concerns proper attention.
Apple is very different in this regard. Since Apple both manufactures their devices and develops the OS, they have total control top to bottom and are able to deploy security fixes whenever necessary -- without needing any cooperation from phone makers and only minor cooperation from wireless carriers. This is a critical advantage to iPhone (and iPad). It's enough of a reason all by itself to avoid Android in favor of iPhone.
Malware can be designed to do any number of nefarious tasks: Pilfer your passwords, steal sensitive data, add your device to a botnet, track everything you do including recording your phone calls, text messages, track your location using the GPS receiver, spread to other devices using yours as a springboard (Typhoid Mary), "brick" your phone by overwriting the phone's firmware, encrypt your data (ransomware), and really any number of other things of the bad actor's choosing.
Mind you, this risk is fairly low, especially on Apple devices. But it's not zero.
Fragmentation -- A big problem you've never heard of
Fragmentation is when there are multiple hardware and/or software versions and inconsistencies in the installed user base (people with phones). As of this writing, the Android ecosystem has over 4,000 distinct device models (hardware) across many dozens of brands. And there are numerous major versions of Android OS (software) as well, making for even more distinct combinations. This aggravates timely deployment of updates because of the QC (Quality Control) needed to ensure patches don't break something else.
Fragmentation also makes it difficult for developers to take advantage of hardware features that aren't common. It's one of the bigger complaints that developers have regarding the Android ecosystem. That means if your shiny new Android phone has a relatively uncommon hardware feature (that you may particularly like) there's a good chance that feature won't be fully realized to its potential.
It's not uncommon for the installed base of Android phones to be on older versions of Android OS. Indeed, the Android version that ships on any particular phone may well never be upgraded to the next version.
Again, here is where Apple is very different. As of this writing, Apple has released fewer than a hundred iPhone models (not counting things like various amounts of storage or color of device) since its introduction way back in 2007, so fragmentation is essentially non-existent. And when iOS is upgraded, the rate of uptake on already-sold and eligible iPhones is nearly universal.
This lack of fragmentation makes it easier to develop for iOS devices since developers can expect certain hardware features to be present and for most Apple devices to be on the latest iOS version. For example, all iPhones from the 5S onward have a fingerprint sensor*. This also makes it easier for Apple and developers to update and support older devices.
* Most newer iPhones have FaceID and eliminated the home button which housed the fingerprint sensor in earlier models. Instead, these models employ facial recognition using a new advanced camera. But app-writers don't have to worry about that as it's handled by the operating system.
End of life (EOL) refers to when a product no longer receives support by the manufacturer (It doesn't mean that it just quits working).
Android phones have a comparatively short product lifetime before reaching EOL. If you purchase a new flagship Android phone that's a newly released model, you'll likely get upward of 3 to 4 years of support before EOL. Lower end models might only get a year or two.
Apple, on the other hand, extends support much further back. iPhones all receive between 5 and 6 years of support. And sometimes upward of 8 years, depending on how aggressively Apple culls older phone models when they release a new major iOS version. If a particular model year of iPhone was comparatively more popular and included some major hardware improvements, then Apple may maintain support for a bit longer before finally culling it in a newer iOS release. That's where the "upward of 8 years" comes from.
And, importantly, Apple updates the OS as well, not just bug fixes and security updates. That means older phones can get new features that might only come with a major OS update. That's nearly unheard-of for Android since actual boots-on-the-ground OS upgrades are quite rare on that platform.
The bottom line is that for people who don't download a bunch of apps then Android is probably okay.
But if somewhat better privacy and definitely better security and updates are important, then iPhone is the clear choice. Yes, iPhones are expensive. But you don't have to buy the latest model. Apple themselves usually have the previous model year available and you can use sites like swappa.com (which is safe) to buy a gently used phone.
And don't be concerned that a used phone might have someone else's files or viruses. That's not how used phones work. Part of the process in preparing a used phone for resale is wiping it, which returns it to the factory-provided settings. Every vestige of the previous user's environment is gone.
Dec 2025 update
I wrote the first draft of this article in 2015. Now, ten years later, I'm disappointed to see that all of the problems with Android that I described herein are still problems!
There's been some minor improvement in the length of the support life for some Android phones, but all in all, there's been no significant headway to rectifying any of the concerns I've expressed. In ten years!
Vulnerability: This is a type of bug that could allow malware unauthorized access into a system. You might think of it as a "chink in a knight's armor", a small exposed weak spot in an otherwise impenetrable suit of armor where a swordsman may target his attack to harm the knight. Software systems may inadvertently contain hundreds (or more!) of such vulnerabilities, mostly waiting to be discovered.
OS or Operating system: This is the system software on a computer (phone, laptop, whatever) upon which everything else runs. Notable examples include Windows, MacOS, iOS, Android, and Linux, although there are others. All computers and devices in the consumer space have an operating system.