We often get asked which mobile phones our clients should go with for their SLT and their employees, so we decided to do a deep dive. We looked at security controls, the patching frequency and supportability periods for popular phone vendors in New Zealand to identify the leaders, and vendors that should be used with caution. While this is not an exhaustive research piece, we hope it provides some visibility of vendors that are focused on keeping their devices secure.

Problem Statement:

Google’s Android mobile operating system has a long-standing issue with patch delivery, as each vendor will release a proprietary version of the operating system to run on their phones. This has led to a large discrepancy in patch delivery for Android devices, often leaving a large portion of devices vulnerable to known exploits.

Google are running multiple projects to address inconsistent patching across phone manufacturers, which include separating the chipset manufacturers from the phone manufacturers, and enforcing containerised modules that phone manufacturers must use. This has led to a significant increase in the security of Android devices that ship with the Google Play store, but there are still phone manufacturers that are lagging behind.

Our Findings:

Patching Frequency:

Finding:

We selected 9 leading phone vendors to investigate patching frequency, for 7 major proprietary versions of the Android OS. We have listed the Security Patch Period and patching frequency for flagship and non-flagship phones.

Vendor     Android OS       Security Patch Support          Flagship Security Updates   Non-flagship Security Updates
Google     Pixel UI         5 years                         Monthly                     Quarterly
Samsung    One UI           5 years                         Monthly                     Quarterly
Oppo       ColorOS          5 years                         Monthly                     Quarterly
OnePlus    OxygenOS         4 years                         Monthly                     Quarterly
Nokia      N/A              3 years                         Monthly                     Quarterly
Motorola   N/A              Up to 3 years (for flagship)    Monthly                     Quarterly
Vivo       Funtouch OS      Up to 3 years (for flagship)    Monthly                     Quarterly
LG         LG UX            3 years                         Sporadically                Sporadically
Huawei     EMUI / MagicUI   No commitment                   Monthly                     Quarterly

Recommendation:

Our findings suggest that flagship model phones are generally more secure due to more frequent security updates. It is also worth noting that some vendors provide a longer support period for flagship phones compared with non-flagship phones.

Patching Cycle:

Finding:

Phone manufacturers run two patching cycles based on the model of the phone (flagship vs non-flagship). High-end phones receive monthly security updates, while non-flagship phones receive quarterly security updates.

Since no vendor ships the base Android OS, there is an unavoidable delay of up to a month before security patches (those not delivered through Google Play services) reach devices, for all models and all manufacturers.

Recommendation:

Flagship phones by Google and Samsung appear to be leading the way with security updates.
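As an added example, not taken from the original article, the following Python check turns the two patching cadences and the up-to-one-month vendor delay into a maximum acceptable patch age and applies it to a fleet inventory (for example one exported from an MDM). The day thresholds, device names and patch levels are this example's own assumptions; the only real identifier used is the Android property `ro.build.version.security_patch`, which reports the patch level as YYYY-MM-DD.

```python
from datetime import date

# Maximum acceptable age (days) of a device's security patch level. Derived from
# the two cadences described above plus the up-to-one-month vendor integration
# delay; the exact day counts are this example's own assumption, not the article's.
CADENCE_DAYS = {"flagship": 31, "non-flagship": 92}
VENDOR_DELAY_DAYS = 31


def parse_patch_level(value):
    """Parse the YYYY-MM-DD string Android exposes in ro.build.version.security_patch."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def patch_lag_days(patch_level, as_of):
    """Days between the device's patch level and the assessment date (both YYYY-MM-DD)."""
    return (parse_patch_level(as_of) - parse_patch_level(patch_level)).days


def max_allowed_lag(tier):
    """Cadence for the tier plus the vendor delay, e.g. 62 days for a flagship."""
    return CADENCE_DAYS[tier] + VENDOR_DELAY_DAYS


def patch_status(patch_level, tier, as_of):
    """Return 'current' if the device is inside its expected window, else 'overdue'."""
    lag = patch_lag_days(patch_level, as_of)
    return "current" if lag <= max_allowed_lag(tier) else "overdue"


def fleet_report(inventory, as_of):
    """Evaluate (device_id, tier, patch_level) tuples and return a status per device."""
    return {dev: patch_status(level, tier, as_of) for dev, tier, level in inventory}


# Constructed sample inventory: device ids and patch levels are made up for illustration.
SAMPLE_INVENTORY = [
    ("pixel-ceo", "flagship", "2023-11-05"),
    ("galaxy-cfo", "flagship", "2023-08-01"),
    ("a-series-sales", "non-flagship", "2023-09-01"),
    ("budget-tablet", "non-flagship", "2023-05-01"),
]

if __name__ == "__main__":
    for dev, status in fleet_report(SAMPLE_INVENTORY, "2023-12-01").items():
        print(f"{dev}: {status}")
```

A device flagged as overdue by this check is either outside its vendor's support period or has an update that has not been installed; both cases warrant follow-up before the device keeps handling sensitive data.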

Google Play Services:

Finding:

Google Play Services is an integral security component of Android devices, providing core services to supported OEMs without requiring customisation of the kernel. Less kernel customisation reduces the likelihood of an OEM-introduced vulnerability.

Recommendation:

Huawei, as a manufacturer, is not able to implement Google Play Services due to US export laws, meaning its devices may lack security controls that other vendors are able to implement.

Apple Devices:

Finding:

Apple does not take a fixed approach to software and security updates, but in general, offers 5 years of software and security patching, and full maintenance for at least the next two major versions (released yearly).

While Apple provides less definitive clarity around the total length of support for their mobile phones/iOS versions, the simplicity of the ecosystem (compared to Android) makes information around each specific model/OS easier to locate and update.

Recommendation:

We recommend using an iPhone that is compatible with either of the latest two versions of iOS for the best security coverage (iOS 17 or iOS 16).