That is still a long time away from now and such an outcome will only make it more certain that Google does not care for post-release user experience.
For consumers, it is hard to tell whether their device has actually been receiving security updates.
Research firm Security Research Labs has claimed that several mobile manufacturers are lying to their customers about missed Android security patches, as per a report by Wired. What they discovered is something they refer to as a "patch gap". "Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks".
Device fragmentation has always been a challenge for Google when releasing updates for its Android platform, which is by far and away the most popular mobile software on the planet.
However, handsets from lesser-known manufacturers like ZTE and TCL have a worse track record at pushing out security patches. "These layers of security - combined with the tremendous diversity of the Android ecosystem - contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging". Some patches may also have been missed, says Google, because the manufacturer removed the offending feature instead of fixing it with the patch. The manufacturers have allegedly been found to be lying to consumers about missed security patches. The "patch gap" varies by device and manufacturer, but given Google's requirements as listed in the monthly security bulletins, it shouldn't exist at all.
Other OEMs such as TCL and ZTE had missed four or more patches.
"We found several vendors that didn't install a single patch but changed the patch date forward by several months", Nohl further revealed.
Nohl agrees that exploiting Android vulnerabilities remains hard due to these security layers and points out that an easier and more common route to compromising Android devices is through malicious apps, either inside Google Play or outside the store. Nevertheless, the security company plans to update its SnoopSnitch app to show users the actual patch status of their handset.
Google told Wired, "some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security". The company tried to do some damage control by listing mechanisms such as Google Play Protect, which are being developed to provide an extra layer of security.