Beating Expectations: Android Security Patching for PRIV

PRIV by BlackBerry

Soon after the release of PRIV late last year, we announced an aggressive patching strategy and plan that would put PRIV at the forefront of security hygiene across all mobile devices. The importance of this patching commitment and process cannot be overstated; the complex nature of mobile operating systems demands this kind of field upgrade program to meet the needs of the most privacy- and security-conscious consumers and enterprises. This commitment, in addition to BlackBerry’s vast investment and innovation in security technology enhancements to Android, is critical in delivering BlackBerry-level privacy and security to the Android world. After four months of Android security bulletins, now is a good time to reflect on how BlackBerry has delivered on its patching commitment.

Google releases Android security bulletins – a list of vulnerabilities – on a monthly basis, and the timely release of patches for these vulnerabilities is needed to reduce the risk of their exploitation. The following table shows how the world’s Android OEMs (phone and tablet makers) have performed in their patching programs. Each cell shows how many days elapsed between Google’s public disclosure of the monthly vulnerability list and the availability of a corresponding OEM patch to address the list.  This number represents a time window in which users and enterprises are exposed to exploitation by attackers who have been handed a menu of juicy vulnerabilities, some of them critical – such as StageFright – on which to feast.

In the table below, green indicates no delay between public disclosure and patch availability; yellow indicates patch available within a week of exposure; red indicates patch available after more than a week (or not at all).  For each OEM, we reference their best-case scenario, i.e. the device receiving the earliest security patch (for OEMs with large device portfolios, patch timing is inconsistent).

[Image: Android OEM security patching schedule]


BlackBerry is the first OEM to deliver patches in line with Google’s public disclosure, closing the window of vulnerability exposure to customers. Other mobile device vendors can take weeks, months or even years to deliver security patches, leaving you and your business at risk. BlackBerry’s steadfast commitment to timely security updates is just one of the many reasons why BlackBerry continues to be the undisputed leader in mobile privacy and security.


For more about today’s IT security challenges and solutions, join us for our free Executive Panel: Security, Productivity, and the Cloud webcast April 27 at 11 a.m. EDT. You’ll gain key insight from David Kleidermacher, Chief Security Officer at BlackBerry, and John Hewie, National Security Officer at Microsoft Canada, on how to balance security with productivity, take more control over your data security and more. Reserve your place by registering today.

And if you want to know more about PRIV, check out what our fans are saying, look at the official PRIV product page and watch our how-to demos. If you are wondering where you can get your hands on a PRIV, check out our availability blog. Many carriers such as AT&T in the U.S. and Rogers and Bell in Canada are also offering PRIV at new, lower prices (as low as $299.99 on a two-year contract in Canada or $21.34/month with zero down at AT&T).

About David Kleidermacher

I am dedicated to the vision of a trustworthy, scalable Internet of Things, including mobile devices, connected embedded systems, and cloud infrastructure. I oversee product security strategy as BlackBerry's Chief Security Officer. I am a leading authority in systems software and security, including secure operating systems, virtualization technology, and the application of high robustness security engineering principles to solve computing infrastructure problems. I earned my bachelor of science in computer science from Cornell University and am a frequent speaker and writer in the area of computer security, including delivering the 2014 Embedded World Conference Keynote, "Securing the Internet of Things" and author of the book "Embedded Systems Security", Elsevier 2012.
