Soon after the release of PRIV late last year, we announced an aggressive patching strategy and plan that would put PRIV at the forefront of security hygiene across all mobile devices. The importance of this patching commitment and process cannot be overstated; the complex nature of mobile operating systems demands this kind of field upgrade program to meet the needs of the most privacy and security conscious consumers and enterprises. This commitment, in addition to the vast investment and innovation in security technological enhancements to Android made by BlackBerry, is critical in delivering BlackBerry-level privacy and security to the Android world. After four months of Android security bulletins, now is a good time to reflect on how BlackBerry has delivered on its patching commitment.
This post was originally published on Inside BlackBerry Blog.
Google releases Android security bulletins – a list of vulnerabilities – on a monthly basis, and the timely release of patches for these vulnerabilities is needed to reduce the risk of their exploitation. The following table shows how the world’s Android OEMs (phone and tablet makers) have performed in their patching programs. Each cell shows how many days elapsed between Google’s public disclosure of the monthly vulnerability list and the availability of a corresponding OEM patch to address the list. This number represents a time window in which users and enterprises are exposed to exploitation by attackers who have been handed a menu of juicy vulnerabilities, some of them critical – such as StageFright – on which to feast.
In the table below, green indicates no delay between public disclosure and patch availability; yellow indicates patch available within a week of exposure; red indicates patch available after more than a week (or not at all). For each OEM, we reference their best-case scenario, i.e. the device receiving the earliest security patch (for OEMs with large device portfolios, patch timing is inconsistent).
(click on the above image to see larger version)
BlackBerry is the first OEM to deliver patches in line with Google’s public disclosure, closing the window of vulnerability exposure to customers. Other mobile device vendors can take weeks, months or even years to deliver security patches, leaving you and your business at risk. BlackBerry’s steadfast commitment to timely security updates is just one of the many reasons why BlackBerry continues to be the undisputed leader in mobile privacy and security.