>But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.
Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes it possible for Google to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.
The problem is that each OEM releases 50 different models per year, vs Google (or Apple) that release 3 or 4 models.
If that truly is an issue then Android is a fundamentally broken OS.
How many different models of PCs get released? How hard is it to patch any of their OSs?
And then you install that 'security patch' and end up with a borked phone, apps that no longer work, new apps that you didn't ask for and so on.
Give me just the security updates please.
No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.
> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.
Being reliant on a single OS permanently nailed to the hardware is no less crazy. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.
Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.
Provide a way to unlock the phones and a standard BSP, it should be the law.
Please try to e-recycle rather than normal land-fill trash.
I hoped with a move to Fuschia, Google would attempt to fix this, but unfortunately Fuschia on mobile is dead.
It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?
As Randall Munroe pointed out in https://blog.xkcd.com/2010/05/03/color-survey-results/, almost nobody knows how to spell "fuchsia" correctly. I only remember it by the mnemonic of it's fuck, but with an s.
I vote to just change the spelling to what almost everyone already thinks it is anyways.
It'll still be just as weird. But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling. I mean, I know this is English spelling which is not known for its regularity, but this is just too much.
> This [update] was rushed out to all Pixel users.
Pixel 8 here, still don't have the update. That's... not great.
I'd suggest you use GrapheneOS.
Just go to the software update, touch the button, then touch it a second time, and that will give you all available updates immediately, regardless of your random position in the rollout process.
Not working for me on Android 16, additional taps of the "Check for update" button in the bottom-right don't change the fact that it says "Your system is up to date" and that the last change was last month.
Could be model-specific. I got the update by doing that manually on my Pixel 8 Pro, that also happens to be on the beta track so there are a few confounders. But that is the way to get the latest software that is waiting to be released to your phone, without waiting.
This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?
> if I don't install any crap on my phone I am safe?
We don't know. Practically no technical information is released about the bug, for what I care any Play Store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.
Is GrapheneOS affected?
GrapheneOS patched this CVE back in September: https://grapheneos.social/@GrapheneOS/115647360248469626
From what I can tell, if you're running the latest security preview release[1] then it's already fixed: https://grapheneos.org/releases#2025120400
[1]: https://discuss.grapheneos.org/d/27068-grapheneos-security-p...
While the information leakage/disclosure is a big issue, it feels like it's still a big jump to get users to install off-Play Store APKs?
nice list of vulnerabilities and source changes
https://source.android.com/docs/security/bulletin/2025-12-01
My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.