by g_p 3467 days ago
Absolutely - userland is the easiest to exploit, as it's fairly common across all devices (thanks to CTS and standardisation of the runtime) - that's why stagefright was such a big deal!

Definitely agreed - I've thought about making such a list to give visibility of this before, but it would be more of a user-submitted list (perhaps with link-up to screen scraping of OEM web pages for the ones that list the latest version).

What held me back was the sheer complexity of working out whether a device still gets updates - take Samsung as an example; the user says "I have a Galaxy S6". Depending on their geographical location this might be a carrier-free G920I or G920F. If they are in the US, it could then be one of about 5 or 6 variants, and there's even a G920W8 for Canada.

User wants to know if "Galaxy S6" is safe and secure, but even different regional firmwares of the same SKU might not be getting pushed security updates. And some US carriers (Verizon, ATT) are notorious for not pushing out updates to users. And then finally when you figure out the version on a given phone, you need to try to decide if the fact the device is still on October 2016 security patch means it's unsupported or not.

Often Samsung are lagging 2 to 3 months behind on some SKUs, making it even harder to tell. The same is true for many other OEMs - Sony have a pretty complex system of ROMs for each region, meaning you have carrier and non-carrier ones, and they can be on different versions.

To make this happen, we'd ideally need a single worldwide firmware without carrier changes/tweaks/influence. Until then, I suspect it would be too complex to help users work out if their device was being supported.


Starting from Android 6, it's easy to check if the device is up-to-date from an Android point of view: in "About phone", you have an "Android security patch level" section which should match the current month.
Yes indeed - the downside of this is that it's hard to gather this information together in a way that lets you show people "which devices" are still maintained.

It is much better for users to know if they are on the latest build. Sadly though for (most/many?) devices, the answer is "it's not", and there's nothing they can really do about it, either due to OEM latency in releasing updates, or the OEM having abandoned their phone.

Samsung [1] and LG [2] pretty much say on their own websites that only certain phones will get updates promptly (or at all) - consider their full product ranges and the cheaper devices not even listed!

[1] http://security.samsungmobile.com/introsm.html

[2] https://lgsecurity.lge.com/security_updates.html > Depending on regions and carriers, updates may be released monthly, quarterly or irregularly.

I presume the OS can at least tell what exact model it's on, which means we could potentially at least have something (an app, given I guess Google will never ship such a thing) that says, "hey, this device isn't secure any more".

Now, obviously there's the problem with the time taken to ship fixes (do you say the device is insecure for the two-to-three months before a patch is shipped? do you say the device is insecure only six months after the exploit becomes public? etc.), so even this isn't that simple.

I still wonder about how well the "Android security patch level" will cope with OEMs and their often slow kernel updates (i.e., the fact there are OEMs that quickly release userland fixes, and very slowly release kernel updates).
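As an added example (not code from any commenter), a small POSIX shell checker that reads the system property behind the "Android security patch level" setting mentioned earlier in the thread and classifies the device by how far that level lags a reference date, the kind of "this device isn't secure any more" signal the last comment asks for. The lag thresholds and the sample dates are assumptions, not any OEM's published policy.

```shell
#!/bin/sh
# Added example: classify an Android security patch level by how many months
# it lags a reference date. Thresholds (<=1 month current, <=3 lagging,
# beyond that treated as unsupported) are assumptions modelled on the 2-3
# month OEM latency discussed in the thread, not a vendor's published policy.

# Months between a patch level (YYYY-MM-DD) and a reference date (YYYY-MM-DD).
patch_age_months() {
  py=${1%%-*}; rest=${1#*-}; pmo=${rest%%-*}
  ry=${2%%-*}; rest=${2#*-}; rmo=${rest%%-*}
  pmo=${pmo#0}; rmo=${rmo#0}      # "09" -> "9" so the shell does not read it as octal
  echo $(( (ry - py) * 12 + (rmo - pmo) ))
}

# Print current | lagging | unsupported | invalid for a patch level string.
patch_status() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
    *) echo invalid; return 1 ;;  # pre-Android 6 builds return an empty property
  esac
  age=$(patch_age_months "$1" "$2")
  if [ "$age" -le 1 ]; then echo current
  elif [ "$age" -le 3 ]; then echo lagging
  else echo unsupported
  fi
}

# Read the property behind the "Android security patch level" setting from a
# connected device over adb (Android 6+), along with model and OS version,
# so the verdict is tied to the exact SKU rather than a marketing name.
device_report() {
  model=$(adb shell getprop ro.product.model | tr -d '\r')
  release=$(adb shell getprop ro.build.version.release | tr -d '\r')
  patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  echo "$model (Android $release) patch $patch: $(patch_status "$patch" "$(date +%Y-%m-%d)")"
}

# Usage: `sh check_patch.sh --device` with a device attached. With no args it
# runs a constructed sample: the "still on October 2016 patch" case from the
# thread, judged from a hypothetical reference date of 2017-01-05.
if [ "${1:-}" = "--device" ]; then
  device_report
else
  patch_status 2016-10-01 2017-01-05   # prints: lagging
fi
```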