[gsnedders]

I presume the OS can at least tell what exact model it's on, which means we could potentially at least have something (an app, given I guess Google will never ship such a thing) that says, "hey, this device isn't secure any more".

Now, obviously there's the problem with the time taken to ship fixes (do you say the device is insecure for the two-to-three months before a patch is shipped? do you say the device is insecure only six months after the exploit becomes public? etc.), so even this isn't that simple.

I still wonder about how well the "Android security patch level" will cope with OEMs and their often slow kernel updates (i.e., the fact there are OEMs that quickly release userland fixes, and very slowly release kernel updates).