Fun fact: Pixel 7 and Pixel 7 Pro didn't get a November update
Says September is the latest system update. Click check updates, says it's up to date, click check updates again, says it's preparing system update and hangs out for a while - then says it's downloading and installing a 781M update.
WTF?
Update: OK finally the update completes an hour later, even the reboot took longer than usual - says it's "updated to December 5, 2025"
This phone running Android 16 for a bit over a month now.
Rumor is the Pixel 7a December update rollout was paused due to a severe wifi bug. You might not want to upgrade manually at this time, even if you find images available for download.
(The rumor is somewhat weak, it's apparently everyone regurgitating one seemingly AI chat.. Google needs to state the reason publicly.)
Buying a device directly from Samsung may be different, but the manufacturer still has to usually convert the pure android update to their branch.
Still, trying to find a pure android phone is important. More manufacturers used to make them.
Example: https://www.androidauthority.com/best-smartphones-stock-andr...
Do these even exist? Last phones I'm aware about were Android One program, but it ended years ago.
The link suggests Google Pixel, but it's not pure android phone, it's full of Google junk software.
My fold 6 has the November "security patch level" or what does that refer to?
Being reliant on a single OS permanently nailed to the hardware is no less crazier. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.
Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.
Provide a way to unlock the phones and a standard BSP, it should be the law.
LineageOS has a build roster of current devices at this URL:
https://lineageos.org/Changelog-30/
The Pixels are the most flexible, but don't buy a model from Verizon (they don't allow unlocked bootloaders).
Most other OEMs require you to generate an unlock token and send it to them, then wait a week, which is extrememly inconvenient (and sometimes they just stop and refuse, as I understand OnePlus has).
If you want a locked bootloader at the end of the process for security, then you will be on a later Pixel with Graphene.
Locking OS upgrades to a network vendor is substantially crazier. It creates pockets where the hardware vendor ships a security update but your network doesn't care to ship it and isn't incented to. It is BANANAS.
Sorry for the cynical take, but patronizing folks like this is worse than cynicism because it suggests that you actually believe what you're saying is true.
If you don't know what to do with it because your security standards are so high, just give it to someone with lower standards then you, or use it for some project that doesn't involve sensitive data. And if security is broken to the core, there is probably some vulnerability you can exploit to root your phone and do whatever you want with it, including installing a custom ROM.
Still, I agree with you on making it mandatory to provide an unlock method, at least for out-of-support phones.
Just silently enlisted into a "Residential VPN" and a background script that checks for the SSID "Iranian Research Facility" every time you turn your wifi on for some reason.
So the only exception is systems with open source drivers. Those are basically supported as long as the hardware architecture is and enthusiasts even have the option of adding support themselves. You can install the latest version of many Linux distributions on the first generation of x86-64 hardware from 2003 and some on 32-bit PC hardware going back to the 1980s.
It should literally be a crime that you can't do the same thing on a five year old phone.
The intention is to have a stable driver abi which should allow you to build an arbitrary OS on top (fuchsia itself is exceptionally modular and doesn't have a lot of opinions it imposes on products built above it). Of course similar to a Linux BSP not helping Fuchsia run, such a layer wouldn't enable you to run other OS on top that are not built on top of fuchsia. There is also a limit to what you can generalize in the OS layers as some products may implement private apis between themselves and specific hardware drivers. A stable ABI also implies that the drivers won't necessarily need to be open source, but if the goal is to keep the rest of the OS updatable even if drivers themselves are not updated, that is a necessary concession. There are also many other practical benefits to keeping drivers open source regardless of license obligations to do so. That all said I'm very optimistic about this direction regardless of these caveats.
Pixel 8 here, still don't have the update. That's... not great.
Now think that millions of people use the same OS on many different flavours, on different hardware, on multiple operators.
What an inneficient way of doing things.
Does it happen with iPhones?
https://grapheneos.org/releases#2025120400
https://github.com/GrapheneOS/platform_manifest/releases/tag...
https://grapheneos.social/@GrapheneOS/115666650605430196
not sure how soon it made it to a majority of devices, but i do have it rn
EDIT: I was wrong, it's actually first mentioned in https://grapheneos.org/releases#2025102200
oct 22? https://github.com/GrapheneOS/platform_manifest/releases/tag...
GoS has already deployed patches to some of the vulnerabilities you'll read about in January.
All the partnering vendors have access to the same bulletins.
Multi-billion companies like Samsung or Google had access to that since AT LEAST October. They chose to release these patches late. Some will release these patches months form now. Some, perhaps never.
So, the tiny team wins.
https://www.cve.org/CVERecord?id=CVE-2025-48572
https://android.googlesource.com/platform/frameworks/base/+/...
https://android.googlesource.com/platform/frameworks/base/+/...
>"In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed."
https://www.cve.org/CVERecord?id=CVE-2025-48633
https://android.googlesource.com/platform/frameworks/base/+/...
https://www.cve.org/CVERecord?id=CVE-2025-48633
Basically, just like most things these days, its all just local privilege escalation. This means that you have to install/run an app that has these exploits built in.
Soif you usage profile doesn't include downloading apps from untrusted sources, you don't need to worry.
No, its "If you ever need to install some random app from the play, you do need to worry"
I installed the Teams app and Torque Pro today. I am not worried. I've also got the Sherlock games (purchased way back when) that I have yet to install on my new phone.
Installing that app also will not worry me. These apps are trusted because of the authors, not because of the Play store.
Worry is not binary, it's a probability, and you are at high risk if you're installing every rando's app on your phone and low risk if you are not.
For sure that's not going to happen to an app released by a major company, but there are lots of less known app created by many different developers.
We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.
On the desktop JVM, I've seen bytecode that decompiled to a form more readable than the original source I got access to later...
In todays world, web based exploits are pretty rare. The only time you really see this happen is with full proprietary systems like IPhones because the software stack on those is all intertwined between kernel code and user code, and things like sending a text message with some formatted characters can lead to reboots of phones. But even then, to gain a full command line shell or steal secrets is either impossible due to attack surface, or requires the phone to be in a specific state, like fully factory reset.
The only real danger is chains of trust being compromised, as in some attacker manages to insert malitious code into an already trusted app that uses these exploits.
On a side note i get kick out of reading HN comments about exploitation and hacking. I think people firmly believe that with enough time, a hacker can figure out how to basically take over your phone given any exploit, no matter what it is.
Remember Kevin Mitnick's most successful approach, social engineering :)
Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order l of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes Google possible to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.
How many different models of PCs get released? How hard is it to patch any of their OSs?
If you want to go that route, each manufacturer is responsible for their own drivers for windows, linux, and possibly Mac (though if it’s novel enough, they will do it). Then think about the components that make up a PC. Motherboard, CPU, Memory Control, IO, OS, Audio, Video. Each of those needs to release patches. So its orders of magnitude more than any Android OS. It’s just pure laziness on the hardware manufacturers that don’t want to invest in software/support. They want Google to do that.
(E.g. Samsung still limits Now brief to latest devices even though it is a 99% software feature + 1% cloud with 0 hardware requirements.)
I bet this CVE's patched quicker on a samsung device running LineageOS than the stock OS.
The real difference is that Google has a more competent software development process and release process than other android OEMs, regardless of how many different devices they have.
That's core of the issue. Samsung takes Android, customizes per device and then tosses them into the world. So now they don't have 1 OS to update, they have 100s of OSes to update.
Can be a pain to move the whole suite to a new major (porting all their inhouse apps, getting all the hardware enablement from vendors updated to match, ...), but we're not dealing with a major upgrade here.
A security patch is "just" a matter of taking the last release, applying the diff, build, qa, release. No customization.
Give me just the security updates please.
Followed by a partial walk-back from Google in mid Nov 2025: https://android-developers.googleblog.com/2025/11/android-de...
I would say there is a substantial amount of users willing to install off-play Store .APKs. Substantial enough they're also willing to take a 'jump' and accept the risks/errors displayed
[1]: https://discuss.grapheneos.org/d/27068-grapheneos-security-p...
https://source.android.com/docs/security/bulletin/2025-12-01
https://source.android.com/docs/security/bulletin/pixel/2025...
Of course that leaves security in the hands of the browser.
Every single Samsung product I've had to use is actively user hostile. Like a petty kind of hostile.
I've also not been terribly impressed by the UX changes Samsung has made recently, lots of questionable decisions there.
What other decent options are out there?
So no decent options for out-of-box experience.
But it's not. It's petty and abusive. For example, you can't see (I think it was) heart rate if you have a Samsung smart watch, but don't have a Samsung phone. They've gone out of their way to just not provide that, if you instead have a Pixel phone. And you need like 5 gigantic apps installed to manage it. Why is it not just one single Samsung wear app? Because they are abusive.
Personally have no reason to consider anything but an iPhone, even if it has to be used.
Denial of service doesn't sound so bad... Does a reboot of the device solve it?
But I mean, why do we only have two choices of OS for phones (I did not include GrapheneOS because it not easily available for the normie)? That is what is ridiculous. And why, in the US, do I only get three choices of flagship phones when in Asia they have like twenty? I hate this third world country I am living in.
