Wednesday, 04 September 2019

Google can’t fix the Android update problem - The Verge

Android 10 is official and as of this writing it’s only available on a very small number of phones: Pixels and a few others. I’ll have a review up later today, but here’s a quick preview: it’s good, does a better job of protecting your privacy, but none of that matters if you can’t get a phone that runs it.

It’s difficult to maintain a sense of outrage over Android’s atrocious track record of providing upgrades to users year after year. We’re at the tenth version, after all, and the story on upgrades is the same today as it was a decade ago: first-party Google devices get updated quickly, everything else takes months or doesn’t get updated at all.

It’s not entirely fair to say nothing’s changed, though. Google has strong-armed manufacturers and carriers into letting it push critical security patches out more quickly. And starting with Android 10, a new initiative called “Project Mainline” will mean some of the plumbing inside Android can be updated directly via the Play Store.

That’s all important, but it’s not what people want. They want the big updates. Yet the Android ecosystem seems designed to keep major OS updates from getting prepped and delivered to users. That’s because it is. And since this situation hasn’t changed in a decade, there’s an incontrovertible conclusion to draw:

Google can’t fix it. No one can.

The state of Android updates is still dire

Take the recent report from Counterpoint Research, which points out that Nokia is far and away the best manufacturer when it comes to issuing major OS updates (after Google and Essential, both of which have far fewer devices to support). It includes this revealing chart, which plots out the percentage of a company’s “portfolio” adoption of Android 9 Pie in the year since it’s been released.

The thing that jumps out at you in this chart is how far ahead Nokia is! But this is actually a chart about failure. Here, let me highlight the most important quadrants:

Six months after release, only one manufacturer managed to get half of its portfolio updated, and only two managed over a quarter. A full year after release, only three managed to break the 50 percent mark! And the two most important and largest manufacturers — Samsung and Huawei — ended up at around 30 and 40 percent, respectively.

The lion’s share of phones sold during that period were running the latest version, but very few existing phones were upgraded to 9. There’s a more traditional metric for measuring the install base of Android we can look at, too, and the numbers are equally bleak. That would be Android’s own distribution chart:

Android Distribution, May 2019

As of May, Android 9 Pie had just barely managed to crack 10 percent. That’s much better than in years past, but still awful.

Google can’t fix it

This is all a result of how the Android ecosystem works.

There’s an open-source group, Android, that nominally is separate from Google and has all the major players participating in it. They’re all free to take the core of Android and do with it what they will (within reason). Some of them apply minor customizations that are easy to move from version to version, some do stuff that’s much harder. Sometimes (often), there is diminishing value for a manufacturer to go through all that effort, especially on older phones. And on top of all that, carriers usually want to verify all those updates won’t mess with their networks, slowing the process down further.

That’s the simple version of why Android updates take forever. The slightly more complicated version is that when I wrote that Android is “nominally” separate from Google, what I really meant was “Google controls Android.” It applies vastly more resources to developing it and chooses what features will be included in every version. It also controls — or at the very least can apply serious pressure on — the entire Android ecosystem because it operates the Play Store and makes the most popular Android apps (Chrome, Gmail, and the like).

In other words, Google has two levers it can pull to try to get Android updates pushed out into this fragmented ecosystem more quickly. There’s a technical lever and a policy lever.

Let’s start with the technical lever, which Google has been pulling very hard on. I’ve already mentioned Project Mainline and monthly security patches, but the more important piece is Project Treble. Treble kicked off in 2017 as a multiyear effort to change how Android is built — to make it more modular, basically, so that it would be easier for manufacturers to build stuff on top of it.

From a technical standpoint, Treble counts as pressure. Google is dictating how manufacturers use Android on their own phones, potentially limiting what customizations they’re able to make in the name of getting updates out more quickly.

It’s been two years, though, and you’d like to think we’d be seeing more dramatic effects from Treble. And it is true that more companies are doing a better job of creating those updates. I would also note that more of them are participating in Android betas. But Android moves slowly — and Treble isn’t a magic fix. It’s possible that Google could just change Android so that it has sole control of pushing out updates, but that seems really unlikely.

What I mean by the “policy” lever is the mix of prodding, cajoling, encouragement, shame, and begging that constitutes Google’s attempts to keep the Android ecosystem in line. It has helped, but as with the technical lever there’s only so much Google can do here.

I could imagine a world where Google required phones that have the Google Play Store and Google Apps to update their phones in a timely manner. Google has used that cudgel before for various other ends, and that didn’t go well. It’s gotten the company into hot water with the European Union and forced it to create a browser ballot and unbundle apps.

This is just how it is, until it isn’t

The “nuclear” option for Google is to just jam either of those levers all the way to the max. I don’t see that happening. It’s not (just) that Google is too timid, it’s that doing so could actually cause more fragmentation. The stricter and more strident Google becomes with Android and its Play Store policies, the more likely certain companies are to simply say “forget this” and fork Android, like what Amazon does with its Fire tablets. That would be a disaster for Google.

It didn’t have to be this way. Microsoft, for example, created an ecosystem of multiple manufacturers, yet nevertheless had a firmer hand when it came to updates for Windows Phone. Then again, it’s possible that was a tiny part of why it failed — manufacturers were much more incentivized to make Android phones because they could do more to differentiate (or monetize) their own phones.

Even Google itself has managed to fix this issue, albeit in situations with much lower stakes. Wear OS, Chrome OS, and the platform that runs Google’s smart speakers all get updates directly from Google. Parts of Android, such as Android Auto, can’t be altered by manufacturers and get updated through the Play Store. Android itself, though, was set up wrong from the start.

Some Googlers are probably not super angry about all this, as it gives Pixel phones a strong advantage over every other phone. But I wouldn’t go so far as to say that Google as a whole is happy about how Android updates work. I just don’t think that the company believes it can push either of those levers much further.

Then again, Google has very tentatively gone around some carriers to just implement RCS messaging on its own. Maybe there are creative ways to mix policy and code to fix this — but I can’t think of any, and I doubt all of the geniuses at Google can either. If they could, I think they would have by now, and we’d all be updating our phones to Android 10 today.

Oh well, there’s always Fuchsia to look forward to, maybe it will get updates.


More from The Verge

+ IFA 2019: the top announcements to expect from Europe’s biggest tech show

+ Huawei confirms Mate 30 will land on September 19th

There’s a real juxtaposition between Android 10’s release and Huawei’s confirmation that it’s going to continue to ship Android phones without knowing the details of what software it will be allowed to use. I don’t think enough people are aware of just how big a shake-up we are headed for if nothing changes.

+ Samsung Galaxy Note 10 review: smaller phone, bigger expectations

Well, I bet you Samsung is very aware. Dan Seifert reviews the smaller Galaxy Note 10. I also have been using this for the past week or so and I agree with everything Dan says here. It’s really not an upgrade over the Galaxy S10 unless you want that stylus. It’s great, but so is saving a few hundred dollars!

+ I’d avoid the first generation of this: Samsung’s cheaper, thinner, and “square” foldable reportedly coming next year

+ Sources say China used iPhone hacks to target Uighur Muslims | TechCrunch

That huge iPhone vulnerability we talked about last week was apparently targeting a specific group — and really you should not be breathing a sigh of relief. Instead, be even more chilled about the larger story of surveillance and oppression here. And if you use Android, well, that was targeted, too.

+ The frighteningly simple technique that hijacked Jack Dorsey’s Twitter account

We had some lols about Dorsey’s Twitter hack last week, but stop laughing and start checking your own security. Add a PIN to your phone number today. Also use 2FA. Also use a password manager so you don’t ever reuse passwords. Also, yeah, security is a pain, but it’s worth it. I usually set aside one Saturday every few months to just sit down, binge Netflix, and go through the section of 1Password that suggests password changes and watches for hacks.

+ Dani Deahl talks to the producers of “Despacito” about how they use samples to create global hits. Watch it!

+ The man responsible for the BMW i8 is taking over as CEO of Faraday Future

Reading Sean O’Kane’s brief history of Faraday Future’s follies, I am shocked that anybody would sign on to be the CEO.



https://www.theverge.com/2019/9/4/20847758/google-android-update-problem-pie-q-treble-mainline

2019-09-04 11:00:00Z

Probably faked document claims to reveal iOS 13 software rollout plan and the names of the iPhone 11 - 9to5Mac

A PDF document is circulating that claims to reveal the ‘Apple Software Development Resource’ guide, which supposedly includes details for internal employees and contractors about Apple’s plans for rolling out iOS 13 …


Conveniently, the PDF states that Apple will release iOS 13 for all current devices on September 23rd, and it would apparently be the exact same build developers were seeded as iOS 13 beta 8. The iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max would ship with iOS 13.0. The iPadOS update would purportedly come out on the same date. macOS Catalina would become available later, although a date is not given.

It says iOS 13.1 and iPadOS 13.1 would be released in October, alongside some new iPad models. It claims that four new watches matching model numbers previously identified by the Eurasian Economic Commission will be announced at the event next week.

The details of the file were first shared by an ‘AppleBeta2019’ Twitter account. However, we believe the document is a fake and forgery. There are a lot of inconsistencies. Official Apple documentation always refers to the ‘developer program’, but this file repeatedly mentions the ‘development program’. It regularly switches between referring to the final product names of devices, like iPhone 11 and iPhone 11 Pro, and their corresponding model numbers. It also uses odd contractions like ‘iPodT’ instead of iPod touch.

It seems very unlikely that anyone creating such a document would be aware of marketing names and include said branding in the document, whose only purpose is to mention the software rollout plans. Moreover, files intended for the eyes of retail stores often include watermarking and fingerprinting techniques to help Apple detect leaks, yet this PDF seemingly lacks any such identifying markers. We also find it hard to believe that Apple will not release another beta seed of iOS 13.1, as this document claims that build 17A5821e is being released to the public in October. This is equivalent to the build iOS 13.1 beta 1, which the wider community universally agrees is very buggy and not ready to be released to the world.

All in all, we don’t put much stock in this supposed leak. However, it has received a lot of traction overnight with a lot of media coverage. We wanted to share our alternative perspective on the matter.

Apple will officially announce the iPhone 11 and iPhone 11 Pro lineup, new Apple Watch finishes, and maybe some other stuff at its media press event on September 10. Stay tuned to 9to5Mac for all the news.



https://9to5mac.com/2019/09/04/apple-ios-13-iphone-11-iphone-11-pro-launch-leak/

2019-09-04 07:35:00Z

Google Drive for Android adds manual dark theme setting - 9to5Google

Google Drive for Android’s dark theme began appearing for some users with the Material Theme redesign in April. Thanks to a new theme setting, it’s now more widely available for users not running Android 10.

In Settings, there is a new “Choose theme” menu that presents the three standard options for Android apps: Dark, Light, and Set by Battery Saver. It’s set to the latter by default, but users now have the ability to manually enable the darker look.

The Google Drive dark theme is quite straightforward and switches the stark white background to a deep gray. Lighter shades are used for the search field, while the bottom bar retains its transparency. A softer blue accent color is also used throughout, with icons for file types getting the same lighter treatment. The “Home” feed is still quite bright due to document previews.

The standalone Android clients for Google Docs, Sheets, and Slides have yet to be updated with a dark theme at this point, and only gained their Material Theme revamps last month. Hopefully, a darker look is in the works and that it won’t take four months.

Google Drive’s dark theme setting has been slowly rolling out over the past several weeks. It should be widely available with version 2.19.332.01.40 or later, and comes following Android 10’s launch on Pixel devices yesterday.


Thanks Encestral Z 




https://9to5google.com/2019/09/04/google-drive-dark-theme-setting/

2019-09-04 07:27:00Z

Logitech MX Master 3 Wireless Mouse Review: Reinventing the Wheel Successfully - Tom's Hardware


  1. Logitech MX Master 3 Wireless Mouse Review: Reinventing the Wheel Successfully  Tom's Hardware
  2. Logitech’s new MX Master 3 employs magnets for a better scroll  Engadget
  3. Logitech’s MX Master 3 makes the best mouse even better  Circuit Breaker
  4. This New Logitech Mouse Has a Magnetic Wheel That Feels Like Magic  Gizmodo
  5. Hands-on with Logitech’s new MX Master 3 and Keys: Premium upgrades to a beloved device  9to5Mac

https://www.tomshardware.com/reviews/logitech-mx-master-3-wireless-mouse,6311.html

2019-09-04 07:03:47Z

Android 10 update stuck on the boot screen? You're not alone - Android Central

Google rolled out the stable version of Android 10, and the update is now available for the Pixels. There's a lot to like, including a system-wide dark theme, Smart Reply, granular location-sharing controls, a new gesture navigation system, and so much more.

With the stable OTA now available, Pixels owners around the world are downloading the update. But as is often the case with these things, it looks like several users are seeing lengthy install times with phones stuck on the boot screen with the Google logo.

As reported on Google's product forums, the Android 10 installation seems to be stuck at the boot screen for anywhere between 30 minutes and six hours. It doesn't seem to be limited to one device either, with users on the first-gen Pixel, Pixel 2, Pixel 3, and the Pixel 3a reporting issues with the install.

If you're facing a similar issue on your Pixel and are unwilling to wait, there are a few things you can do. You can manually sideload Android 10 by following these instructions, or revert to Pie to try the Android 10 OTA update again. To do so, you'll have to boot into recovery mode by pressing down on the power button and volume down keys simultaneously. Once you're in the recovery mode, navigate to Reboot system now by using the volume up/down keys, and hit the power button to reboot your phone.

If that doesn't work or you're unable to go into recovery mode, force a reboot multiple times by pressing down on the power button, following which you should be able to boot back into Android 9 Pie. Try installing the update a second time to see if it goes through.

I installed the update on my Pixel 2 XL, Pixel 3 XL, and 3a XL, and while it took slightly longer on the Pixel 2 XL (about 10 minutes at the boot screen), I didn't run into any issues. I'd recommend waiting at least a half hour at the boot screen for the install to finish before trying a force reboot.

Did you run into any issues when installing the Android 10 update? Let me know in the comments below.



https://www.androidcentral.com/android-10-update-stuck-boot-screen-youre-not-alone

2019-09-04 05:39:24Z

Tuesday, 03 September 2019

Enjoy the holiday weekend America? Well-rested? Good. Supermicro server boards can be remotely hijacked - The Register

Virtual USB hub allows attackers to get into BMCs

Tens of thousands of servers around the world are believed to be hosting a vulnerability that would allow an attacker to remotely commandeer them.

The team at Eclypsium says it has discovered a set of flaws it refers to as USBAnywhere that, when exploited, would potentially allow an attacker to take over the baseboard management controller (BMC) for three different models of server boards: the X9, X10, and X11.

BMCs are designed to be a sort of always-on remotely accessible "computer within the computer" that allow admins to connect to a server over the network and perform critical maintenance tasks, like updating the OS or firmware.

Ideally, BMCs are locked down within the network in order to prevent access by anyone outside of the company. In some cases, larger companies even opt to use their own BMC firmware that is fine-tuned for their datacenters and applications.

In a few cases, however, those BMCs are left open to the internet and can be managed over a web interface - usually very easily since they aren't typically designed with security in mind. Here is where the vulnerabilities discovered by SuperMicro come in.

The target of the attack is the virtual media application that Supermicro uses for its BMC management console. This application allows admins to remotely mount images as USB devices, a useful tool to manage servers but also a security liability.

"This means attackers can attack the server in the same way as if they had physical access to a USB port, such as loading a new operating system image or using a keyboard and mouse to modify the server, implant malware, or even disable the device entirely," Eclypsium said.

"The combination of easy access and straightforward attack avenues can allow unsophisticated attackers to remotely attack some of an organization’s most valuable assets." The team found four different flaws within the virtual media service (on TCP port 623) of the BMC's web control interface.

They included the use of plaintext authentication and unauthenticated network traffic, as well as weak encryption and an authentication bypass flaw in the X10 and X11 platforms that allows new clients on the virtual media service to run with the old client's permissions.


According to Eclypsium, the easiest way to attack the virtual media flaws is to find a server with the default login or brute-force an easily guessed login. In other cases, the flaws would have to be targeted.

"If a valid administrator had used virtual media since the BMC was last powered off, the authentication bypass vulnerability would allow an attacker to connect even without the proper username and password," the report explains.

"Given that BMCs are intended to be always available, it is particularly rare for a BMC to be powered off or reset. As a result, the authentication bypass vulnerability is likely to be applicable unless the server has been physically unplugged or the building loses power."

What's worse, Eclypsium believes that tens of thousands of servers contain this vulnerability and are open to the internet. A quick Shodan search on port 623 turned up 47,339 different BMCs around the world.

Fortunately, there is a fix out. Eclypsium said it has already contacted Supermicro and the vendor has released an update to fix the vulnerabilities. Organizations are advised to contact their server vendor and make sure they are running the latest version of the BMC firmware. ®



https://www.theregister.co.uk/2019/09/03/supermicro_server_flaw/

2019-09-03 10:00:00Z