"...For a week, Apple said nothing about any of the reports. Then on Friday, it issued a statement that critics are characterizing as tone-deaf for its lack of sensitivity to human rights and an overfocus on minor points...."
Oh, please! “...lack of sensitivity to human rights...”? Apple fixed the problem and aided human rights in doing so. A lesser company would have bragged about that. So now Apple is accused of insensitivity because they didn’t brag about it? Give me a break!
"...For a week, Apple said nothing about any of the reports. Then on Friday, it issued a statement that critics are characterizing as tone-deaf for its lack of sensitivity to human rights and an overfocus on minor points...."
""I have a hard time with companies that are working very hard to engage in the market inside of China, and engaging in projects where intellectual property is shared with the Chinese, which is synonymous with sharing it with the Chinese military, and then don't want to work for the U.S. military," Dunford said on Nov. 17 at the Halifax International Security Forum in Canada."
"...For a week, Apple said nothing about any of the reports. Then on Friday, it issued a statement that critics are characterizing as tone-deaf for its lack of sensitivity to human rights and an overfocus on minor points...."
""I have a hard time with companies that are working very hard to engage in the market inside of China, and engaging in projects where intellectual property is shared with the Chinese, which is synonymous with sharing it with the Chinese military, and then don't want to work for the U.S. military," Dunford said on Nov. 17 at the Halifax International Security Forum in Canada."
Sundar Pichai's Google has ethics issues in China.
Good misdirection, don't acknowledge the Ars article and just do the Whadabout Shuffle instead.
Nothing about "Google helping China" other than a some person who read about a military meeting that made some indirect connection but decided it would make this cool article if he said was something malicious going on "well they work with A who does research for B who might also work with C who has China company connections so might actually be a Chinese agent in disguise? So Google must be deliberately helping the Chinese military.
TBH stretching so far to make a connection, any connection, and that's the best you can find is reassurance Google is NOT attempting to assist the military in ANY country much less China . In the second reference it's all because they were a co-founder of the of open-source foundation that some Chinese companies also belong to? To be honest the foundation has a pretty impressive list of members. RedHat? IBM? BroadCom? Rackspace and Nvidia, LSU, CalTech, University of Florida, SETI, University of Oxford, Clemson and more than a hundred others. I don't think they're all out to help the Chinese, do you?
Google isn't the one with an ethics problem in China.
This particular hack was extremely complex (please read the report), and worked on iOS only. No doubt the Chinese tried to attack an probably managed to attack Android as well, but there are no credible reports (that I have heard of).
The ethically correct choice on Google's Project Zero side would have been to publish what they were publishing - a very detailed and interesting walkthrough of the iPhone exploit - but preface it with "Android and Windows were targeted on the same sites, but we want to focus on the iOS exploit here because (bla)... "
Your point about GPZ clarifying their intent stands, but at the moment the information is that Android and Windows were NOT targeted by the same sites. Those OSes may have been targeted on different sites serving the same social population; right now we just don't know.
This particular hack was extremely complex (please read the report), and worked on iOS only. No doubt the Chinese tried to attack an probably managed to attack Android as well, but there are no credible reports (that I have heard of).
Chinese Govt: I am going to spend a few $M on an iOS exploit for this minority even though 90% of Chinese users are on Android. I am going to spend $0 on android.
How likely is that?
If indeed they spent nothing on Android then I'd be really worried as an Android user - it would mean they already own Android and know what's going on on those devices anyway. It would mean all Android devices are already hacked. As for Windows, open market prices for zero days are much lower than iOS so of course they'd do Windows on the side.
The ethically correct choice on Google's Project Zero side would have been to publish what they were publishing - a very detailed and interesting walkthrough of the iPhone exploit - but preface it with "Android and Windows were targeted on the same sites, but we want to focus on the iOS exploit here because (bla)... "
They needed to mention this. Otherwise, given the political nature and business impact of the message, they were lying by omission.
If they only wanted to report on the tech details, as is a valid choice for a GPZ blog, they needed to preface it with that sentence. Only a short mention.
GPZ isnt' required to explain every exploit, and there may be reasons to keep Android/Windows under wraps anyway, maybe not all is fixed, etc.
Or even worse, Android wasn't even targeted which would indicate a wide scale compromise of the entire Android platform in China. If you think about it not too unlikely given Google's contentious relationship with China, their lack of control over modifications made to Android, Chinese manufacturers having to submit to government demands, Chinese users not really caring very much about privacy (yet)... all these factors make an attack thinkable where Chinese government is deep into all Android update servers, Android second party stores, Android updates, etc, they could have a full global level exploit chain going on there. And GPZ would probably know about it but due to being unable to stop it, they wouldn't disclose it.
Whoops.
As I said in my post, I have no doubt the Chinese tried to, and likely succeeded to, hack Android as well. We just don't know, so we can't say what would have been "the right thing to do". Or can you link to such a credible report? Maybe Apple should invest in their own Project Zero?
Well to be honest the entire "Chinese" angle is pretty fishy. Maybe, maybe not. TechCrunch said "sources" said it was the Chinese. Then 1000 websites repeated that based on TC reporting (which in turn is based on unnamed "sources"). So who can really know?
That Apple is saying it was the Chinese gives it somewhat more credibility - but maybe they, too, just got it from TC. Or from an anonymous tipster. It's no better than gossiping housewives.
This is Spy stuff, and so people are going to misdirect.
As I said if Android wasn't targeted then that would make no sense except if all of Android is compromised anyway.
Common sense. Common sense is, in my experience, more accurate than "sources" in many cases. Because sources may have reasons to create misdirection. In this case, getting caught red-handed, whoever the guilty party is has all the reasons and likely also the means to plant a few red herrings.
So when you say "we just don't have credible information" - other than the iOS report from Ian Beer, there's no credible sources for anything anywhere.
I never claimed TechCrunch or Ian Beer was credible. But the original Project Zero report and Apple's (admittedly angled) response seems legit. Again, it is highly likely that Android was targeted as well - but we don't know . "Common sense" gave us flat Earth, Trump and Brexit.
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
[citation needed]
Not sure why you need a citation since this is well published fact that very few android phones are running the latest code base, by definition anything not running the latest code base has open exploits. Are you asking since you truly live in a rose color world and think Google/Android are nothing but perfect, or do just think people are making up stuff.
Just to be fair, here are all the exploits for iphones but if you read carefully, most all said they were fixed in various versions of the latest code or they exist on old code bases which are not longer in the use.
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
[citation needed]
Not sure why you need a citation since this is well published fact that very few android phones are running the latest code base, by definition anything not running the latest code base has open exploits.
To be clear those are not the fault of the OS. Google Android is likely close or equal to iOS WRT security today.
So both of the major mobile OSes are exceptionally secure.
A lot of OEM's have not pledged to offer security updates on a regular basis though which can be problematic even if so far it hasn't seemed to be much of an issue. In general all the horrid Android exploits breathlessly announced here over the years as "unfixable, billions at risk!" have failed to blossom.
Fortunately Google's pressure on OEM's to be more proactive with rolling out those monthly Google Android security updates is finally making inroads with Samsung, Nokia, Moto, One Plus and others being pretty darn good about it now. It can only improve right?
As it well should.
Dodging bullets isn't the way to run a company when the shield is right in front of the OEM's, they only have to pick it up. .
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
[citation needed]
Not sure why you need a citation since this is well published fact that very few android phones are running the latest code base, by definition anything not running the latest code base has open exploits. Are you asking since you truly live in a rose color world and think Google/Android are nothing but perfect, or do just think people are making up stuff.
Just to be fair, here are all the exploits for iphones but if you read carefully, most all said they were fixed in various versions of the latest code or they exist on old code bases which are not longer in the use.
I was referring to this: "This makes Android the least secure operating system on the market today", closely followed by "most devices do not receive updates to fix the most extreme security updates" Just spitting out a CVE list does not make those statements true. I do not have any rose colored glasses, as I tend not make such blanket statements.
The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.
There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
Yeah! Google really blew there credibility by not mentioning that Android had the same exploit.
Except that it didn't.
This particular hack was extremely complex (please read the report), and worked on iOS only. No doubt the Chinese tried to attack an probably managed to attack Android as well, but there are no credible reports (that I have heard of).
https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ Highlights how Android AND Gmail tracking code was all over the same websites Prōject Zero had notified Apple about. It Is incomprehensible that Google would have notified Apple about the iOS exploits and not found these obvious Android and Gmail exploits. For Google to overstate the iOS problem and completely whitewash any threat to Android and Gmail users is, in my view, criminal. Google’s denial in September of any knowledge of any attack on Android appears more of a lie when Volexity states “In mid-August, Volexity identified new malicious code on the websites of the Uyghur Academy, Turkistan Press, Turkistan TV, and Istiqlal Haber.” This was code particularly targeting Android and Gmail. I like a lot of how Google has expanded our access to knowledge, but in this instance, they stink, and they stink real bad!
The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.
There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
Yeah! Google really blew there credibility by not mentioning that Android had the same exploit.
Except that it didn't.
This particular hack was extremely complex (please read the report), and worked on iOS only. No doubt the Chinese tried to attack an probably managed to attack Android as well, but there are no credible reports (that I have heard of).
That's not at all what the article states. Read it again. The Gmail "exploits" are not exploits at all but phishing expeditions, and there no evidence of any successful "Android exploits" on any of those 11 sites which is a great reason for Project Zero not to say there were. TBH it might have looked worse for Apple had they mentioned the unsuccessful attempt to compromise Android at one site. BTW, wouldn't that tend to disprove Google was trying to embarrass Apple as they did not mention it, nor did Apple for that matter?
Your link discusses both old (2018/early 2019) and new compromised sites found roughly three weeks ago and the new ones primarily depending on users being phished, not necessarily exploits tho at least one of those was involved might have experienced an attempt even if unsuccessfully as it tried to use a Google Chrome exploit already closed in 2017 with the v.60 update. The link is right there in the article.
"Android Mobile Users Targeted
In mid-August (2019), Volexity identified new malicious code on the websites of the Uyghur Academy, Turkistan Press, Turkistan TV, and Istiqlal Haber...
The sample analyzed by Volexity does not appear to have any means of persisting on the system that it’s running on, nor does it appear to accept further commands...
Volexity has identified similarities to but has not yet verified that the exploit being employed in this attack is the Chrome Turbofan remote code execution vulnerability that was reported via the SecuriTeam Secure Disclosure program and is covered in an advisory here."
At the end of the day no OS is 100% secure, but both iOS and Google Android are very, very secure nonetheless.
Chinese Government loading spy apps into Tourist phones. Why even go to the trouble of malware and exploits!
Well that would complete the circle for them. Access to any Apple devices connecting within China (The servers used by Apple are under Chinese control and not Apple and the carriers also storing location and use detail within those same servers) and combine that with installing software intended to identify Muslim sympathizers if not more on any Android phones carried by visitors into their country. That would render nearly every mobile device used within that country at least partially accessible to Chinese authorities "for lawful purposes".
China has been especially problematic for both iOS and Android security and extends to even hacking the telecom services in other countries frequently traveled by targeted groups such as the Uighur's.
The advice for years has been to carry burner phones when visiting either China or Russia. This is one of the reasons as regular travelers already knew. For that matter some high-profile folks are advised to do the same even travelling to the US as there's rumors of some phones here being subject to compromise at the border.
I'm sure China is an amazing country to visit, deserves to be on a lot of bucket lists. Just leave your regular laptop and smartphone at home, tho a properly configured Chromebook is reportedly considered more secure than just about any other option if you must carry a computer.
FunFact: The two most insecure and exploitable Apple services are reported to be Safari and iMessage.
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
[citation needed]
Not sure why you need a citation since this is well published fact that very few android phones are running the latest code base, by definition anything not running the latest code base has open exploits.
To be clear those are not the fault of the OS. Google Android is likely close or equal to iOS WRT security today.
So both of the major mobile OSes are exceptionally secure.
A lot of OEM's have not pledged to offer security updates on a regular basis though which can be problematic even if so far it hasn't seemed to be much of an issue. In general all the horrid Android exploits breathlessly announced here over the years as "unfixable, billions at risk!" have failed to blossom.
Fortunately Google's pressure on OEM's to be more proactive with rolling out those monthly Google Android security updates is finally making inroads with Samsung, Nokia, Moto, One Plus and others being pretty darn good about it now. It can only improve right?
As it well should.
Dodging bullets isn't the way to run a company when the shield is right in front of the OEM's, they only have to pick it up. .
Lets be clear here, Yes Google has been trying to get OEM's to use the latest code base and update existing hardware. However, most times OEM's can not update their code since it will break the phones due to any numbers of reasons. The main reason is the fact Google code updates are not compatible with the OEM;s stack and silicon and hardware choices. This is major issue and google can not do anything fix this since they have been unwilling to make sure their code works with the multitude of hardware combination and choices that OEM are using and Google was been unsuccess to get anyone to use their reference design (thus the reason the make their own phone).
Apple made this very clear in the iPhone 11 and iOS 13 announcement yesterday, they came right out and said they control the silicon, hardware, software and service and ensure there is 100% compatibility which does not require developers to do a things to ensure security of the phone and user data. Google can not say this and you can not claim all Android based hardware in the market is secure. We know if an Apple product was hacked we would all hear about it, the same is not true for Andriod things happen and no one screams about it since they learned to except less since they got it for free most times.
There is a second level of complexity around this, which is the Cellular providers. Most all require any new code on a phone be approved by them before it can be updated on the phone. This process is long and involved and if they find any issue they tell the OEM to try again. The Cellular companies will not let any phone on their next work without some level of approval before it gets pushed out since they do not want customers coming to them if there is a problem. 10 years ago Apple was smart enough and held to their gun and did not want any provider involved in the approval of Apple code on the phones (this was one of the reason Verizon refuses to do a deal with Apple at first they want control over the code updates and release). Apple support their own phones and owns any problems due to phone and provider has not say so in Apple products.
For these reasons there is lots of phone which are not running the latest code and Google can not claim nor can you that the phones running android do not pose any risk. Your statement about the OEM's doing a better job is not accurate Google own data back this up with only 10% of the install base being on the latest version 90% of the install base have a version with known issue or worse, the list of exploits are for the Android code base it does not address the modify code base of the OEM's
Google does not get to point fingers when it comes to security. Its own Android operating system rarely gets updated on most devices even to fix the most extreme security issues. When it does get updates they often reach users many months after they were initially released. This makes Google Android the least secure operating system on the market today.
[citation needed]
Not sure why you need a citation since this is well published fact that very few android phones are running the latest code base, by definition anything not running the latest code base has open exploits.
To be clear those are not the fault of the OS. Google Android is likely close or equal to iOS WRT security today.
So both of the major mobile OSes are exceptionally secure.
A lot of OEM's have not pledged to offer security updates on a regular basis though which can be problematic even if so far it hasn't seemed to be much of an issue. In general all the horrid Android exploits breathlessly announced here over the years as "unfixable, billions at risk!" have failed to blossom.
Fortunately Google's pressure on OEM's to be more proactive with rolling out those monthly Google Android security updates is finally making inroads with Samsung, Nokia, Moto, One Plus and others being pretty darn good about it now. It can only improve right?
As it well should.
Dodging bullets isn't the way to run a company when the shield is right in front of the OEM's, they only have to pick it up. .
Lets be clear here, Yes Google has been trying to get OEM's to use the latest code base and update existing hardware. However, most times OEM's can not update their code since it will break the phones due to any numbers of reasons.
You're confusing full OS version updates with monthly security updates and patches. The requirements to deliver security updates is contractual, the largest falling under those revised Google OEM terms as of last January while all the others who manage to activate at least 100K devices are obligated as of January this year. Yes that leaves the smallest of the small OEM's currently exempt tho they'd be smart to do it anyway at least from a marketing perspective.
Security updates are separately delivered and are not bound to the most recent OS version. You appear not to be aware of that.
haha, even apple itself also creating false statement. Dont ever feel your phone is water resistance. even though phone never fell into the pool or sink, and is still working, doesnt mean your phone went through the test paper inside the phone.
Comments
""I have a hard time with companies that are working very hard to engage in the market inside of China, and engaging in projects where intellectual property is shared with the Chinese, which is synonymous with sharing it with the Chinese military, and then don't want to work for the U.S. military," Dunford said on Nov. 17 at the Halifax International Security Forum in Canada."
https://theintercept.com/2019/07/11/china-surveillance-google-ibm-semptian/
Sundar Pichai's Google has ethics issues in China.
Nothing about "Google helping China" other than a some person who read about a military meeting that made some indirect connection but decided it would make this cool article if he said was something malicious going on "well they work with A who does research for B who might also work with C who has China company connections so might actually be a Chinese agent in disguise? So Google must be deliberately helping the Chinese military.
TBH stretching so far to make a connection, any connection, and that's the best you can find is reassurance Google is NOT attempting to assist the military in ANY country much less China
.
In the second reference it's all because they were a co-founder of the of open-source foundation that some Chinese companies also belong to? To be honest the foundation has a pretty impressive list of members. RedHat? IBM? BroadCom? Rackspace and Nvidia, LSU, CalTech, University of Florida, SETI, University of Oxford, Clemson and more than a hundred others. I don't think they're all out to help the Chinese, do you?
Google isn't the one with an ethics problem in China.
Or can you link to such a credible report?
Maybe Apple should invest in their own Project Zero?
Again, it is highly likely that Android was targeted as well - but we don't know .
"Common sense" gave us flat Earth, Trump and Brexit.
https://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/
and if you do not like third party data here is Google's own data
https://developer.android.com/about/dashboards/
Most Android phone are not up to date with the latest code base
Here is the list of exploits which can affect all those older code bases
https://www.cvedetails.com/vulnerability-list.php?vendor_id=1224&product_id=19997&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=2250&sha=1bd76566e804bd0baf4aa6ef43598ed24565b5b6
Just to be fair, here are all the exploits for iphones but if you read carefully, most all said they were fixed in various versions of the latest code or they exist on old code bases which are not longer in the use.
https://www.cvedetails.com/vulnerability-list.php?vendor_id=49&product_id=15556&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=1654&sha=1efc6556e916c71709f3dc8581fc744a48152068
Apple's installed base 90%+ are on IOS 12 unlike Android.
https://mixpanel.com/trends/#report/ios_12/from_date:-162,report_unit:day,to_date:0
So both of the major mobile OSes are exceptionally secure.
A lot of OEM's have not pledged to offer security updates on a regular basis though which can be problematic even if so far it hasn't seemed to be much of an issue. In general all the horrid Android exploits breathlessly announced here over the years as "unfixable, billions at risk!" have failed to blossom. Fortunately Google's pressure on OEM's to be more proactive with rolling out those monthly Google Android security updates is finally making inroads with Samsung, Nokia, Moto, One Plus and others being pretty darn good about it now. It can only improve right? As it well should.
Dodging bullets isn't the way to run a company when the shield is right in front of the OEM's, they only have to pick it up. .
Just spitting out a CVE list does not make those statements true.
I do not have any rose colored glasses, as I tend not make such blanket statements.
Your link discusses both old (2018/early 2019) and new compromised sites found roughly three weeks ago and the new ones primarily depending on users being phished, not necessarily exploits tho at least one of those was involved might have experienced an attempt even if unsuccessfully as it tried to use a Google Chrome exploit already closed in 2017 with the v.60 update. The link is right there in the article.
"Android Mobile Users Targeted
In mid-August (2019), Volexity identified new malicious code on the websites of the Uyghur Academy, Turkistan Press, Turkistan TV, and Istiqlal Haber...
The sample analyzed by Volexity does not appear to have any means of persisting on the system that it’s running on, nor does it appear to accept further commands...
Volexity has identified similarities to but has not yet verified that the exploit being employed in this attack is the Chrome Turbofan remote code execution vulnerability that was reported via the SecuriTeam Secure Disclosure program and is covered in an advisory here."
At the end of the day no OS is 100% secure, but both iOS and Google Android are very, very secure nonetheless.
https://www.forbes.com/sites/zakdoffman/2019/07/02/chinas-latest-xinjiang-spying-smartphone-app-targets-tourists-instead-of-locals/#5eafd3412f90
Chinese Government loading spy apps into Tourist phones. Why even go to the trouble of malware and exploits!
China has been especially problematic for both iOS and Android security and extends to even hacking the telecom services in other countries frequently traveled by targeted groups such as the Uighur's.
The advice for years has been to carry burner phones when visiting either China or Russia. This is one of the reasons as regular travelers already knew. For that matter some high-profile folks are advised to do the same even travelling to the US as there's rumors of some phones here being subject to compromise at the border.
I'm sure China is an amazing country to visit, deserves to be on a lot of bucket lists. Just leave your regular laptop and smartphone at home, tho a properly configured Chromebook is reportedly considered more secure than just about any other option if you must carry a computer.
FunFact: The two most insecure and exploitable Apple services are reported to be Safari and iMessage.
Apple made this very clear in the iPhone 11 and iOS 13 announcement yesterday, they came right out and said they control the silicon, hardware, software and service and ensure there is 100% compatibility which does not require developers to do a things to ensure security of the phone and user data. Google can not say this and you can not claim all Android based hardware in the market is secure. We know if an Apple product was hacked we would all hear about it, the same is not true for Andriod things happen and no one screams about it since they learned to except less since they got it for free most times.
There is a second level of complexity around this, which is the Cellular providers. Most all require any new code on a phone be approved by them before it can be updated on the phone. This process is long and involved and if they find any issue they tell the OEM to try again. The Cellular companies will not let any phone on their next work without some level of approval before it gets pushed out since they do not want customers coming to them if there is a problem. 10 years ago Apple was smart enough and held to their gun and did not want any provider involved in the approval of Apple code on the phones (this was one of the reason Verizon refuses to do a deal with Apple at first they want control over the code updates and release). Apple support their own phones and owns any problems due to phone and provider has not say so in Apple products.
For these reasons there is lots of phone which are not running the latest code and Google can not claim nor can you that the phones running android do not pose any risk. Your statement about the OEM's doing a better job is not accurate Google own data back this up with only 10% of the install base being on the latest version 90% of the install base have a version with known issue or worse, the list of exploits are for the Android code base it does not address the modify code base of the OEM's
Security updates are separately delivered and are not bound to the most recent OS version. You appear not to be aware of that.