We have ranted often about Samsung's confusing and slow software update policy. Things have certainly been looking up, especially with the latest update that rolled out to the Galaxy S7 and Galaxy S7 edge, but it seems that apart from major upgrades, Samsung isn't taking monthly security patch updates seriously either. The company has clearly said that the monthly security updates that Google mandated last year only go out to its flagships, but it's not making sure that every region gets every month's security patch on time and before the next month arrives.
Case in point: our Galaxy S7 edge here in the Netherlands is still sitting on the February 1 security patch. Meanwhile, over in Germany Samsung has pushed out two software updates since the launch of the device in the country. The Netherlands will probably get the latest update in the coming days and then be on the April 2nd security version like other devices, but that doesn't excuse the fact that devices in the region were left vulnerable to whatever exploits were discovered in the month of February.
To make sure it wasn't a bug in our firmware database, we went through Samsung's Smart Switch app and checked for an OTA, but there isn't any update available for Dutch users. This is the case in many regions, both with new and existing devices. Take India, for example. The Galaxy Note 5 and Galaxy S6 edge+ got their last Android 5.0 update in December in the country, and then directly skipped to Marshmallow three months later.
That's a lot of time between security patches, and considering the Indian models got Android 6.0 right on the day the Galaxy S7 and Galaxy S7 edge were made available in the country, it looks like Samsung deliberately put many users at risk. Well, in addition to keeping them from the latest and greatest that Android has to offer just so their latest flagships could see some sales.
Do these region-specific security updates have to do with the fact that the latest exploits only affect these regions? We doubt that is the case, and we have reached out to Samsung for an official comment on what looks like a huge oversight. We will update this post with a statement should we get one; in the meanwhile, let us know what Samsung flagship you are using and whether you have the latest Android security patch (you can check in the Settings » About device » Software update menu).
Update: Samsung has given us an official statement on the matter. It seems like the security updates are dependent on the region, but that still doesn't explain why markets like India, where carriers don't sell locked devices, don't get security updates for three months and why major updates are released right on the day of the newest flagship launch.
We can assure customers they are not in any risk. Customer security is our top security. The rollout of security updates varies both by market and according to individual carrier approvals. We are continuing to work closely with our carrier partners to bring security updates to our customers in the very near future
Update II
Responding to our inquiries, Samsung Netherlands now states that the Galaxy S7 and Galaxy S7 edge did in fact ship with the March security patches. Confusingly, it was only the information displayed by the devices that showed the February 1 security patch. While, for example, Samsung in Germany did push out an extra patch containing both the security update and the correct information, the Dutch phones were, so to speak, secretly up to date without displaying this. At this point, we can neither confirm nor deny whether this is correct.
Needless to say, Samsung does admit that the situation was confusing for Galaxy S7 users in the Netherlands. It is similar to how the company sometimes brings changes from a newer version of Android without changing the Android version number, and it is something that Samsung should really fix going forward.
