The Factory images and OTA ZIPs for July 2016 are now available for the full line of supported Nexus hardware (still waiting for the Pixel C). They're a little behind schedule this month, possibly because it was Independence Day in the United States on Monday, or possibly to leave time for some late-breaking security patches that may have been added in the eleventh hour. The Android Security Bulletin covers the list of vulnerabilities addressed with this set of updates, and for the first time it includes two separate lists: one dated July 1st and the other dated July 5th.

No devices have fallen off the official support list this month, but it's probably the end of the road for the 2013 Nexus 7. It has been three years since the second generation Nexus 7 was released, and as per the end-of-life schedule for Nexus devices, Google has fulfilled its commitment to security OTAs. The Nexus 10 fell off the list a couple of months ago, surviving a few months beyond the three-year mark because it was still sold in the Play Store all the way until October 2014, after which it was promised 18 more months. The 2013 Nexus 7 was removed at the same time. Google may choose to continue releasing updates, but it is purely optional from this point on.

  • Pixel C – (not yet updated)
  • Nexus 6P – MTC19X
  • Nexus 5X – MTC19Z
  • Nexus 6 – MMB30K and MOB30O
  • Nexus Player – MOB30P
  • Nexus 9 LTE – MOB30P
  • Nexus 9 Wi-Fi – MOB30P
  • Nexus 5 – MOB30P
  • Nexus 7 2013 Wi-Fi – MOB30P
  • Nexus 7 2013 3G – MOB30P

The standard list of security patches, dated July 1st, includes fixes for 2 critical issues, 11 high severity issues, and 9 moderate issues. Most of these are centered around potential targets in either some of the communications libraries (e.g. OpenSSL and Bluetooth) or the media libraries (e.g. Mediaserver and libpng). The second list is dated July 5th and includes 7 critical issues, 18 high severity issues, and 7 moderate issues. The thing that makes this list unusual is that it's made up entirely of device specific issues related to drivers for just about every proprietary binary package that goes into any Nexus. This includes drivers for Wi-Fi, GPU, USB, camera, and more from Qualcomm, MediaTek, and NVIDIA. In all likelihood, there was probably a vulnerability in the code for the driver model that was used in all of these proprietary binaries. To fix it, each would have to be rebuilt and a new version distributed. If you're a ROM developer, be sure to grab the latest Nexus binaries.

The downloadable factory images and OTA ZIPs are available at the pages linked below. Once Google pushes the source code to AOSP, we'll also post the developer changelog for this round of patches. Note, the details of the driver changes are likely to remain confidential and will not appear in AOSP.

UPDATE: 2016/07/11 2:50pm PDT BY

Add the Pixel C to the list - its July security update factory and OTA images are now available, build MXC89K. Just use the links below to find them.

Source: Google Nexus factory images, Google Nexus OTA ZIPs, Binaries for Nexus Devices, July 2016 Android Security Bulletin