This story was originally published and last updated .
Dealing with regions, staged rollouts, dates, and more
Ranking devices by their record with security updates turned out to be a bit difficult. There are many variables to consider, including different rollout dates for different countries, delays with carrier models compared to their unlocked equivalents (though Samsung and other OEMs sometimes update their unlocked devices later), and availability of first-hand information.
While some companies make public announcements the day an update starts to roll out — for example, OnePlus publishes a forum post for each update — most do not. That means we have rely on user reports from social media (Twitter, Reddit, etc.) and independent news coverage to find dates for releases. Most of our data about the Sony Xperia 1 came from XperiaBlog, for instance.
With those factors in mind, we decided to narrow the scope of this article and set reasonable guidelines.
First, we trimmed our data to focus on rollout dates for devices in the United States. Most Android phone manufacturers have different update schedules for different regions, but because most of our readership is based in the US, using data about how quickly Motorola released an update to a phone in Brazil wouldn't be helpful. In some instances, the reports didn't specify what region the rollout occurred in (especially with information posted to Reddit/Twitter), but if we found evidence that the US release occurred on a different date, we looked for data elsewhere.
Second, we're tracking rollout dates for the carrier-unlocked variants of each phone, except where otherwise specified. We're well aware that most people in the United States buy their phones directly from a carrier, but taking into account the independent delays that each carrier adds to the update process would have made the data less concise and helpful.
Third, the starting date for each patch is when Google published the Android Security Bulletin. Near the start of each month, Google releases a public page about the fixes included in that month's security update. The publishing date of the bulletin is the baseline date we use to calculate the delay for each device. Google usually provides code for security updates to OEMs a while before the page goes live, but considering the publish date is when the general public becomes aware of the patched bugs, it's a good place to start.
Fourth, the data we've collected for each device starts in January 2019, or when the phone was released (whichever comes last). For example, even though the Pixel 3 was released in late 2018, we're only looking at updates released since January 2019. We're also not penalizing skipped months if the phone wasn't released yet in that month.
Finally, we're only looking at the flagship devices of each major phone manufacturer that releases phones in the US. We're well aware that Xiaomi, Oppo, and other companies exist, but including phones from every major global phone maker is simply too much for us to keep track of at this time.
All that is to say there is a little bit of wiggle room in our results. It's possible the Twitter report of an update was posted a few days after the actual rollout began, or the vast majority of phone owners received a certain update much later because the rollout was paused.