Share your experience!
Bought a Xperia XA2 this year. It's on the same patch level as when it was bought, 50.1.A.13.123, stable and working well, as far as I can tell. As we all know, just after a release there can be some minor things to fix, and those are often included in these updates. Nothing odd.
What is odd, however, is that going forward the only way to get security updates is to, at some point, accept an OS upgrade. Even if this can create new problems, or simply make the phone look less good. (It is possible that there is too much work to create security patches for several Android versions, but releasing a security patch must certainly include less work than a new OS version.)
This is, more or less, what the world have seen for Xperia XA2:
50.1.A.4.76
50.1.A.4.102 1 January 2018 Android security patch
2018-03: 50.1.A.5.59 1 March 2018 Android security patch
2018-06: 50.1.A.10.40 1 June 2018 Android security patch
2018-08: 50.1.A.10.51 1 July 2018 Android security patch
2018-09: 50.1.A.13.83 1 September 2018 Android security patch
2018-12: 50.1.A.13.123 1 December 2018 Android security patch
2019-02: 50.2.A.0.342 Android 9, Didn't work so well.
2019-04: 50.2.A.0.352 Android 9, incl. 1 February 2019 Android security patch
2019-05: 50.2.A.0.379 Security patch: 1 May 2019, for Android 9
Several security patches during 2018, this year not so good ... Sony Mobile's pages says the phone is up to date, with a patch that is 5-6 months old, i.e. December 2018. And if anything arrives, that will probably be together with a system upgrade to 9 incl. blue blobs in the Notification panel.
We can't rely only on updating apps via Google Play to keep a device as secure as possible. Xperia XA2 is, together with a couple other Sony mobiles, on the list of Android Enterprise Recommended devices. With this follows a couple of requirements, among them: Security update support: 90-day security updates. (And that's for a minimum of three years.)
Why even bother participating in the Android Enterprise Recommended programme, if you can't keep security patches comming within 90 days? That's with or without system updates (OS upgrades).
P.S. You have one of the most convoluted log in processes; it is quite common that people block some scripts or cookies when browsing, but, obviously, adding exceptions for sites they visit often (and trust), such at sites they register an account. In this case it was extra hard since one is sent of from sonymobile to sony.com and then back etc.
I know sony are retrenching from some markets but I think they are doing the same thing with the xa2 my UK-H3113 is still on oreo 123 update from the 1st Dec 2018
Hi. Yes, I know. That said, I think in some of those markets it was already a bit difficult to buy a Sony mobile. I also know that they have merged the mobile division with TV, audio and camera businesses, hopefully they will gain some strength from this and come back in more markets.
In this case it's also Europe, the Nordic region.
I know they cut a quarter of their workforce here last autumn, but in May this year they mentioned that they will open a global research centre here, patents, 5G, 6G etc. not so much related to this, but they also mentioned they would get global responsibility for software updates, something that has previously been shared with Japan and China. And their CEO has said that Sony smartphones are here to stay.
Five Sony XperiaTM smartphones recognized under Android Enterprise Recommended program
Am from Portugal friend, and sony isn't don't update since dezembre 2018..
Sony have forgotten that some xa2 have not been updated to pie or had security updates since December 2018
When will affected Sony Android based products receive a security patch for the severe QualPwn vulnerability?
https://amp.thehackernews.com/thn/2019/08/android-qualcomm-vulnerability.html
Good question. But it is far too early, in the world outside Google phones, it seems.
I was going to post a follow up to a thread I started here, at the end of this month if Xperia XA2 by then hasn't seen any updates.
Sony mobile doesn't mention what is included in their updates, changes fixes etc., but different sources on the net can usually tell us which Android security patch that has been included.
The first year, 2018, went quite good it seems, not updates every month, but at least trying to stick to the 90 days. As I understand it there were even improvements to the camera in December.
Then came Android 9, Oreo. It didn't go as well; a limited patch for some region in February, major problems for some. Then along came the May update, in late May beginning of June. This was the first contact with Android 9 on XA2 for the many. Some have still experienced one or several problems, some improvements with recorded sound in videos, but several are complaining. (I don't know myself, I'm sticking to Android 8, December security patch for the moment; then I don't know if people have tried a complete reset, when trying solve their phone problems; a new OS isn't just a monthly patch.)
After that silence. They released new phones this year, top segment and middle segment; it started well for them, they have got both the June and the July Android security patches.
I thought, after all the problems reported with Android 9 on XA2, that perhaps they would try to get an update out, and with it include the June security patch, but they didn't. (That said, Sony mobile has had some tough months or years.)
Today the 1 May security patch for Android 9, mentioned above, that was released together with updates from Sony late May/early June, is 101 days old (i.e. 50.2.A.0.379). At the end of the month (30/8), the June update, which XA2 has NOT received this far, will be 90 days old, and then Sony isn't sticking to what they have said.
I agree with you and several others, I would like to see security patches as soon as possible. For a phone such as XA2, which Sony has decided should participate in the Android Enterprise Recommended programme, even if it is a middle segment phone, it isn't enough with a security patch every third month or worse. Even better would be if they fixed their version of Android 9 so it worked with XA2 without problems and with at least as good performance as when it was working late 2018, since upgrading to Android 9 is the only way to get the security patches.
See also this thread:
/t5/Xperia-XA2/Security-patches-is-a-requirement/m-p/1375896
@jokre wrote:When will affected Sony Android based products receive a security patch for the severe QualPwn vulnerability?
https://amp.thehackernews.com/thn/2019/08/android-qualcomm-vulnerability.html
Today, 13 August, it is less than 17 days left to 30 August, at which time it would be 90 days since the 1 June Android security patch, that didn't arrive, and the current security patch is 104 days old. During the time since the last update to XA2 from Sony, 50.2.A.0.379 which included the 1 May patch, in late May early June, other phones, "flagships" and middle segment phones, have seen both the June and the July security patches.
According to, for example, the xperia blog Sony has now started to send out new updates to a bunch of phones, including XA2. About time! However, according to them it is still not known, if the new update, 50.2.A.0.400, will include the security patch for August, or if it will be the July update (as is the case for the older phones XZ1 & XZ Prem.); Xperia 1, 10, XZ2, XZ3 and L2 will be receiving an August patch included in the update it seems.
That said, the CVEs discussed in the article that @jokre linked to above (CVE-2019-10538, CVE-2019-10539, CVE-2019-10540) are included in the security patch level of 2019-08-05, not in the 2019-08-01 security patch level. So even if XA2 is to get an August security update (and hopefully some non-security related tweaks to fix issues people have seen), it will probably be at the 2019-08-01 patch level (as Xperia 1, 10, XZ2, XZ3); Xperia L2 for some reason gets the 2019-08-05 patch level (as it did with the May update).
I can confirm my xa2 (customised uk H3113) got the 50.2.A.400 update this morning and its now on security update 1st August
As per https://source.android.com/security/bulletin/2019-08-01 , Qualpwn isn't patched on the last update available (August 1st). That would leave this phone vulnerable for the next 90 days; my opinion is that it is bad enough to deserve an out of band update (and I am in fact switching phones because of it).
Fwiw I'm on that same August 1st update for a uk dual SIM h4113 xa2.