How Android phones hide missed security updates

Google might split Android security patches to deliver fast updates

According to a two-year study conducted by Security Research Labs (SRL) on more than 1,200 Android phones, many are missing security patches. Yes and no. While it's disgraceful for the companies to misrepresent a security patch level, SRL points out that often chip vendors are to blame: devices sold with MediaTek chips often lack many critical security patches because MediaTek fails to provide the necessary patches to device makers.

The lengthy wait for a fix has placed Google on a bad light and the best possible explanation for it is that Google will hope to release the fix through the next-gen Android system, Android P. Android P is expected to make its official release in late June and it is likely to iron out on every problem inside Oreo.

It can get worse that that, Nohl told Wired's Andy Greenberg. "Sometimes these guys just change the date without installing any patches". The "patch gap" varies between device and manufacturer, but given Google's requirements as listed in the monthly security bulletins-it shouldn't exist at all. SRL says that it had tested the firmware on around 1,200 Android phones, looking for whether or not patches had been applied, which led to it finding devices that had changed the dates forward without actually adding the patches in. One theory points to the chipsets these handsets are running, as there seems to be a correlation between particular SoCs and the availability of security updates: Snapdragon-based phones and those running Samsung's Exynos chips may only have one recent fix missing, while those built with MediaTek chips average almost ten. Nevertheless, the security company plans to update its SnoopSnitch app to show users the actual patch status of their handset. In other words, some device makers have been claiming that their phones meet a certain security patch level when in reality their software is missing required security patches. "It's small for some devices and pretty significant for others".

In a statement provided to TechCrunch, Google pointed to the importance of various different means used to secure the Android ecosystem.

Or so you'd think. It appears Motorola may not be living up to its promises.

The team at SRL labs put together a chart that categorizes major device makers according to how many patches they missed from October 2017 onwards. But that number starts creeping up higher as we look at hardware from LG, HTC, Motorola, and ZTE - the latter's phones averaging four or more absent patches.

Bringing up the rear were ZTE and TCL, whose phones had an average of more than four missed Android security practices.

But hacking an Android device is harder than it seems, as Android phones come with a broader set of security measures like address space layout randomization and sandboxing.

Related:

Comments


Other news