Some Android OEMs are effectively lying about security updates by changing dates without adding patches [Update]

Updates on Android have long been a mess. Despite Google’s best efforts to improve security and make updates easier for everyone, it’s rare that an OEM can actually keep up with everything Google is doing. According to a new report, though, some have just been saying they’re up to date, without actually putting in the work…

A report from WIRED today cites Security Research Lab researchers who have spent two years keeping tabs on Android security updates. At a coming event in Amsterdam, they plan to present their findings, and the results are pretty discomforting.

For quite some time, Google has been putting together monthly security patches for the Android operating system, sealing the cracks on problems in the OS. To make it easy for users to check their level of security, Android added a handy section in the settings to identify the patch level based on the date. These SRL researchers took the time to “painstakingly” check and ensure that the patches applied to a device actually lined up with those dates.

In short, Android OEMs failed big time here. In many cases, a “patch gap” was found, with devices showing a specific date for security updates, but missing “as many as a dozen” of the patches from that update.

SRL tested 1,200 devices from a dozen manufacturers to gather these results over 2017. Phones came from Google, Samsung, Motorola, HTC, ZTE, TCL, and many others.

While most flagships didn’t struggle much here, just about everyone was a culprit. Google’s own Pixel 2 and Pixel 2 XL devices were, of course, safe, but top-tier flagships even from the likes of Sony and Samsung were missing patches to some extent. The table below breaks down the numbers a bit.

Image: WIRED

The problem here isn’t just a matter of neglecting updates, though. It’s extremely (annoyingly) common that OEMs just don’t update devices for a bit, and then update their devices later on. Rather, what’s happening in some cases is that OEMs are changing the security update date on the device without actually installing the associated patches, effectively lying to customers.

Several vendors apparently “didn’t install a single patch but changed the patch date forward by several months.” The researchers described that as “deliberate deception,” but thankfully found that it wasn’t very common.

In most cases, the researchers believe the patches were simply left out of updates by accident, which is somewhat understandable as there are a lot of patches in each update. Another possible cause could be the chipset of a device: MediaTek-powered devices were missing an average of 9.7 patches, while Qualcomm-powered devices were missing just 1.1.

However, this is still a pretty huge problem, as it makes it nearly impossible to tell the level of security on a device. To help remedy that, SRL is releasing an update to its Android app, Snoopsnitch, which checks to ensure your device actually has as many patches as it is supposed to.

Google has already commented on this matter to WIRED, stating that one possible cause for the findings could have been testing with uncertified devices, which are held to a lower security standard. Further, Google argued that missing patches could be due to a specific phone not offering an affected feature, or an OEM simply removing an affected feature rather than patching.

The company concluded its statement saying:

This is important research. We’ve launched investigations into each instance and each OEM to bring their certified devices into compliance when we’ve been able to reproduce their findings…[but] each instance really needs further investigation.

These missing patches may not be the end of the world for Android security, as both Google and the researchers pointed out that “hacking” Android is far more complicated than just exploiting missing security patches.

Update: Google has provided us with a statement regarding this matter, as follows.

We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.

What do you think about these findings? Will they influence your next smartphone purchase? Drop a comment and let us know!

