Some Android phone makers have lied about having fully up to date security patches

By Cal Jeffrey · 7 replies
Apr 12, 2018
  1. It would seem that your brand-spanking new Android phone is not as secure as you think it might be. According to a two-year study conducted by Security Research Labs (SRL) on more than 1,200 Android phones, many are missing security patches. Even worse is the fact that the manufacturers of these handsets are lying when they say that their firmware is fully updated.

    SRL researchers Karsten Nohl and Jakob Lell reverse engineered phones from Google, Samsung, HTC, Motorola, ZTE, TCL, and others, checking at the source-code level to see if all the patches were present. What they discovered was something they refer to as a “patch gap.”

    These are places in the code where updates should be present but are not. While the phone’s software may claim to be fully up to date, the researchers found security patches missing in most devices. On some phones, the patch gaps numbered in the dozens.

    Some manufacturers fared better than others. Sony and Samsung devices were found to have skipped only 0 to 1 security update. Xiaomi, OnePlus, and Nokia skipped as many as three patches. Huawei, HTC, Motorola, and LG were found to be lacking up to four, and ZTE and TCL were missing more than four updates in many cases. Not surprisingly, all Google phones were found to have every released patch present.

    The researchers did find a correlation between skipped patches and chipsets, however. According to the study, phones with Samsung-made chips had far fewer skipped updates. MediaTek chipsets, on the contrary, had an average of 9.7 missing security patches.

    Google told Wired, “some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security.”

    Scott Roberts, Android’s product security lead, also noted that security patches are only one layer of protection built into Android devices.

    “Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important,” he said. “These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging.”

    The takeaway here is that even though a new phone might not have every single patch, the Android OS is still tough to hack. The researchers agree with this assertion. However, does this excuse manufacturers who say their devices are fully updated when they are not?

    As Nohl puts it, "You should never make it any easier for the attacker by leaving open bugs that in your view don’t constitute a risk by themselves, but may be one of the pieces of someone else's puzzle. Defense in depth means install all the patches."

  2. Uncle Al

    Yep, anything to save a buck, but let some enterprising young fellow file suit and watch them scramble to get it done!

  3. IAMTHESTIG

    This was one of the reasons I switched to iPhone a year ago... just got tired of the poor software update support from the carriers and manufacturers. Updates seemed to be directly proportional to the sales volume of the device.
  4. merikafyeah

    LineageOS FTW! Don't be held "hostage" by your vendor/carrier. Take updates into your own hands.
  5. trparky

    Another example of "winning" in the Android camp. And people wonder why I went to the iPhone. Oh yeah, it's because of this crap.

    You see, I live in the US where the carriers don't give a crap about you.

    US carriers be like... "Updates? What are those? Don't you want that new shiny device over there?"
    Me: "No, I want you to deliver the updates for my less than year old device."
    US Carriers: "FU! Buy a new device instead! We need to pander to our stockholders."
  6. axiomatic13

    Being on Google's Project Fi for my family's phones means I am all up to date. But for my Nexus 9 tablet I agree with merikafyeah above. LineageOS is what I use on that device!
  7. wiyosaya

    Looks like if you are considering an Android phone that gets regularly updated, you have to do a bit of research and not buy from the vendors that do not issue regular updates, even though their phones might be cheaper.
  8. onestepforward

    I was reading only yesterday that even Google's Pixel phones only get guaranteed 2 or 3 years of updates. That is just a pitiful ripoff!