Published: Sat, April 14, 2018
IT&Software | By Alfonso Woods

Android phone makers allegedly lied about missed security patches

And while it may be that some of the updates are missed by accident, the researchers feel that some smartphone vendors are deliberately misleading their customers over the patch status.

"Most patching gaps are probably the result of genuine difficulties to keep track of all necessary patches in Android, the Linux kernel, the chipset, and hardware drivers", SRL founder and study co-author Karsten Nohl told Android Authority in an email.

One of the interesting revelations from the research is that even major vendors such as Xiaomi and Nokia (which promise swifter updates) had on average between one and three missing patches, whereas HTC, Motorola, and LG had missed between three and four patches. Phones with MediaTek processors were typically missing 9.7 security patches, which looks to be a grave concern and needs to be looked into. But what happens when you discover that some Android phone manufacturers - and alas, seemingly even Google themselves - skip these patches and just adjust the date displayed in your phone settings?

Most non-Google Android phone makers (except for Sony) were once bad at keeping up with security patches. Fast forward to today, there is still no fix for the problem and some users are already hating on Google for not addressing the issue swiftly. If that's the case, then the situation is a little bit of a gray area.

While Sony and Samsung phones were found to have missed few patches on average, devices made by TCL and ZTE had on average four or more missed updates they claimed to have installed. "It's small for some devices and pretty significant for others".

Researchers found Google, Samsung, and Sony phones to be the most complete in terms of security patches, with TCL and ZTE phones having the most missing patches.

That's because crucial patches are commonly skipped over by some of the most prolific players in the smartphone market, according to in-depth findings from Security Research Labs (SRL). For example, Samsung's 2016 J5 accurately reported what was and wasn't installed, but its 2016 J3 said all patches were up to date when 12 weren't actually installed.

"Security updates are one of many layers used to protect Android devices and users", said Scott Roberts, security lead for Android products, in a statement to Wired. While Android users have expressed a general displeasure over delayed patches, blatantly lying about updates is something new, and leaves the smartphones vulnerable to known hacking techniques. Again, the Android vendors run their own series of tests on various devices before rolling out for general use.

Shortly after these findings were announced, Google said that it'd be launching investigations into each of the guilty OEMs to find out what exactly's going on and why users are being lied to about which patches they do and don't have.
