Published: Fri, April 13, 2018
IT&Software | By Alfonso Woods

Android phone manufacturers lying to users about missed security patches

In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present at the Hack in the Box security conference, the results of their two-year test that revealed what they call the "patch gap".

Even though Google has managed to establish Android as the top smartphone operating system in the world, it has failed on a major front that ensures the security of your smartphone.

These smartphone makers have created a false sense of security among their users. For J5 customers, those who checked the status of their devices' security believed they knew which patches were installed and which were not. The researchers call this discrepancy between claimed and installed patches the "patch gap".

Android phone makers could also potentially "miss a patch or two by accident", according to SRL's Karsten Nohl. Even a flawless device that does not receive timely OS updates is likely to feel outdated and remain vulnerable to known issues well before the standard two-year support cycle ends. HTC, Huawei, LG and Motorola missed between 3 and 4 patches, whereas TCL and ZTE missed more than 4 patches.

One measure of an Android device's security is whether it receives the monthly security patches from Google.

Android has typically been more vulnerable to attack than Apple's iOS platform; however, Google has pumped a huge amount of resources into tackling security protection on its devices. Entry-level devices, on the other hand, hardly receive any regular security updates, let alone OS updates.

Other OEMs such as TCL and ZTE had missed four or more patches. In our test results we found that the Redmi 5 has missed 5 claimed patches, and the test result is inconclusive for 48 patches.

Even more alarming than the number of missed patches is that Security Research Labs states that some vendors weren't just forgoing the patch updates, but going so far as to actively alter the date and version number of the patch to make it appear as if the security update had been applied when it really hadn't. SRL says that it tested the firmware on around 1,200 Android phones, looking for whether or not patches had been applied, which led to it finding devices whose patch dates had been moved forward without the patches actually being added.
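The claimed patch level the article refers to is the `ro.build.version.security_patch` system property, which a user or administrator can read with `adb shell getprop`. The following is an added example, not SRL's test tooling (which inspected the firmware binaries themselves; nothing here does that). It shows two defender-side checks that can be done from device metadata alone: how many months a device's claimed patch level lags a reference bulletin date, and a heuristic flag when the claimed patch level is far ahead of the firmware's own build timestamp (`ro.build.date.utc`), which is the kind of inconsistency a forward-dated patch level would produce. The `getprop` output, the 45-day partner lead-time tolerance and the per-patch result table are all constructed for the example; only the property names are real.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `adb shell getprop` output (not from the article).
# The build timestamp (1507000000 = 2017-10-03 UTC) is deliberately months
# older than the claimed patch level, so the consistency heuristic fires.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2018-03-01]
[ro.build.date.utc]: [1507000000]
[ro.product.model]: [EXAMPLE-MODEL]
"""

# Constructed per-patch verification results, using the three outcome
# categories the article reports (applied, missing, inconclusive).
# Patch identifiers are placeholders, not real bulletin entries.
SAMPLE_PATCH_TESTS = {
    "patch-01": "applied",
    "patch-02": "applied",
    "patch-03": "missing",
    "patch-04": "inconclusive",
    "patch-05": "missing",
    "patch-06": "applied",
}

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Parse getprop output into a dict, skipping lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level string, or None if malformed."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def months_behind(patch_level, reference):
    """Whole months between the claimed patch level and a reference bulletin date."""
    return (reference.year - patch_level.year) * 12 + (reference.month - patch_level.month)


def assess_device(props, reference, partner_preview_days=45):
    """Summarise a device's claimed patch level against a reference bulletin date.

    `reference` is a YYYY-MM-DD string for the bulletin you are measuring against.
    `partner_preview_days` is an assumed tolerance: OEMs receive bulletins before
    public release, so a patch level slightly ahead of the build date is normal.
    A claimed level far ahead of when the firmware was built cannot have included
    those fixes and deserves a closer look (heuristic, not proof of tampering).
    """
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    if level is None:
        return {"status": "unknown",
                "reason": "missing or malformed ro.build.version.security_patch"}
    ref = parse_patch_level(reference)
    result = {
        "status": "ok",
        "patch_level": level.isoformat(),
        "months_behind": months_behind(level, ref),
        "claimed_level_far_ahead_of_build": False,
    }
    build_ts = props.get("ro.build.date.utc", "")
    if build_ts.isdigit():
        build_date = datetime.fromtimestamp(int(build_ts), tz=timezone.utc).date()
        result["build_date"] = build_date.isoformat()
        result["claimed_level_far_ahead_of_build"] = (
            (level - build_date).days > partner_preview_days
        )
    return result


def summarize_patch_tests(results):
    """Count outcomes per category and list the patches found missing."""
    summary = {"applied": 0, "missing": 0, "inconclusive": 0, "missing_ids": []}
    for patch_id, outcome in sorted(results.items()):
        summary[outcome] += 1
        if outcome == "missing":
            summary["missing_ids"].append(patch_id)
    return summary


if __name__ == "__main__":
    device = assess_device(parse_getprop(SAMPLE_GETPROP), "2018-04-01")
    print(device)
    print(summarize_patch_tests(SAMPLE_PATCH_TESTS))
```

Because the patch-level string is just a property the vendor sets, `assess_device` can only catch internally inconsistent metadata; confirming that a specific fix is present still requires examining the installed binaries, which is what the SRL study did.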

Android P will allow cleartext connections to specific domains, but Google said developers should use these only for legacy cases to avoid traffic being tampered with. For any device that received at least one security patch update since October, SRL wanted to see which device makers were the best and which were the worst at accurately patching their devices against that month's security bulletin. Android has a lot of manufacturers, and hardly any OEM can keep up with Google's pace of releasing security patches. Missing multiple patches can cause a series of vulnerabilities in a phone's software. Google says that some of the devices in the study may not have been Android certified devices, which means that Google's standards of security would not apply to them. The company tried to do some damage control by listing its mechanisms like Google Play Protect which are being developed to ensure an extra security layer.
