Some Android OEMs lied about applying security updates


Fast forward to today: there is still no fix for the problem, and some users are already criticizing Google for not addressing the issue swiftly.

That's according to a two-year study by Security Research Labs (SRL), which found a so-called "patch gap", Wired reports.

Even more alarming than the number of missed patches is Security Research Labs' finding that some vendors weren't just forgoing patch updates, but were actively altering the date and version number of the patch level so that a security update appeared to be applied when it really wasn't. As a result, users are lulled into a false sense of security. "Sometimes these guys just change the date without installing any patches", Nohl says. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl said.

While Nohl says that it was possible that manufacturers accidentally missed a patch or two, this was certainly not the case in every instance of misreporting.

SRL and Wired didn't mention exactly which Android phone makers employ this tactic.
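The reported patch level is a string the vendor sets, so the defensive stance the study implies is to treat it as a claim and compare it against independent evidence of which fixes are actually on the device. The following added example (not SRL's code or tooling) models that comparison; the fix identifiers, bulletin dates and presence results are constructed placeholders, and how presence is determined is left outside the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class FixCheck:
    fix_id: str        # placeholder fix identifier (constructed, not a real CVE)
    bulletin: date     # date of the Android security bulletin that shipped the fix
    present: bool      # result of an independent check of the device's binaries

def missed_patches(claimed_level: str, checks: list[FixCheck]) -> list[str]:
    """Return the fixes the claimed patch level promises but that are absent.

    A reported patch level of D asserts that every fix from bulletins dated
    on or before D is applied; fixes from later bulletins are not counted.
    """
    claimed = date.fromisoformat(claimed_level)
    return sorted(c.fix_id for c in checks if c.bulletin <= claimed and not c.present)

def effective_patch_level(checks: list[FixCheck]) -> Optional[str]:
    """Return the latest bulletin date the device actually satisfies in full.

    Walk bulletins oldest to newest and stop at the first one with a missing
    fix; the bulletin before it is the level the evidence supports. Returns
    None when even the oldest bulletin is incomplete or there is no evidence.
    """
    by_bulletin: dict[date, bool] = {}
    for c in checks:
        by_bulletin[c.bulletin] = by_bulletin.get(c.bulletin, True) and c.present
    level = None
    for day in sorted(by_bulletin):
        if not by_bulletin[day]:
            break
        level = day.isoformat()
    return level

# Constructed sample: the device reports 2018-03-01, but two older fixes are absent.
SAMPLE_CHECKS = [
    FixCheck("fix-001", date(2018, 1, 1), True),
    FixCheck("fix-002", date(2018, 1, 1), True),
    FixCheck("fix-003", date(2018, 2, 1), False),
    FixCheck("fix-004", date(2018, 2, 1), True),
    FixCheck("fix-005", date(2018, 3, 1), False),
    FixCheck("fix-006", date(2018, 4, 1), True),
]

if __name__ == "__main__":
    claimed = "2018-03-01"
    print("claimed:", claimed, "supported by evidence:", effective_patch_level(SAMPLE_CHECKS))
    print("missed:", missed_patches(claimed, SAMPLE_CHECKS))  # ['fix-003', 'fix-005']
```

The gap between the claimed level and the level the evidence supports is the misreporting the study describes; a device whose two values agree is reporting honestly even if it is behind.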

Samsung's budget J3 smartphone. "It's small for some devices and pretty significant for others", SRL founder Karsten Nohl was quoted as saying.

Conversely, SRL also found that Samsung's mid-range J5 device contained all the advertised security patches. This can be seen in the image of the table below, which lists which OEMs were missing patches and how many were missed. For J5 customers, those who checked the status of their devices' security knew which patches were installed and which were not. Sony and Samsung devices were found to have skipped only 0-1 security updates. Still, Google has some work to do to get third parties in line.

Updates and security patches on Android have always been a serious issue.

It's widely known that Android devices receive the latest updates a few weeks after Google's official release. In a somewhat better grouping, each Xiaomi, OnePlus and Nokia phone tested had between one and three missed patches. Google's own phones seem to be safe, however, as the Pixel and Pixel 2 series did not misrepresent which security patches they had. Cheaper phones, which also tend to use cheaper chips, were found to skip more patches than flagships.

Google added that some devices may be skipping updates because they are uncertified, which means they are not required to meet certain security standards. One theory points to the chipsets these handsets are running, as there seems to be a correlation between particular SoCs and the availability of security updates: Snapdragon-based phones and those running Samsung's Exynos chips may be missing only one recent fix, while those built with MediaTek chips average almost ten.

"Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important", he said.
