Most other major Android phone makers fall somewhere in between.
It can get worse than that, Nohl told Wired's Andy Greenberg. Sometimes these guys just change the date without installing any patches. You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it. Devices that use processors from Taiwan's MediaTek are missing 9.7 patches. For some features, the app needs to be run on rooted Android phones, but the security patch analysis will work on all phones using a Qualcomm chipset. SRL Labs is going to release an update to its Android app SnoopSnitch that will let users check their phone's code for the actual state of its security updates, but it is unlikely that users will manually check for patches.
This OnePlus phone seems to be in decent, if outdated, security shape. According to the firm, certain OEMs skipped almost a dozen patches. Considering how many Android phones are out there and how many vendors weren't applying the patches as regularly as Google intended, some users, and likely a large number of them, continued to use phones that weren't up to date and weren't protected against the then-current security risks those patches were meant to address. However, does this excuse manufacturers who say their devices are fully updated when they are not? The more alarming detail is not that the security patches had been missed, but rather the number of times that the patches weren't applied.
As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap".
Or so you'd think.
Nohl and researcher Jakob Lell found that even companies like Sony and Samsung missed a patch every now and then, but it wasn't consistent across models. It appears Motorola may not be living up to its promises.
LG, Motorola, Huawei, and HTC missed 3-4 patches, and Nokia, OnePlus, and Xiaomi skipped 1-3 patches on average. For any device that received at least one security patch update since October, SRL wanted to see which device makers were the best and which were the worst at accurately patching their devices against that month's security bulletin. While we hope to learn a bit more about exactly which phones are missing which fixes, there's also another concern beyond just knowing whether or not your phone is actually secure, and that involves the degree to which manufacturers have been misleading their users.