Several Android Manufacturers Have Been Caught Lying About Security Patches According to Researchers
One of the many reasons Android is deemed insecure is its irregular update cycle. Updates on the platform have remained a mess despite Google’s best efforts to improve security and make them more accessible to everyone. In the end, shipping updates falls upon the individual manufacturer, which can be challenging for many companies. A new report sheds light on findings that are far worse than we thought: several manufacturers only claimed to be up to date with patches without actually putting in the work.
A report from Security Research Lab, which spent two years keeping tabs on Android security updates, presents its findings, and they are pretty discomforting. Google has been putting together monthly security patches for the Android operating system to fix the vulnerabilities found in it, and the company has made it easy for users to check which security patch level their device reports.
Very often, just the date was moved forward
The researchers took the time to check whether the patches applied to a device actually lined up with those dates, and several Android OEMs fell well short in that regard. Across several instances, a “patch gap” was found: devices showed a specific security patch date but were missing “as many as a dozen” of the patches from that update. The researchers tested 1,200 devices from a dozen manufacturers over 2017 to gather these results. The results were shocking, with devices from industry giants such as Google, Samsung, Motorola, HTC and ZTE on the list.
As expected, flagships fared relatively well, but the same can't be said for everyone else. Google’s own Pixel 2 and Pixel 2 XL devices were found to be safe, but top-tier flagships from just about everyone else were missing patches from time to time.
The problem here lies in more than just neglected updates. It stems from the practice employed by some OEMs, who leave devices without updates for a while and then update them later on. Technically, there's nothing wrong with that, but what’s really happening is that in some cases OEMs are changing the security patch date on the device without actually installing the associated patches, effectively lying to customers.
Devices running MediaTek chips were affected the most
A few vendors didn't install the patches at all and just moved the date forward, which can only be described as “deliberate deception,” though thankfully the researchers found this wasn’t widespread. In most cases, the missing patches were accidentally left out of updates. That doesn't excuse the behaviour, but it is somewhat understandable given how many patches each update contains. Another possible cause is the chipset of a device: MediaTek-powered devices were missing an average of 9.7 patches, while Qualcomm-powered devices were missing just 1.1.
It is still a huge problem, as it makes it nearly impossible for users to tell how secure a device really is. The firm is releasing an update to its Android app, Snoopsnitch, which checks whether your device actually has as many patches as its patch level claims. Google suggests that one possible cause of the findings is testing with uncertified devices, which are held to a lower security standard. Further, a patch may be missing because a specific phone does not offer the affected feature, or because the OEM removed the affected feature rather than patching it.
These missing patches may not be the end of the world for Android security, as “hacking” Android is far more complicated than just exploiting missing security patches. It is upon manufacturers to ensure that vulnerabilities, if any, are patched in a timely and complete fashion.
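The “patch gap” described above can be made concrete: compare the patch level a device claims (the Android system property `ro.build.version.security_patch`, which is a real property) against per-patch test results, and treat a patch as not applicable when the affected code is absent, as Google's caveat notes. This is an added example, not code from Security Research Lab or from Snoopsnitch; the patch IDs, bulletin dates and test results are constructed sample data, and how each patch is detected on the device is out of scope here.

```python
"""Patch-gap check: does the claimed security patch level match reality?
All patch IDs, bulletin dates and test results are constructed samples."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed bulletin: patch id -> month of the bulletin that shipped it.
BULLETIN = {
    "PATCH-A": date(2017, 10, 1),
    "PATCH-B": date(2017, 10, 1),
    "PATCH-C": date(2017, 11, 1),
    "PATCH-D": date(2017, 12, 1),
    "PATCH-E": date(2018, 1, 1),  # newer than the claimed level, not expected
}


def parse_patch_level(prop: str) -> date:
    """Parse the value of ro.build.version.security_patch, e.g. '2017-12-01'."""
    year, month, day = (int(part) for part in prop.strip().split("-"))
    return date(year, month, day)


def patch_gap(claimed_level: str,
              results: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (missing, present, not_applicable) for every patch that the
    claimed level says should be installed.

    results maps patch id -> 'present', 'missing' or 'n/a' (affected feature
    absent from this device).  A patch with no test result is counted as
    missing, the conservative choice for a defender."""
    level = parse_patch_level(claimed_level)
    expected = [pid for pid, shipped in BULLETIN.items() if shipped <= level]
    missing = [p for p in expected if results.get(p, "missing") == "missing"]
    present = [p for p in expected if results.get(p) == "present"]
    not_applicable = [p for p in expected if results.get(p) == "n/a"]
    return missing, present, not_applicable


if __name__ == "__main__":
    # Constructed device: claims December 2017 but was only tested for A-C.
    gap, ok, na = patch_gap("2017-12-01", {"PATCH-A": "present",
                                            "PATCH-B": "missing",
                                            "PATCH-C": "n/a"})
    print("missing:", gap, "present:", ok, "not applicable:", na)
```

On a real device the claimed level would come from `adb shell getprop ro.build.version.security_patch`; an empty `missing` list is the only outcome that supports the date the device reports.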