Android phone makers allegedly lied about missed security patches

Sheri Evans
April 13, 2018

In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present the results of their two-year test, which revealed what they call the "patch gap", at the Hack in the Box security conference. It further argued that modern Android phones come with security features that make them hard to hack even when they do have unpatched security vulnerabilities.

That is still a long time away from now, and such an outcome will only make it more certain that Google does not care for post-release user experience. It is further reported that companies that build their sales on the promise of timely updates are lying to their users. Overall, they identified a so-called "patch gap". Even if you have an ideal device, if it is not receiving timely OS updates there are chances it will feel outdated and vulnerable to issues even before the standard two-year cycle.

Phones with MediaTek chipsets are far more likely to deceive users about the latest updates. On the other hand, for the OnePlus 5T the test result was inconclusive for 5 patches, but the handset has not missed any patch. Outside Google's flagship phones like the Pixel and Pixel 2, even top-tier manufacturers sometimes claimed that patches were installed when they weren't, and with lower-end producers like LG, TCL and ZTE, four or more patches were often absent.

While many of these missed security patches may not be inherently unsafe in isolation, hackers typically chain together multiple security holes to reach their goal, taking over devices and stealing data.

Failing to update their smartphones with the latest security updates is one thing, but SRL found that some simply lie about installing any patches at all. "We found several vendors that didn't install a single patch but changed the patch date forward by several months." Other handset makers have to examine each update and, if necessary, tailor it to fit each of their own devices.

Google's Pixel series of smartphones are exempt from this issue

One of the interesting revelations from the research is that even major vendors such as Xiaomi and Nokia (which promise swifter updates) had on average between one and three missing patches, whereas HTC, Motorola, and LG had missed between three and four patches. By skipping patches, some devices may still be vulnerable to Android attacks, despite the firmware date showing that it shouldn't be an issue.

Nohl agrees that exploiting Android vulnerabilities remains hard due to these security layers and points out that an easier and more common route to compromising Android devices is through the use of malicious apps, either inside Google Play or outside the store.

A Google spokesperson sent us the following statement.

"Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important", he said.
