Android phone makers allegedly lied about missed security patches

Sheri Evans
April 13, 2018

In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present, at the Hack in the Box security conference, the results of their two-year test, which revealed what they call the "patch gap". It further argued that modern Android phones come with security features that make them hard to hack even when they do have unpatched security vulnerabilities.

That is still a long time away from now, and such an outcome will only make it more certain that Google does not care for post-release user experience. It is further reported that companies that promote their sales on the promise of timely updates are lying to their users. Overall, they identified a so-called "patch gap". Even if you have an ideal device, if it is not receiving timely OS updates there are chances it will feel outdated and vulnerable to issues even before the standard two-year cycle.

Phones with Mediatek chipsets are far more likely to deceive users about the latest updates. On the other hand, for the OnePlus 5T the test result was inconclusive in the case of 5 patches, but the handset has not missed any patch. Outside Google's flagship phones like the Pixel and Pixel 2, even top-tier manufacturers sometimes claimed that patches were installed when they weren't, and with lower-end producers like LG, TCL and ZTE, four or more patches were often absent.

While many of these missed security patches may not be inherently unsafe in isolation, hackers typically chain together multiple security holes to reach their goal, taking over devices and stealing data.

Failing to update their smartphones with the latest security updates is one thing, but SRL found that some simply lie about installing any patches at all. "We found several vendors that didn't install a single patch but changed the patch date forward by several months". Other handset makers have to examine each update and, if necessary, tailor them to fit each of their own devices.

Google's Pixel series of smartphones are exempt from this issue

One of the interesting revelations from the research is that even major vendors such as Xiaomi and Nokia (which promise swifter updates) had on average between one and three missing patches, whereas HTC, Motorola, and LG had missed between three and four patches. Because patches were skipped, some devices may still be vulnerable to Android attacks, despite the firmware date showing that it shouldn't be an issue.

Nohl agrees that exploiting Android vulnerabilities remains hard due to these security layers and points out that an easier and more common route to compromising Android devices is through the use of malicious apps, either inside Google Play or outside the store.

A Google spokesperson sent us the following statement.

"Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important", he said.
