Are hardware makers doing enough to keep Android phones secure?

Pat Wise
April 13, 2018

On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. Security updates are one of many layers used to protect Android devices and users.

According to a report by Wired, such incidents were not one-offs either. The "patch gap" varies by device and manufacturer, but given Google's requirements as listed in the monthly security bulletins, it shouldn't exist at all.

A Google spokesperson sent us the following statement.

Even more alarming than the number of missed patches is Security Research Labs' statement that some vendors weren't just forgoing the patch updates but actively altering the patch date and version number so that the security update appeared to be applied when it really wasn't.

In some cases, the researchers attributed the gap to human error: Nohl believes that companies like Sony or Samsung sometimes accidentally missed a patch or two. Unsurprisingly, Pixel phones are the best, accurately indicating that they're up to date with security fixes, and devices from Samsung and Sony aren't far behind, maybe only missing one fix out of a larger batch. Lesser-known manufacturers, on the other hand, missed many more. Outside of the Google Pixel and Google Pixel 2, the tests revealed that even high-end flagship models made by the top manufacturers had Android security patches skipped, even when the phone reported the update as installed.

It further argued that modern Android phones come with security features that make them hard to hack even when they do have unpatched security vulnerabilities.

Does that necessarily mean that TCL and ZTE are at fault? Yes and no. While it's disgraceful for companies to misrepresent a security patch level, SRL points out that chip vendors are often to blame: devices sold with MediaTek chips often lack many critical security patches because MediaTek fails to provide the necessary patches to device makers.

Due to these findings, SRL has updated its SnoopSnitch app, allowing Android phone users to get an accurate breakdown of which updates have and haven't been installed.

As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap". The problem with Android is that while Google may push out regular software updates, it is left to these manufacturers to push them out to their devices.

That is still a long time away from now and such an outcome will only make it more certain that Google does not care for post-release user experience.
