Some Android OEMs Reportedly Skipping Security Patches

To coincide with the release of the report, SRL has launched an app called SnoopSnitch, which it says helps Android users find out whether their handsets are actually carrying the security patches they claim to have.

Wired reports the existence of these "patch gaps", with manufacturers missing up to a dozen security patches even while telling users that all known issues have been addressed.

Nohl and Lell reverse engineered the operating system code of about 1,200 Android smartphones to check if the devices really contained the security patches that companies said they did.
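The point of that methodology is that a phone's "security patch level" is a string the vendor writes into the build, while the patches themselves are changes to system binaries, so the two have to be compared. The sketch below is an added illustration of that comparison for this article; it is not SRL's or SnoopSnitch's code and does not reproduce their signature database. Every CVE identifier, library name, library blob and byte pattern in it is a constructed placeholder; the only real detail is the Android system property `ro.build.version.security_patch` and the `getprop` line format it is read from.

```python
"""Checking a device's CLAIMED patch level against EVIDENCE in its binaries.

Added illustration; not SRL's or SnoopSnitch's code. All CVE identifiers,
libraries and byte patterns are constructed placeholders. The one real detail
is ro.build.version.security_patch, the property a phone shows as its security
patch level, which a vendor can set to any date regardless of what was patched.
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample of `adb shell getprop` output (the line format is real).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2018-03-01]
[ro.product.model]: [EXAMPLE-1]
"""


def claimed_patch_level(getprop_output: str) -> date:
    """Extract the advertised patch level. This is only a claim by the vendor."""
    m = re.search(
        r"\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]",
        getprop_output,
    )
    if not m:
        raise ValueError("ro.build.version.security_patch not found")
    return date.fromisoformat(m.group(1))


@dataclass(frozen=True)
class PatchSignature:
    cve: str           # placeholder identifier (constructed)
    bulletin: date     # bulletin month whose patch level covers this fix
    library: str       # system library the fix lands in
    vulnerable: bytes  # byte pattern present only in unpatched code
    fixed: bytes       # byte pattern present only in patched code


# Constructed reference signatures (hypothetical CVEs and patterns).
SIGNATURES = [
    PatchSignature("CVE-TEST-0001", date(2018, 1, 1), "libexample_a.so", b"VULN_A", b"FIX_A"),
    PatchSignature("CVE-TEST-0002", date(2018, 2, 1), "libexample_b.so", b"VULN_B", b"FIX_B"),
    PatchSignature("CVE-TEST-0003", date(2018, 3, 1), "libexample_c.so", b"VULN_C", b"FIX_C"),
    PatchSignature("CVE-TEST-0004", date(2018, 4, 1), "libexample_a.so", b"VULN_D", b"FIX_D"),
]

# Constructed "device": library name -> bytes as pulled from /system/lib.
SAMPLE_DEVICE_LIBS = {
    "libexample_a.so": b"\x7fELF....FIX_A....VULN_D....",  # Jan fix present, Apr fix not
    "libexample_b.so": b"\x7fELF....VULN_B....",           # Feb fix missing
    # libexample_c.so absent: vendor ships a different build, so nothing to compare
}


def classify(sig: PatchSignature, libs: dict) -> str:
    """Return 'patched', 'missing' or 'inconclusive' for one signature.

    Inconclusive covers an absent library or one matching neither pattern
    (e.g. the vendor rebuilt it differently). An honest checker reports that
    third state instead of guessing, which is why per-device results carry an
    'inconclusive' count alongside 'patched'.
    """
    blob = libs.get(sig.library)
    if blob is None:
        return "inconclusive"
    vuln, fix = sig.vulnerable in blob, sig.fixed in blob
    if fix and not vuln:
        return "patched"
    if vuln and not fix:
        return "missing"
    return "inconclusive"


def patch_gap(claimed: date, sigs, libs) -> dict:
    """Check only the fixes the claimed level asserts are present (bulletin <= claimed)."""
    out = {"patched": [], "missing": [], "inconclusive": []}
    for sig in sigs:
        if sig.bulletin <= claimed:
            out[classify(sig, libs)].append(sig.cve)
    return out


def label_only_claim(gap: dict) -> bool:
    """True when the patch date was advanced but no checkable fix was actually applied."""
    return not gap["patched"] and bool(gap["missing"])


if __name__ == "__main__":
    level = claimed_patch_level(SAMPLE_GETPROP)
    gap = patch_gap(level, SIGNATURES, SAMPLE_DEVICE_LIBS)
    print(f"claimed level {level}: {gap}")
    print("label-only claim:", label_only_claim(gap))
```

Run against the constructed device, the claimed level of 2018-03-01 yields one patched fix, one missing and one inconclusive, and the April signature is ignored because the phone never claimed it. The `label_only_claim` check captures the case the article describes later, a build whose patch date was moved forward while nothing verifiable was patched. Real signatures would be derived from known-patched and known-unpatched builds of each library rather than from byte strings chosen by hand.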

Nohl agrees that exploiting missing patches remains hard for hackers, who are more likely to use methods like rogue apps snuck onto the Google Play Store or onto less secure third-party sources.

Phones from TCL and ZTE were missing four or more of the advertised security patches, as shown in the table (reproduced as an image in the original) listing which OEMs were missing patches and how many were missed.

But if you just want to not worry about it (we feel you), the tail-end of Google's statement asserts that you can do just that: "These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging". Over the past few years, Google has pushed its OEM partners to be more aggressive with their updates, but it's been an uphill battle.

Google added that some of the devices may be skipping updates because they are uncertified, meaning they are not required to meet certain security standards. Apart from the Google Pixel and Google Pixel 2, the tests found that even high-end flagship models from the top manufacturers had skipped Android security patches, even when the phone's reported patch level credited them as installed.

"We found several vendors that didn't install a single patch but changed the patch date forward by several months", Nohl says. "That's deliberate deception, and it's not very common".

Nevertheless, the SRL founder reckons that Android device owners can take solace in the security measures on their phone.

As an example, testing SnoopSnitch on (my personal) Sony Xperia XZ1, with stock, un-rooted Android 8.0 (Oreo) at the March 1, 2018 security patch level, shows 34 patched vulnerabilities and 20 inconclusive vulnerabilities.

Results varied even within a single vendor's line-up: Samsung's 2016 J5 accurately reported what was and wasn't installed, but its 2016 J3 said all patches were up to date when 12 weren't actually installed. Companies such as Google, Samsung and Sony had the best record of installing the patches, whereas Chinese vendors including Lenovo's Motorola, TCL and ZTE had trouble rolling them out.

Xiaomi, OnePlus, and Nokia were found to have between one and three missed patches, though again there were few samples of Nokia phones. Part of the delay is structural: after Google releases a patch, chipset makers adapt it to their own hardware and only then pass it on to the smartphone manufacturers. Google is working with SRL to delve deeper into its test results.