Over the last few years, Google has been making efforts to keep Android secure by frequently pushing out security patches to Pixel devices and handing them over to third-party Android phone makers so that they can keep their customers up to date. Unfortunately, it looks like many manufacturers are doing a poor job of it, with security researchers this week saying that many vendors simply skip patches and tell users that they are up to date.
Karsten Nohl and Jakob Lell of Security Research Labs spoke with Wired this week, outlining a two-year-long research effort into 1,200 Android devices. What they discovered is that many Android OEMs have a “patch gap”: they simply update the patch-level date shown in the firmware to make it look like users are up to date, without shipping the corresponding fixes.
“We find that there's a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others. Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best”, Nohl said.
To reach these findings, 1,200 phones from a dozen different OEMs were tested, ranging from heavyweights like Samsung, HTC and Motorola to lesser-known brands like ZTE and TCL. While Google's Pixel devices have a flawless record with security patches, the researchers found that even top-tier phone makers claimed to have security patches installed when those patches were actually missing.
The core issue is that vendors aren't just neglecting security patches; they are actively telling users that patches are installed when they aren't present in the firmware: “We found several vendors that didn’t install a single patch but changed the patch date forward by several months”, Nohl added. With this kind of inconsistency, it is harder for users to know whether their device is actually secure. Because the displayed patch level is only a claim, a device that has skipped patches may still be vulnerable to known Android attacks even though its firmware date suggests it shouldn't be.
In the end, the researchers found that vendors like Google, Sony, Samsung and Wiko were missing 0-1 patches on average. Meanwhile, companies like Nokia, OnePlus and Xiaomi were missing 1-3 patches on average. HTC, Huawei, LG and Motorola were found to be missing 3-4 security patches on average, while TCL and ZTE tend to miss more than four security updates each year.
It is worth noting that some of the devices tested may not have been ‘Android Certified’. This is the program Google puts in place to ensure vendors stick to Google's security standards. Still, Google has begun working with Security Research Labs to further investigate the findings.
KitGuru Says: Given the number of well-known attacks that can be leveraged against Android devices, keeping on top of security patches is important. Hopefully this research will help Google and vendors tighten up their practices in the future.