Researchers say some Android phone makers hide missed updates


The researchers found there is often a hidden "patch gap" between what the manufacturers tell the users and what they actually do to the software - some simply tell people they have updated the phones without actually patching anything.

As reported by Wired, SRL tested phones from big-name companies, the likes of Samsung and HTC, as well as those from smaller companies. The latest research at Security Research Laboratory in Germany has discovered that many Android vendors are wrongly informing customers that their devices are running the most recent updates. As a result, users are led into a false sense of security.

"We found several vendors that didn't install a single patch but changed the patch date forward by several months".

Not only do some vendors fail to push these security patches, or delay their release, but sometimes they just let users think that their smartphone's security is fully up to date. Devices that use processors from Taiwan's MediaTek miss out on 9.7 patches.

The results are worrying: numerous manufacturers raise the security patch level shown on their smartphones without actually applying the patches to the system, leaving a gap between the actual level of protection and the declared one.

Conversely, SRL also found that Samsung's mid-range J5 device contained all the advertised security patches. The team cited the Samsung J5 2016 as being honest about the lack of patches, while the J3 2016 lacked 12 patches (including two deemed "critical") despite claiming to receive every security update in 2017.

Keep in mind that security patches have to be applied at multiple individual levels, from the phone manufacturer to the OS maker (Google) to the component makers as well. While Wiko's updates are complete, according to SnoopSnitch, its actual ability to deliver updates is limited, as support lifetimes for Wiko phones are only between 1-1.5 years, with no security updates available within a month after publication by Google, according to findings in February by SecurityLab.


Indeed, Google is the source of Android's security patches.

The internet giant has also adapted the voice function to work better on slow connections, even as basic as 2G networks, according to Google Africa Chief Marketing Officer Mzamo Masito.

On some phones, the patch gaps numbered in the dozens.

Xiaomi, Nokia, HTC, Motorola and LG all made the list as well, while TCL and ZTE fared the worst in the study, on average not having installed more than four of the patches they claimed to have installed on a given device.

Nohl and Kell pointed to security features in Android, such as memory address space layout randomisation (ASLR) and application isolation, that make exploitation of devices complex.

"Google Go is created to address these issues and provide a seamless experience irrespective of the device or network the user is on", she said.
