Android smartphone makers lying to customers about security patches
13 April 2018
If your smartphone manufacturer has led you to believe that your Android smartphone is up to date and free of bugs, you may want to check again.
Eye-opening research by Security Research Labs has revealed that Android smartphone manufacturers have been telling their customers that their devices have been updated with the latest security patches, even though they have not applied all the patches provided by Google.
Historically, all Android device users knew that their smartphones’ manufacturers did not always update their devices beyond a certain version of Android. A very small percentage of Android devices actually ran the latest version and OEM devices usually received critical updates several months after such updates were made available for Google’s Nexus or Pixel devices.
For example, exactly a year ago, just 3 percent of all Android smartphones ran the latest version of the operating system, 50 percent of all Android devices had received a security update in the prior year, and there were at least 1,500 variations of every version of the Android operating system.
Knowing these facts, smartphone users made informed buying choices and decided whether to go for Apple’s iPhones, Google’s Pixel phones or other Android devices based on the frequency of security updates made available for each platform. However, if smartphone makers start lying to their customers about security updates, wouldn’t that amount to outright cheating, with customers being misled?
The discovery of ‘missed patches’
According to researchers at Security Research Labs, some smartphone manufacturers miss some patches when passing on update packages to their users, while others tell their users that their devices are on the latest patch level without actually patching anything at all. They do this simply by changing the security patch date shown in the Android phone’s settings.
“Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” they said.
While Android smartphone makers like Samsung, Sony, LeEco, Google and BQ did not miss more than one patch, the likes of OnePlus, Xiaomi, Nokia, Motorola and Honor missed between one and two patches; HTC, BlackBerry, Asus, LG, Huawei and Lenovo missed between two and four patches; and Oppo, ZTE, Alps and TCL missed four or more patches.
According to the researchers, because of the rising frequency of security patches and because of sandboxing, hackers do not usually exploit the absence of individual patches to infiltrate smartphones, since such an intrusion would require exploiting a large number of security bugs in one go.
However, state-sponsored and persistent hackers, who normally rely on exploiting “zero-day” vulnerabilities, may also rely on known bugs to build effective exploit chains, and may take advantage of the fact that some manufacturers, intentionally or not, fail to apply certain patches.
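The patch date a phone shows in Settings is a self-reported build property, so a fleet can only sanity-check the claim, not verify it. The following script is an added example, not code from the article or from Security Research Labs: it parses constructed `getprop` output, reads the `ro.build.version.security_patch` property, and flags claims that are malformed, in the future or stale. Proving that the patches were really applied needs binary-level inspection of the kind the researchers performed; this check cannot do that.

```python
# Added example: sanity-check self-reported Android security patch levels.
# The value comes from the vendor-set property ro.build.version.security_patch;
# a plausible-looking date is NOT evidence that the patches were applied.
from datetime import date, timedelta

# Constructed sample: `adb shell getprop` output from three hypothetical devices.
SAMPLE_GETPROP = {
    "device-A": "[ro.build.version.release]: [8.0.0]\n[ro.build.version.security_patch]: [2018-03-01]\n",
    "device-B": "[ro.build.version.release]: [7.1.1]\n[ro.build.version.security_patch]: [2017-06-05]\n",
    "device-C": "[ro.build.version.release]: [8.1.0]\n[ro.build.version.security_patch]: [2018-04-17]\n",
}

def parse_getprop(text):
    """Parse getprop lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def check_patch_level(claimed, today_iso, max_age_days=90):
    """Return findings for one claimed patch level (empty list = plausible claim).
    Google publishes two patch levels per bulletin month, YYYY-MM-01 and
    YYYY-MM-05, so any other day-of-month is a malformed claim."""
    today = date.fromisoformat(today_iso)
    try:
        level = date.fromisoformat(claimed)
    except ValueError:
        return ["unparseable patch level: %r" % claimed]
    findings = []
    if level.day not in (1, 5):
        findings.append("non-standard patch level day: %s" % claimed)
    if level > today:
        findings.append("patch level is in the future: %s" % claimed)
    if today - level > timedelta(days=max_age_days):
        findings.append("patch level older than %d days: %s" % (max_age_days, claimed))
    return findings

def audit_fleet(samples, today_iso):
    """Map device name -> findings for every getprop dump in `samples`."""
    report = {}
    for name, text in samples.items():
        claimed = parse_getprop(text).get("ro.build.version.security_patch", "")
        report[name] = check_patch_level(claimed, today_iso)
    return report

if __name__ == "__main__":
    for dev, findings in audit_fleet(SAMPLE_GETPROP, "2018-04-13").items():
        print(dev, findings or ["claim well-formed (not proof of patching)"])
```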
“As Android is ever increasing in popularity, the hacking incentives will only keep growing, as does the ecosystem’s responsibility for keeping its users secure.
“No single defense layer can withstand large hacking incentives for very long, prompting “defense in depth” approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android,” they added.
Scott Roberts, Google’s Android product security lead, told The Guardian that his team will work with Security Research Labs to improve detection mechanisms so that Google can detect when an Android smartphone manufacturer uses an alternate security update instead of the Google-suggested one.
“Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.
“These layers of security — combined with the tremendous diversity of the Android ecosystem — contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging,” he added.