Android Phone Makers ‘Forget’ Google Security Updates – Report

The shoddy state of Android security on smartphones may down to some smartphone makers skipping security updates from Google.

This is the claim from Germany’s Security Research Labs (SRL), after its researchers conducted a two-year study into the state of Android security, focused around the monthly updates that Google issues.

It found that in some cases, Android smartphone makers allegedly told users that smartphone’s software has been updated with monthly patches when it hasn’t.

Missing patches

The SRL researchers are due to present their findings at the Hack in the Box security conference in Amsterdam on Friday.

The researchers said of the 1,200 smartphones tested, some manufacturers may miss one or two patches from the monthly security updates, but others may miss many more.

They blogged about the Android ecosystem having a hidden patch gap, and warned that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.

The researchers pointed out that Android is the world’s largest smartphone operating system, with two billion devices in active use. But keeping these devices secure requires regular patches.

The researchers found there is often a hidden “patch gap” between what the manufacturers tell the users and what they actually do to the software – some simply tell people they have updated the phones without actually patching anything.

“Android has had its difficulties with patching in the past, with only 17 percent of devices operating on a recent patch level in 2016,” the researchers wrote. “Since then, many device vendors have improved their patching frequency: Phones now receive monthly security updates.”

“Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” they wrote.

“Patching is critically important to uphold the effectiveness of the different security layers already found in Android,” the researchers wrote. “Now that monthly patches are an accepted baseline for many phones, it’s time to ask for each monthly update to cover all relevant patches. And it’s time to start verifying vendor claims about the security of our devices. You can measure the patch level of your own Android phone using the free app SnoopSnitch.

Misleading customers

And while it may be that some of the updates are missed by accident, the researchers feel that some smartphone vendors are deliberately misleading their customers over the patch status.

‘We found several vendors that didn’t install a single patch but changed the patch date forward by several months. That’s deliberate deception, and it’s not very common,’ Security Research Labs founder Karsten Nohl told the Guardian newspaper.

“We’re working with [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google-suggested security update,” Google’s Android product security lead, Scott Roberts, told the newspaper.

According to the SRL research, Google, Sony and Samsung performed the best, missing up to one patch. OnePlus and Nokia meanwhile missed between one and three patches.

HTC, Huawei, LG and Motorola missed three to four patches, but Chinese manufacturers TCL and ZTE missed more than four.

Android used to have a pretty terrible reputation when it comes to security, with infected applications being regularly found on the Play Store in spite of Google’s security screening processes.

But matters have been improving, at least on the phones themselves, in recent years thanks to security updates.

That said, last year experts warned that Apple and Android smartphones which lack augmented security measures do leave high-priority hacking targets (CEOs, politicians etc) vulnerable.

Do you know all about security? Try our quiz!