Porky pies? Research claims that Android phone makers are telling users phones have been updated, when they haven’t
The shoddy state of Android security on smartphones may be down to some smartphone makers skipping security updates from Google.
This is the claim from Germany’s Security Research Labs (SRL), after its researchers conducted a two-year study into the state of Android security, focused around the monthly updates that Google issues.
It found that in some cases, Android smartphone makers allegedly told users that the smartphone’s software had been updated with monthly patches when it hadn’t.
The SRL researchers are due to present their findings at the Hack in the Box security conference in Amsterdam on Friday.
The researchers said of the 1,200 smartphones tested, some manufacturers may miss one or two patches from the monthly security updates, but others may miss many more.
They blogged about the Android ecosystem having a hidden patch gap, and warned that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.
The researchers pointed out that Android is the world’s largest smartphone operating system, with two billion devices in active use. But keeping these devices secure requires regular patches.
The researchers found there is often a hidden “patch gap” between what the manufacturers tell the users and what they actually do to the software – some simply tell people they have updated the phones without actually patching anything.
“Android has had its difficulties with patching in the past, with only 17 percent of devices operating on a recent patch level in 2016,” the researchers wrote. “Since then, many device vendors have improved their patching frequency: Phones now receive monthly security updates.”
“Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” they wrote.
“Patching is critically important to uphold the effectiveness of the different security layers already found in Android,” the researchers wrote. “Now that monthly patches are an accepted baseline for many phones, it’s time to ask for each monthly update to cover all relevant patches. And it’s time to start verifying vendor claims about the security of our devices. You can measure the patch level of your own Android phone using the free app SnoopSnitch.”
And while it may be that some of the updates are missed by accident, the researchers feel that some smartphone vendors are deliberately misleading their customers over the patch status.
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months. That’s deliberate deception, and it’s not very common,” Security Research Labs founder Karsten Nohl told the Guardian newspaper.
“We’re working with [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google-suggested security update,” Google’s Android product security lead, Scott Roberts, told the newspaper.
According to the SRL research, Google, Sony and Samsung performed the best, missing up to one patch. OnePlus and Nokia meanwhile missed between one and three patches.
HTC, Huawei, LG and Motorola missed three to four patches, but Chinese manufacturers TCL and ZTE missed more than four.
But matters have been improving, at least on the phones themselves, in recent years thanks to security updates.