Your Android Smartphone Maker Is Lying About Missed Security Updates

Yolanda Curtis
April 13, 2018

That's according to a two-year study by Security Research Labs (SRL), which found a so-called "patch gap", Wired reports.

The main reason given for the missing updates is the complexity of the Android ecosystem. If a company making the chips isn't keeping up with patches, it becomes quite hard for the manufacturers of the phones running them to fully secure their devices. Though Google publishes updates monthly, device manufacturers are often months late in delivering security updates. However, a new set of reports now indicates that some OEMs are claiming that their devices are updated with the latest security patches from Google without actually installing them.

What's The Story Of Android's Security Patches All About?

Firmware upgrades sometimes accidentally delete a few critical patches from your phone when you update it. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best". Out of the 1,200 phones that were tested by the firm, including devices from Google (the primary source for updates to Pixel phones), Samsung, HTC, Motorola, and TCL, the issue impacted even the flagship models from the likes of Samsung and Sony. The researchers calculated the average number of missing patches for each patch level over the year for the brands. In a somewhat better grouping, each Xiaomi, OnePlus and Nokia phone tested had between one and three missed patches. Huawei, HTC, Motorola, and LG were found to be lacking as many as four, and ZTE and TCL were missing more than four updates in many cases.

But there were some curious outliers in the results, too. The team was especially interested in critical security updates that fixed major bugs in 2017.

As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap".

Scott Roberts, Android's product security lead, also noted that security patches are only one level of protection built into Android devices. Google also reportedly points out that some devices may have had updates skipped because vendors simply removed a feature that had the vulnerability as opposed to sending out an update, which would likely be a quicker process. According to a blog post on SRL's website, the firm conducted a large study of Android phones and found "that most Android vendors regularly forget to include some patches", which it says exposes the Android ecosystem to many risks. In order to help users tackle the problem, SRL Labs will be releasing an update to its SnoopSnitch Android app that allows users to check their phone's code for the actual state of its security updates.

Manufacturers tell users that phones are patched up to a certain month, the researchers said, but some months have been skipped, leaving security holes that can be exploited by hackers or Android malware.