Mardi, 16 Octobre 2018
Latest news
Main » Some Android OEMs lied about applying security updates

Some Android OEMs lied about applying security updates

14 Avril 2018

A team of German security researchers found that many Android smartphones may be missing critical security updates regardless of what vendors may tell buyers.

The phone makers in question aren't specifically revealed by the research company or Wired, which first reported the findings.

What's The Story Of Android's Security Patches All About?

Research from Security Research Labs shows there is a "patch gap" in terms of Android vendors' devices.

These smartphone makers have created a false sense of security among their users. Researchers Karsten Nohl and Jakob Lell said that there's often a hidden "patch gap" between what the phones manufacturers tell the users about their software patch and what patches have actually been installed. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best".

Due to these findings, SRL has updated its SnoopSnitch app, allowing Android phone users to get an accurate breakdown of which updates have and haven't been installed.

While Nohl says that it was possible that manufacturers accidentally missed a patch or two, this was certainly not the case in every instance of misreporting.

Yes and no. SRL pointed out that manufacturers are only part of the problem while the main blame can be attributed to chip makers. Samsung was singled out in Wired's report, but it wasn't clear from the report whether Samsung specifically employed the patch date manipulation method described above. SRL notes that MediaTek was the biggest offender for chip-level patch omissions - those ended up going up the chain to the OEMs and, thus, were missing from the overall software updates. It also reassured that even with patches missing, it would be hard for a bad actor to hack an Android device. The focus was to check Android vendors claim of rolling updates and especially the critical security updates that got released in 2017. The devices which use the processors from Taiwan's MediaTek miss out 9.7 patches from their phones. Even if you have a flawless device but it is not receiving timely OS updates, there are chances it will feel outdated and vulnerable to issues even before the standard two-year cycle.

Android robot on Google campus.

Some Android smartphone manufacturers have been caught lying about security updates, which means that your device might not be as safe as you think.

The differences vary from model to manufacturer but since the patches are indicated in the monthly Security bulletins published by Google, this should not happen under any circumstances. Meanwhile companies like Nokia, OnePlus and Xiaomi were missing 1-3 patches on average. For some features, the app needs to be run on rooted Android phones, but the security patch analysis will work on all phones using a Qualcomm chipset.

Remarkably, top manufacturers like HTC, Sony, Samsung and Motorola were occasionally missing the patches.

Some Android OEMs lied about applying security updates