Android phone makers allegedly lied about missed security patches

Some major phone makers appear to have missed important security updates from Google

Some of the largest Android smartphone makers are thought to be misleading users about important security updates, according to a report from Wired.

The claim comes from technology analyst firm Security Research Labs, which has reason to believe that Android manufacturers are telling lies about security patches.

Over the past few years, Android manufacturers have built up a reputation for being slow to issue important software updates. Statistics released by Google in February claim that just 1.1 per cent of Android devices are running the latest Android version.

Clearly, that is a problem in itself. However, SRL researchers Karsten Nohl and Jakob Lell believe that several manufacturers are informing users that their devices have been updated, when they are actually missing important patches pushed out by Google.

The technologists spent two years analysing a range of Android devices, checking whether the manufacturer had installed the promised updates. Overall, they identified a so-called "patch gap".


In total, Nohl and Lell analysed the firmware of 1,200 phones developed by companies such as Samsung, Google, HTC, Motorola and ZTE.

Based on these findings, the researchers claim that even the biggest Android manufacturers are making misleading promises about security updates.

Unfortunately, they did not explain whether or not these missed updates are intentional. But the worrying thing is that users may not actually be as protected as manufacturers make out.

It is worth noting, though, that some manufacturers are apparently better at releasing updates than others. The research shows that Samsung and Sony only missed a few patches over a two-year period.

However, handsets from lesser-known manufacturers like ZTE and TCL have a worse track record at pushing out security patches.


To coincide with the release of the report, SRL has launched an app called SnoopSnitch, which it says helps Android users find out if their handsets are neglecting security.

In a statement given to The Verge, Google thanked Karsten Nohl and Jakob Lell "for their continued efforts to reinforce the security of the Android ecosystem".

The firm said: "We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update.

"Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.

"These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging."
