Some Android OEMs Reportedly Skipping Security Patches

It would seem that your brand-spanking new Android phone is not as secure as you think it might be.

Google pushes out Android security updates at the beginning of each month, but only Google's own Pixel and late-model Nexus phones get them right away. Even worse, the manufacturers of these handsets are lying when they say that their firmware is fully updated. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl said. However, a new set of reports now indicates that some OEMs are claiming that their devices are updated with the latest security patches from Google without actually installing them.

Even more alarming than the number of missed patches, Security Research Labs states, is that some vendors weren't just forgoing the patch updates but went so far as to actively alter the date and version number of the patch, making it appear that the security update had been applied when it really wasn't.

Some manufacturers fared better than others.

What's The Story Of Android's Security Patches All About?

Missing an update or two may not result in a device being hacked, but a series of missing patches can cause serious problems for the security of the device.

Motorola was joined in the three-to-four-missed-patch purgatory by HTC, Huawei and LG.

In a statement provided to TechCrunch, Google pointed to the importance of various different means used to secure the Android ecosystem.

The researchers did find a correlation between skipped patches and chipsets, however. Cheaper phones, which also tend to use cheaper chips, were found to skip more patches than flagships.

Google told Wired, "some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security".

With Android P, "all traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user", Android security engineer Chad Brubaker wrote. The company tried to do some damage control by listing mechanisms such as Google Play Protect, which are being developed to provide an extra layer of security. You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it. The researchers agree with this assertion. "Defense in depth means install all the patches".

As Nohl puts it, "You should never make it any easier for the attacker by leaving open bugs that in your view don't constitute a risk by themselves, but may be one of the pieces of someone else's puzzle".
