Published: Fri, April 13, 2018
Technology | By Christopher Mann

Android Phone Makers Caught Fibbing About Security Patches


While there is an iPhone, there is no "Android" phone per se, meaning that Original Equipment Manufacturers (OEMs) such as Sony, LG, Samsung etc. ship their smartphones with a customised version of the Android operating system. These OEMs have simply been changing the date of the security patches on the device without actually installing the associated patches, and have been misleading their users.

According to a report by Wired, such incidents were not one-offs either.


The researchers Karsten Nohl and Jakob Lell have been working for the past two years to reverse engineer the code running on Android devices and check whether there was a "patch gap". The researchers looked at companies like Google, Samsung, Motorola, OnePlus, Xiaomi, and others, and found that some of them say their handsets have been updated with the latest security patches but neglect to mention that several updates were in fact missed. The "patch gap" varies between device and manufacturer, but given Google's requirements as listed in the monthly security bulletins, it shouldn't exist at all. Here, I'm talking about regular updates and security patches. While Android users have expressed a general displeasure over delayed patches, blatantly lying about updates is something new, and leaves the smartphones vulnerable to known hacking techniques.

Even when updates were available, they might not have been what they seemed. The Samsung J3 (2016) claimed to have every 2017 Android patch installed when in truth it had missed 12 updates, including a pair that were considered "critical" to keeping the handset safe and secure.


For all the good of Android's open-source approach, one of the clear and consistent downsides is that the onus to issue software updates falls on the manufacturer.

ZTE and TCL appear to be among the worst offenders, while Google, Samsung and Sony are the best at patching.


Android phone vendors claim that if you update your phone regularly, you have all the latest security patches. Does that necessarily mean that TCL and ZTE are at fault? Google says that some of the devices in the study may not have been Android certified devices, which means that Google's standards of security would not apply to them. Devices with cheaper chips from lower-end suppliers, which have a less well-maintained Android ecosystem, missed the most patches.

Right now we just have a bird's-eye view of this issue, but more details should be landing soon as SRL researchers present their findings at a conference this Friday. There's no word yet on how exactly Google plans to prevent this situation in the future, as there aren't any mandated checks in place from Google to ensure that devices are running the security patch level they claim to be running.
