Numerous Android manufacturers have been lying to consumers about security patches they have failed to roll out, according to a new report from Security Research Labs (SRL). While the phone's software may claim to be fully up-to-date, the researchers found security patches missing in most devices.
Nohl and Lell plan to present their findings at the Hack in the Box security conference in Amsterdam tomorrow, and post their full paper online after their presentation.
Speaking to Wired, SRL researchers Karsten Nohl and Jakob Nell said they found several vendors that had not installed a single patch. An app called SnoopSnitch enables users to check if smartphone is running the security patches which it claims. These updates even include ones that were considered critical for device safety. As expected, Google phones faired best, along with devices from Sony, Samsung, and French phone company Wiko.
MediaTek, Qualcomm, and other chipset makers are testing and tweaking those patches before they hand them to Android phone makers.
However, this is still a pretty huge problem, as it makes it almost impossible to tell the level of security on a device.
While Nohl says that it was possible that manufacturers accidentally missed a patch or two, this was certainly not the case in every instance of misreporting.
The vendors instead allegedly moved the patch date forward by several months. Researchers with Germany's Security Research Labs (SRL) tested the firmware of 1,200 phones from manufacturers like Google, Samsung, Sony, Nokia, Huawei, Motorola, LG, HTC, ZTE and TCL for every patch released in 2017.
These missing patches may not be the end of the world for Android security, as both Google and the researchers brought out that "hacking" Android is far more complicated than just exploiting missing security patches. SRL notes that MediaTek was the biggest offender for chip-level patch omissions - those ended up going up the chain to the OEMs and, thus, were missing from the overall software updates. This could explain why one Samsung device, the J5 from 2016, didn't miss any patches but the budget J3 from the same year omitted 12 of them. They have examined about 1,200 firmware samples taken from various smartphones which are sourced to various vendors. "Since then, many device vendors have improved their patching frequency: Phones now receive monthly security updates".
"Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important", he said. And Android's fragmentation is a problem that remains unsolved.