Researchers claim some Android vendors are hiding missed security patches from users


At the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of Security Research Labs (SRL) plan to present the results of two years of work: reverse-engineering the firmware of hundreds of Android phones to check whether each device actually contains the security patches its reported patch level says it has. Regular security patches and OS updates are a selling point that buyers look for, which makes the claimed patch level worth verifying. Outside of the Google Pixel and Pixel 2, the tests found that even high-end flagship models from the top manufacturers had skipped individual Android security patches while the phone's patch level still credited them as installed.

In an accompanying blog post they describe a hidden patch gap in the Android ecosystem and warn that most Android vendors regularly leave out some patches, exposing parts of the ecosystem to the vulnerabilities those patches fix. Google's own phones fared best and a few vendors fared worst; most other major Android phone makers fall somewhere in between.

Part of the gap appears to be accidental: the vendor patching process is complex enough that a patch can be dropped along the way without anyone noticing.

Phones built on MediaTek chipsets were far more likely to be missing patches that their reported patch level claimed to include.

SRL has updated its SnoopSnitch Android app so that users can check whether their own phone is missing patches its patch level claims to include. Google, responding to the research, argued that "these layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging".


Vendors failing to ship the latest security updates is one thing, but SRL found that some firmware also misrepresents which patches have been installed. Samsung and Sony were found to have missed about one patch on average, whereas TCL and ZTE missed an average of four or more. SRL says it tested the firmware of around 1,200 Android phones, checking whether each patch had actually been applied, and found devices whose patch level date had been moved forward without the corresponding patches being added to the binaries.
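The check SRL describes, comparing what a firmware image claims against what its binaries actually contain, can be sketched as follows. This is an added example, not SRL's or Google's code: it models each patch as a pair of byte markers (one found only in the fixed build of a library, one found only in the unfixed build), derives the set of patches owed from the claimed patch level, and reports which are applied, which are missing, and which cannot be decided because neither reference matches (the "alternate security update" case Google raises later). The patch names, dates, library names and marker bytes are constructed placeholders, not real bulletin entries or real code. On a real device the claimed level comes from `adb shell getprop ro.build.version.security_patch`.

```python
"""Toy patch-gap audit: claimed patch level vs. patches actually present.

Constructed example; markers stand in for the binary fingerprinting that a
real audit would do against patched and unpatched reference builds.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    name: str            # constructed label, not a real CVE or bulletin id
    level: date          # first monthly patch level that must include the fix
    library: str         # binary the fix lands in
    fixed_marker: bytes  # bytes present only in the fixed build (constructed)
    vuln_marker: bytes   # bytes present only in the unfixed build (constructed)


# Constructed catalogue: everything here is illustrative.
CATALOGUE = [
    Patch("P1", date(2018, 1, 1), "libstagefright.so", b"FIX-P1", b"BUG-P1"),
    Patch("P2", date(2018, 1, 1), "libmedia.so",       b"FIX-P2", b"BUG-P2"),
    Patch("P3", date(2018, 2, 1), "libstagefright.so", b"FIX-P3", b"BUG-P3"),
    Patch("P4", date(2018, 3, 1), "libbluetooth.so",   b"FIX-P4", b"BUG-P4"),
]


def parse_patch_level(value: str) -> date:
    """Parse a YYYY-MM-DD patch level (the format of
    ro.build.version.security_patch) and normalise it to the month,
    since the monthly bulletin is what the level refers to."""
    year, month, _day = (int(part) for part in value.split("-"))
    return date(year, month, 1)


def audit(claimed_level: str, firmware: dict[str, bytes]) -> dict[str, list[str]]:
    """Classify every patch the claimed level owes as applied, missing,
    or undetermined (library absent or neither reference build matched)."""
    level = parse_patch_level(claimed_level)
    result: dict[str, list[str]] = {"applied": [], "missing": [], "undetermined": []}
    for patch in CATALOGUE:
        if patch.level > level:
            continue  # not claimed by this level, so not owed
        blob = firmware.get(patch.library)
        if blob is not None and patch.fixed_marker in blob:
            result["applied"].append(patch.name)
        elif blob is not None and patch.vuln_marker in blob:
            result["missing"].append(patch.name)
        else:
            # Unknown build: could be a vendor's alternate fix, so do not
            # count it as a gap, but do not credit it either.
            result["undetermined"].append(patch.name)
    return result


def verdict(claimed_level: str, firmware: dict[str, bytes]) -> str:
    """One-word summary: any missing patch is a gap; anything undetermined
    (and nothing missing) is inconclusive; otherwise the claim checks out."""
    result = audit(claimed_level, firmware)
    if result["missing"]:
        return "patch gap"
    if result["undetermined"]:
        return "inconclusive"
    return "consistent"


# Constructed firmware images: library name -> stand-in bytes for the ELF.
HONEST = {
    "libstagefright.so": b"...FIX-P1...FIX-P3...",
    "libmedia.so": b"...FIX-P2...",
    "libbluetooth.so": b"...FIX-P4...",
}
# Claims March 2018 but only the January fixes are really in the binaries.
DATE_BUMPED = {
    "libstagefright.so": b"...FIX-P1...BUG-P3...",
    "libmedia.so": b"...FIX-P2...",
    "libbluetooth.so": b"...BUG-P4...",
}
# Vendor shipped its own build of one library: neither reference matches.
ALTERNATE = {
    "libstagefright.so": b"...FIX-P1...FIX-P3...",
    "libmedia.so": b"...FIX-P2...",
    "libbluetooth.so": b"...VENDOR-BUILD...",
}

if __name__ == "__main__":
    for label, image in (("honest", HONEST), ("date bumped", DATE_BUMPED), ("alternate", ALTERNATE)):
        print(f"{label:12s} claims 2018-03-05 -> {verdict('2018-03-05', image)}: {audit('2018-03-05', image)}")
```

The three-way outcome matters in practice: a device that reports an older, honest level (the date-bumped image claiming 2018-01-05) audits clean, because the audit only holds a vendor to what the level claims, and an unrecognised build is flagged for manual review rather than counted as a missed patch.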

Google, Sony, Samsung, and Wiko were missing at most one patch, while Xiaomi, OnePlus and Nokia were missing between one and three. Unlike Google, which ships patches directly to its own Pixel phones, other handset makers have to examine each update and, where necessary, adapt it to each of their devices, and every such step is a chance for a patch to be dropped.

Google said of SRL's work: "We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update".

In a statement provided to TechCrunch, Google pointed to the other measures, beyond monthly patches, that it relies on to secure the Android ecosystem.

Bringing up the rear were ZTE and TCL, whose phones were missing an average of more than four Android security patches. Google's statement also stressed that built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important as the monthly patches themselves.
