Some Android phone makers have lied about having fully updated security patches


The good news is that Android's underlying security architecture does its best to mitigate the impact of malicious actors, and even if your OEM skipped one or two patches, so long as it's caught up with the bulk of them, you're probably in good shape. The change was first noticed by XDA Developers in the Android Open Source Project (AOSP) Gerrit repository and could be implemented with Android P. This is said to allow OEMs to roll out the latest OS security updates even if the chipset vendor has not rolled out the latest update.

Most non-Google Android phone makers (except for Sony) were once awful at keeping up with security patches. In a presentation at the Hack in the Box security conference, Karsten Nohl and Jakob Lell will detail the results of two years of reverse-engineering Android device code.

To sum up the findings, vendors such as Google, Sony, Samsung and Wiko missed, on average, between 0-1 patches. You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it.

Several manufacturers have been pretending to stay on par with the latest updates without pushing any actual update. Sony and Samsung were both flagged as having missed some security patches - in some cases in spite of reporting that they were up to date.


These smartphone makers have created a false sense of security among their users. "It's nearly impossible for the user to know which patches are actually installed", one of the researchers told the site. It further argued that modern Android phones come with security features that make them hard to hack even when they do have unpatched security vulnerabilities. Missing multiple patches can cause a series of vulnerabilities in a phone's software. If a phone made by either of those companies is your daily driver, you might want to trade up to something a little more secure. Memory layout randomization changes where a program is located in memory, and sandboxing limits its access to the rest of the device. Xiaomi, OnePlus and Nokia skipped as many as three patches.

In several cases, the chip makers were found to be the main culprits. While we hope to learn a bit more about exactly which phones are missing which fixes, there's also another concern beyond just knowing whether or not your phone is actually secure, and that involves the degree to which manufacturers have been misleading their users. The "patch gap" varies between device and manufacturer, but given Google's requirements as listed in the monthly security bulletins, it shouldn't exist at all.

According to SRL, missed security patches were discovered on a wide range of different handsets across manufacturers.