Android phone makers are putting millions at risk by allegedly lying about missed security patches
Some of the largest Android smartphone makers are thought to be misleading users about important security updates, according to a report from Wired.
The claim comes from technology analyst firm Security Research Labs, which has reason to believe Android manufacturers are telling lies about security patches.
Over the past few years, Android manufacturers have built up a reputation for being slow to issue important software updates. Statistics released by Google in February claim that just 1.1 per cent of Android devices are running the latest Android version.
Clearly, that is a problem in itself. However, SRL researchers Karsten Nohl and Jakob Lell believe that several manufacturers are informing users that their devices have been updated, when they are actually missing important patches pushed out by Google.
The technologists spent two years analysing a range of Android devices, checking whether each manufacturer had installed the updates it promised. Overall, they identified a so-called “patch gap”.
In total, Nohl and Lell analysed the firmware of 1,200 phones developed by companies such as Samsung, Google, HTC, Motorola and ZTE.
Based on these findings, the researchers claim that even the biggest Android manufacturers are making misleading promises about security updates. Unfortunately, they did not explain whether or not these missed updates are intentional. But the worrying thing is that users may not actually be as protected as manufacturers make out.
It is worth noting, though, that some manufacturers are apparently better at releasing updates than others. The research shows that Samsung and Sony only missed a few patches over a two-year period.
However, handsets from lesser-known manufacturers like ZTE and TCL have a worse track record at pushing out security patches.
To coincide with the release of the report, SRL has launched an app called SnoopSnitch, which it says helps Android users find out if their handsets are neglecting security.
In a statement given to The Verge, Google thanked Karsten Nohl and Jakob Lell “for their continued efforts to reinforce the security of the Android ecosystem”.
The firm said: “We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update.
“Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.
“These layers of security — combined with the tremendous diversity of the Android ecosystem — contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”