Research from Security Research Labs shows there is a ‘patch gap’ in terms of Android vendors’ devices.
Security patches for Android phones have been historically difficult for Google to deploy due to the plethora of smartphone manufacturers using the OS.
Its open source approach is positive in many ways, but it does mean that the onus to issue software updates falls on the multitudes of manufacturers building Android devices.
Various Android phone models tested
Researchers Jakob Kell and Karsten Nohl from Security Research Labs highlighted the problem with relying on manufacturers to issue patches promptly.
Wired reported that the team tested 1,200 Android handsets from all the major manufacturers over a two-year period, checking if the manufacturers had issued the patches as advertised.
The researchers found that patches were missing from a wide range of handsets across a variety of makers. Both Samsung and Sony had missed some patches, despite reporting that they were up to date. “It’s almost impossible for the user to know which patches are actually installed,” one of the researchers said.
TCL and ZTE were the worst performers, and Motorola, Nokia and Xiaomi also appeared on the list of manufacturers. For those curious about their own devices, Security Research Labs is releasing an update to its Android app, SnoopSnitch, which checks to ensure your device has been patched as many times as it should have been.
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl said. “That’s deliberate deception, and it’s not very common.” Researchers reckoned many of the patch omissions were accidental.
Google says it is a more complex story
Google said that the findings from Security Research Labs may not provide the full story when it comes to ensuring Android devices are adequately protected against security risks. “Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.”
The company added that it was working with the research authors to improve detection mechanisms when a device uses an alternate patch as opposed to a Google-endorsed update.
Google also argued that some missing patches could be to do with a specific phone not offering an affected feature, or a feature being removed entirely as opposed to patching it.
Nohl did say that hacking Android phones is far more difficult than simply exploiting missing security patches alone. Other security measures also mitigate risks, and most devices are actually hacked by rogue apps or zero-day vulnerabilities.
It should be noted, though, that important elements of a crucial security layer being missing is still a potential risk.