Android has consistently struggled to get smartphone manufacturers and carriers to push out security-focused updates on a regular basis, but this new research reveals the extent to which major brands have fallen behind. According to the firm, almost a dozen patches were skipped by certain OEMs. Considering how many Android phones are out there and how many vendors weren't applying the patches as regularly as Google intended, a likely large number of users continued to use phones that weren't up to date and weren't protected against the then-current security risks that Google was pushing out these patches for. In a presentation at the Hack in the Box security conference, Karsten Nohl and Jakob Lell will detail the results of two years of reverse-engineering Android device code.
Nohl and Lell opted to investigate the devices that had allegedly received and installed the most recent upgrades. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best," Nohl is quoted as saying.
As reported by Wired, SRL tested phones from big-name companies, the likes of Samsung and HTC, as well as those from smaller companies. In the worst cases, Nohl says that phone manufacturers intentionally misrepresented when the device had last been patched. Security patches are little understood, and users have to blindly trust their phone vendors to install patches.
Yet, with a growing amount of malicious code coming from more sophisticated actors, those involved in the Android software development chain shouldn't risk missing patches, in case a string of unpatched holes adds up to a successful attack. "Consumers can take comfort in the thought that an Android phone with a few patch gaps is still more secure than the average Windows computer". For example, Samsung's 2016 J3 claimed to have every 2017 Android patch installed, but in fact 12 weren't actually installed.
In a statement provided to TechRadar, a Google spokesperson told us that there are cases in which some devices use "an alternate security update instead of the Google suggested security update".
Scott Roberts, Android's product security lead, also noted that security patches are only one level of protection built into Android devices.
Business Insider requested comment from all the Android phone makers in Wired's story, including Samsung, Sony, Wiko, Xiaomi, OnePlus, Nokia, HTC, Huawei, LG, Motorola, TCL, and ZTE. On some phones, the patch gaps numbered in the dozens.
Failing to update smartphones with the latest security updates is one thing, but SRL found that some vendors simply lie about installing any patches at all. The company tried to do some damage control by listing its mechanisms, like Google Play Protect, which are being developed to ensure an extra security layer. And Android's fragmentation is a problem that remains unsolved.