Some Android OEMs are lying about installed security patches
Google has made it a priority recently to send out timely security patches for the Android platform, typically on a monthly basis in an effort to patch issues and security risks. But it looks like some manufacturers aren’t being entirely upfront with their customers.
As reported by Wired, a pair of researchers at Security Research Labs have put in two years’ worth of effort to discover just how well OEMs are sticking to security patches, and the results are not great. It looks like some manufacturers are actually lying to their customers about installed security patches because they are skipping some entirely.
Jakob Lell and Karsten Nohl tested firmware from over 1,200 devices and found that some suffer from a “patch gap”: the device reports that it is up to date, but it may in fact be missing up to a dozen different security patches. The devices tested were from companies including Google, Samsung, Sony, HTC, Motorola, TCL, and others. Even smartphones from the biggest manufacturers suffer from this issue, with Samsung and Sony occasionally missing a patch.
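The “patch gap” described above is the difference between the patch level a device reports (the `ro.build.version.security_patch` property shown in Settings as the security patch level) and the fixes actually present in its firmware. The following is an added example, not code from the article or from Security Research Labs: it parses a constructed `getprop`-style dump, reads the claimed patch level, and compares it against a constructed inventory of fixes. The `present` flags in that inventory stand in for the result of binary-level verification, which this example does not perform; the CVE identifiers are placeholders.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample of `adb shell getprop` output. The security_patch value
# is what the device *claims*; nothing here proves the fixes are present.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2018-02-05]
[ro.product.manufacturer]: [ExampleOEM]
"""

# Constructed inventory: (placeholder id, bulletin date, present on device).
# `present` is assumed to come from an out-of-band check of the binaries.
SAMPLE_FIXES: List[Tuple[str, date, bool]] = [
    ("CVE-PLACEHOLDER-01", date(2017, 12, 5), True),
    ("CVE-PLACEHOLDER-02", date(2018, 1, 5), False),
    ("CVE-PLACEHOLDER-03", date(2018, 2, 5), False),
    ("CVE-PLACEHOLDER-04", date(2018, 2, 5), True),
    # Newer than the claimed level: its absence is not a "gap".
    ("CVE-PLACEHOLDER-05", date(2018, 3, 5), False),
]


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn `[key]: [value]` lines into a dict; malformed lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def claimed_patch_level(props: Dict[str, str]) -> date:
    """Parse the YYYY-MM-DD patch level the device reports about itself."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        raise ValueError(f"unparseable security patch level: {raw!r}")


def patch_gap(claimed: date, fixes: List[Tuple[str, date, bool]]) -> List[str]:
    """Return ids of fixes the claimed level implies but which are absent.

    A fix counts toward the gap only if its bulletin date is on or before the
    claimed level: the device asserts those fixes are included.
    """
    return [
        fix_id
        for fix_id, bulletin, present in fixes
        if bulletin <= claimed and not present
    ]


def gap_report(getprop_text: str, fixes: List[Tuple[str, date, bool]]) -> Dict[str, object]:
    """Summarise claimed level, missing fixes, and whether the claim holds up."""
    props = parse_getprop(getprop_text)
    claimed = claimed_patch_level(props)
    missing = patch_gap(claimed, fixes)
    return {
        "manufacturer": props.get("ro.product.manufacturer", "unknown"),
        "claimed_level": claimed.isoformat(),
        "missing": missing,
        "claim_consistent": not missing,
    }


if __name__ == "__main__":
    report = gap_report(SAMPLE_GETPROP, SAMPLE_FIXES)
    print(f"{report['manufacturer']}: claims {report['claimed_level']}, "
          f"missing {len(report['missing'])} fix(es): {report['missing']}")
```

On a real device the `getprop` text would come from `adb shell getprop`, and the `present` column is the hard part: it has to be established by inspecting the firmware itself, which is the work the researchers describe.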
If there is a silver lining here, it is that some manufacturers are better than others. While companies like Google, Samsung, and Sony only missed a few security patches, ZTE and TCL claimed to have installed four or more security patches that they actually didn’t at all.
Google did say that some of the devices the SRL researchers tested might not have been Android-certified devices, which means they aren’t held to the security standards Google has put in place. The company also said that some manufacturers may simply remove a vulnerable feature rather than install the related security patch.
However, Google did admit the situation is an important one to look into:
“This is important research. We’ve launched investigations into each instance and each OEM to bring their certified devices into compliance when we’ve been able to reproduce their findings…[but] each instance really needs further investigation.”