As if the Android security update situation couldn’t get any worse, it appears that some Android device makers have been caught lying about how secure their phones really are. In other words, some device makers have been claiming that their phones meet a certain security patch level when in reality their software is missing required security patches.
This is according to Wired, which reported on research set to be published tomorrow at the Hack in the Box security conference. Researchers Karsten Nohl and Jakob Lell from Security Research Labs have spent the past two years reverse-engineering hundreds of Android devices in order to check if devices are really secure against the threats that they claim they are secure against. The results are startling—the researchers found a significant “patch gap” between what many phones report as the security patch level and what vulnerabilities these phones are actually protected against. The “patch gap” varies between device and manufacturer, but given Google’s requirements as listed in the monthly security bulletins—it shouldn’t exist at all.
According to the researchers, some Android device makers even went as far as intentionally misrepresenting the security patch level of the device by simply changing the date shown in Settings without actually installing any patches. This is incredibly simple to fake—even you or I could do it on a rooted device by modifying ro.build.version.security_patch in build.prop.
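Because the patch level is nothing more than a string in build.prop, the defensive move is to treat it as a claim and look for contradictions before trusting it. The following is an added example (not SRL's app or anything from Google): it parses a build.prop dump, checks the claimed patch level against the build's own timestamp (ro.build.date.utc, a real Android property) and measures how far the claim lags the latest bulletin; the sample build.prop and its values are constructed for this example.

```python
from datetime import datetime, timezone, date
from typing import Dict, List, Optional

# Constructed sample build.prop; property names are real, values are made up.
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.date.utc=1515000000
ro.build.version.security_patch=2018-03-05
ro.product.manufacturer=ExampleOEM
"""

def parse_build_prop(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def claimed_patch_level(props: Dict[str, str]) -> Optional[date]:
    """Return the claimed level as a date, or None if absent or malformed."""
    try:
        return datetime.strptime(props.get("ro.build.version.security_patch", ""), "%Y-%m-%d").date()
    except ValueError:
        return None

def months_between(older: date, newer: date) -> int:
    return (newer.year - older.year) * 12 + (newer.month - older.month)

def check_patch_claim(props: Dict[str, str], latest_bulletin_iso: str) -> List[str]:
    """Return findings that contradict or undercut the claimed level (empty = consistent)."""
    claimed = claimed_patch_level(props)
    if claimed is None:
        return ["ro.build.version.security_patch missing or malformed"]
    findings = []
    # A build cannot genuinely carry fixes from a bulletin published after it was
    # compiled, so a level later than ro.build.date.utc means the string was edited.
    build_utc = props.get("ro.build.date.utc", "")
    if build_utc.isdigit():
        built = datetime.fromtimestamp(int(build_utc), tz=timezone.utc).date()
        if claimed > built:
            findings.append(f"claimed level {claimed} is newer than build date {built}")
    gap = months_between(claimed, date.fromisoformat(latest_bulletin_iso))
    if gap > 0:
        findings.append(f"claimed level is {gap} bulletin(s) behind {latest_bulletin_iso}")
    return findings
```

This only catches claims that are internally inconsistent or stale; a date that fits the build timestamp still has to be verified against the actual binaries, which is what SRL's firmware analysis does.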
Of the 1,200 phones from over a dozen device makers that were tested by the researchers, the team found that even devices from top-tier device makers had “patch gaps,” although smaller device makers tended to have even worse track records in this area. Google’s phones seem to be safe, however, as the Pixel and Pixel 2 series did not misrepresent what security patches they had.
In some cases, the researchers attributed it to human error: Nohl believes that sometimes companies like Sony or Samsung accidentally missed a patch or two. In other cases, there was no reasonable explanation for why some phones claimed to patch certain vulnerabilities when in fact they were missing multiple critical patches.
The team at SRL Labs put together a chart that categorizes major device makers according to how many patches they missed from October 2017 onwards. For any device that received at least one security patch update since October, SRL wanted to see which device makers were the best and which were the worst at accurately patching their devices against that month’s security bulletin.
Clearly, Google, Sony, Samsung, and the lesser-known Wiko are at the top of the list, while TCL and ZTE are at the bottom. This means that the latter two companies have missed at least 4 patches during a security update for one of their devices after October 2017. Does that necessarily mean that TCL and ZTE are at fault? Yes and no. While it’s disgraceful for the companies to misrepresent a security patch level, SRL points out that often chip vendors are to blame: devices sold with MediaTek chips often lack many critical security patches because MediaTek fails to provide the necessary patches to device makers. On the other hand, Samsung, Qualcomm, and HiSilicon were far less likely to miss providing security patches for devices running on their chipsets.
As for Google’s response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted “patch gap.” There’s no word yet on how exactly Google plans to prevent this situation in the future, as there aren’t any mandated checks in place from Google to ensure that devices are running the security patch level they claim they are running. If you are interested in seeing what patches your device is missing, the team at SRL Labs has created an Android application that analyzes your phone’s firmware for installed and missing security patches. All of the requisite permissions for the app and the need to access them can be viewed here.
We recently reported that Google may be preparing to split the Android Framework and the Vendor Security Patch levels. In light of this recent news, this now seems more plausible especially since much of the blame goes to vendors that fail to provide chipset patches on time for their customers.