Electronics

Some Android phone makers have lied about having fully update security patches

Some Android phone makers have lied about having fully update security patches

A German research firm, Security Research Labs have revealed that most of the smartphone makers fail to roll out security patches to their users and on many occasions they also skip it.

The patch gap issue is not an isolated case.

These smartphone makers have created a false sense of security among their users. One of the lowest performing brands were TCL and ZTE, all of whose phones had on average over four patches that they claimed to have installed, but had not. For any device that received at least one security patch update since October, SRL wanted to see which device makers were the best and which were the worst at accurately patching their devices against that month's security bulletin.

The vendors of the Android Phones claims that if you are updating your phones regularly then you are having all the latest security patches. All that said, Google has reportedly pointed out some details which are worth considering - some of the devices may not have been Android certified devices which means they wouldn't be offering the same standard of security updates as Google and other more trusted OEMs. It also highlighted Android's core security features, which have made hacking even unpatched phones more hard, and counters that some of the missing patches may have been down to companies leaving out the features they relate to.

Some national parks to see modest admission increase to fund infrastructure repairs
The change resulted in an onslaught of requests for senior passes ahead of the implementation of the new price structure. That was roughly 89,000 shy of the all-time record of just under 331 million visitors set the previous year.

A Google spokesperson sent us the following statement. Out of the 1,200 phones tested by SRL, which included devices from Google, Samsung, HTC, Motorola and TCL, the firm found that even flagship devices from Samsung and Sony missed a patch.

Motorola was joined in the three-to-four-missed-patch purgatory by HTC, Huawei and LG. That could be due to the fact that some cheaper phones using less expensive chips are more likely to miss updates. One theory points to the chipsets these handsets are running, as there seems to be a correlation between particular SoCs and the availability of security updates: Snapdragon-based phones and those running Samsung's Exynos chips may only have one recent fix missing, while those built with MediaTek chips average almost ten. The company tried to do some damage control by listing its mechanisms like Google Play Protect which are being developed to ensure an extra security layer. "These layers of security-combined with the tremendous diversity of the Android ecosystem-contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging". The researchers agree with this assertion.

The company has moved towards encrypting all data that leave and enter Android devices with the industry-standard Transport Layer Security (TLS) protocol, and is further tightening the requirements in Android P, which is now in developer preview.

As Nohl puts it, "You should never make it any easier for the attacker by leaving open bugs that in your view don't constitute a risk by themselves, but may be one of the pieces of someone else's puzzle".