Android Smartphone Makers Caught Lying About Security Updates
We all know very well that security is a serious matter, so we recommend that you install updates for your smartphone as soon as they become available. However, today I will tell you something different which will definitely change your mind.
Security is a serious matter, so we recommend that you install updates for your smartphone as soon as they become available. But that does not necessarily mean that the problem focused there will be solved: extensive research conducted by the German Security Research Labs (SRL) indicates that many Android updates made available by various manufacturers have missing fixes.
Karsten Nohl and Jakob Lell are the SRL researchers who conducted the research. They have used reverse engineering and other techniques for two years to analyze the firmware of 1,200 smartphones from more than 10 brands including Samsung, Motorola, HTC, Xiaomi and ZTE. And not only that even the tech giant Google’s Pixel line has also been tested.
More details on the subject, including affected models, should be released at the Hack in the Box security conference. But researchers have told Wired that in many cases, manufacturers report in the update description that the device is receiving fixes released in a given period when, in fact, many of them do not exist.
Although less frequently, SRL also claims to have found devices that have not received updates. In such cases, the manufacturers would have simply postponed the delivery date of the package.
Based on a comparison of devices that received at least one update package in October 2017 or later, SRL claims that the problem is more frequent in Chinese branded devices, but units of renowned companies such as Samsung and Google itself no longer receive certain updates:-
Average of four or more missing patches: TCL and ZTE
Three or four: HTC, Huawei, LG and Motorola
One to three: Xiaomi, OnePlus, Nokia
From zero to one: Google, Sony, Samsung and Wiko
Researchers also say that mobile phones with Samsung chips have fewer missing patches. At the other extreme are driven with MediaTek processors:-
Samsung: an average of 0.5 missing patches
In general, cheaper devices are the most neglected. As an example, SRL claims that while the Galaxy J5 2016 correctly reports all the fixes installed, Galaxy J3 2016 reports that patches released in 2017 were all released, when 12 are missing, two of which are considered critical.
Contacted by Wired, the tech giant Google explained that many of the devices analyzed by SRL not have certification of Android, which means that these units are not subject to the safety standards established by the company.
The tech giant Google has also stated that newer smartphones have security features that make it harder for intrusions even when there are uncorrected loopholes and that in some cases patches are missing simply because the manufacturer has decided to remove the vulnerable feature instead of fixing it.
The company admits that SRL’s research is important and more analysis than those performed by default may be necessary. Hack in the Box should be waiting for the extent of the problem to be known.
For those who want to find out the status of their smartphone, SRL has made available the SnoopSnitch application, which analyzes the device firmware to find installed and missing fixes.
So, what do you think about this? Simply share all your views and thoughts in the comment section below.