Researchers from Security Research Labs examined around 1200 Android phones from Google, OnePlus, Samsung, HTC, LG etc., and found that some of these companies "modified" their security patch build numbers when updating their devices without actually updating them.
In response to Google's statement, SRL's Karsten Nohl said that while it is unlikely that OEMs have gone as far as circumventing a patch to cover up a vulnerability, he agrees that most attackers will find it hard to compromise an Android phone because of the OS's base security features, such as address randomization and app sandboxing.
Speaking at the Hack in the Box security conference in Amsterdam, Karsten Nohl and Jakob Lell from Security Research Labs gave details of their findings after two years of research. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl said.
One of the biggest issues with the Android operating system is fragmentation, as Google has struggled to get smartphone manufacturers and carriers to push out updates for Android smartphones. Samsung generally had a strong record on software updates, according to Nohl, but it dropped the ball with its Samsung J3 handset, which was found to be missing 12 patches. In the worst cases, Nohl says, phone manufacturers intentionally misrepresented when a device had last been patched.
Other OEMs such as TCL and ZTE had missed four or more patches. While Sony and Samsung phones were found to have missed only a few patches, ZTE and TCL misreported four or more updates. "Consumers can take comfort in the thought that an Android phone with a few patch gaps is still more secure than the average Windows computer".
And while it may be that some of the updates are missed by accident, the researchers feel that some smartphone vendors are deliberately misleading their customers over the patch status.
"Security updates are one of many layers used to protect Android devices and users", said Scott Roberts, security lead for Android products, in a statement to Wired.
Currently, Google is working with the researchers at SRL to dig deeper into the research findings.
Among smartphone chipset vendors, Taiwan's MediaTek topped the chart for missed patches. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important as patches.
Even the brands that seem most attentive and diligent were found to fall short, in some cases misstating the security patch level of their devices. And Android's fragmentation is a problem that remains unsolved.
For all the good of Android's open-source approach, one of the clear and consistent downsides is that the onus to issue software updates falls on the manufacturer.