Android phone makers are misleading customers with missing security patches

Krales  The Verge

For those curious about their own devices, Security Research Labs is releasing an update to its Android app, Snoopsnitch, which checks to ensure your device has been patched as many times as it should have been. On average, these phones had 9.7 missing patches.

While top-tier vendors such as Google, Sony, and Samsung miss no or very few patches, budget Chinese smartphone makers TCL and ZTE failed to install more than four, despite claiming to have fully updated devices, the researchers reported.

Even the brands that seem most attentive and diligent have been found to not fulfill their duty properly, even lying about the level of security patches of the devices.

While criminals typically rely on social engineering to attempt to steal data from users, through malicious apps and the like, state-sponsored actors are more likely to exploit missed patches as part of their attacks using previously unknown methods, the researchers say.

The patch gap issue is not an isolated case.

The differences vary by model and manufacturer, but since the patches are listed in the monthly security bulletins published by Google, this should not happen under any circumstances. While Google agrees that the area needs greater attention, it also points out that some of the devices in the study may not have been Android certified, meaning the standards of security they're held to are different. HTC, Huawei, LG and Motorola missed between 3 and 4 patches, whereas TCL and ZTE missed more than 4 patches.

There is also the possibility that instead of patching through updates, phone makers simply remove or alter the feature that might have caused the security vulnerability. Entry-segment devices, on the other hand, hardly receive any regular security updates, let alone OS updates.

Every now and then, Android receives new updates or patches that are said to secure your smartphone.

Our binary-only analysis technique applies to Android and many other domains where patch levels need to be measured without access to source code.

Further complicating the matter is the pure inconsistency of which devices get what quality of treatment: the Galaxy J5 (2016) honestly told consumers about its hit-and-miss patch record while the Galaxy J3 (2016) claimed to have every patch it received, but actually lacked 12 of them - two of them were of "critical" importance. Security updates are one of many layers used to protect Android devices and users. Besides manufacturers, SRL said some chip makers are to blame.

When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also mentioned that modern Android phones usually have security features that make them hard to hack, even when they have unpatched security vulnerabilities.
