Android phone makers are misleading customers with missing security patches

Krales  The Verge


For those curious about their own devices, Security Research Labs is releasing an update to its Android app, SnoopSnitch, which checks whether your device has been patched as many times as it should have been. On average, these phones had 9.7 missing patches.

While top-tier vendors such as Google, Sony, and Samsung miss no or very few patches, budget Chinese smartphone makers TCL and ZTE failed to install more than four, despite claiming to have fully updated devices, the researchers reported.

Even the brands that seem most attentive and diligent have been found not to fulfill their duty properly, even lying about the security patch level of their devices.

While criminals typically rely on social engineering to attempt to steal data from users, through malicious apps and the like, state-sponsored actors are more likely to exploit missed patches as part of their attacks using previously unknown methods, the researchers say.

The patch gap issue is not an isolated case.

The differences vary by model and manufacturer, but since the patches are listed in the monthly security bulletins published by Google, this should not happen under any circumstances. While Google agrees that the area needs greater attention, it also points out that some of the devices in the study may not have been Android certified, meaning the standards of security they're held to are different. HTC, Huawei, LG and Motorola missed between 3 and 4 patches, whereas TCL and ZTE missed more than 4 patches.

There is also the possibility that instead of patching through updates, phone makers simply remove or alter the feature that might have caused the security vulnerability. Entry-segment devices, on the other hand, hardly receive any regular security updates, let alone OS updates.

Every now and then, Android receives new updates or patches that are said to secure your smartphone.

Our binary-only analysis technique applies to Android and many other domains where patch levels need to be measured without access to source code.

Further complicating the matter is the pure inconsistency of which devices get what quality of treatment: the Galaxy J5 (2016) honestly told consumers about its hit-and-miss patch record while the Galaxy J3 (2016) claimed to have every patch it received, but actually lacked 12 of them - two of them were of "critical" importance. Security updates are one of many layers used to protect Android devices and users. Besides manufacturers, SRL said some chip makers are to blame.

When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also mentioned that modern Android phones usually have security features that make them hard to hack, even when they have unpatched security vulnerabilities.
