Tuesday, 14 August, 2018

Latest patches on Android Phones may miss critical security patches

Krales  The Verge Krales The Verge
Sherri Watson | 13 April, 2018, 15:13

Researchers Karsten Nohl and Jakob Lell from Security Research Labs have spent the past two years reverse-engineering hundreds of Android devices in order to check if devices are really secure against the threats that they claim they are secure against.

When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also mentioned that modern Android phones usually have security features that make them hard to hack, even when they have unpatched security vulnerabilities.

Which smartphone maker skipped how many patches?

In a practical scenario, when you find that your device's firmware is fully updated, you get a false sense of security.

The researchers found there is often a hidden "patch gap" between what the manufacturers tell the users and what they actually do to the software - some simply tell people they have updated the phones without actually patching anything.

The patch gap issue is not an isolated case.

Ever since, it has been pushing the industry to adopt the regular updates as part of an effort to clean up Android's image and improve security.

The research spanned every Android security patch released in 2017, and utilised 1,200 different makes of device, including items from major manufacturers such as Samsung, Motorola and HTC, as well as Google's own devices. This refers to a scenario where the phone's software would claim it was up to date with security patches but actually missed number of patches. But results could even vary within a brand, as SRL found. "We found several vendors that didn't install a single patch but changed the patch date forward by several months".

Indeed, Google is the source of Android's security patches. After the release of an update, chipset makers adjust the updates as per their requirements and then pushes it to smartphone manufacturers.

TCL and ZTE were the worst offenders, missing more than four, while HTC, Huawei, LG, and Motorola were missing between three and four.

Missing an update or two may not end up in a device hack, but with a series of patches missing can cause some serious problems with the security of the device. Typically, the phones with MediaTek processor were missing on 9.7 security patches which look to be a grave concern and needs to be looked into.

Google told Wired, "some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security".

Nohl agrees that exploiting missing patches remains hard for hackers, who are more likely to use methods like rogue apps snuck onto the Google Play Store or less secure third party sources. The company tried to do some damage control by listing its mechanisms like Google Play Protect which are being developed to ensure an extra security layer.