Android Phone Makers Caught Fibbing About Security Patches

In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present the results of their two-year test, which revealed what they call the "patch gap", at the Hack in the Box security conference.

Some Android phone makers have been caught actively deceiving their customers about the security of their smartphones.

That is still a long time away from now and such an outcome will only make it more certain that Google does not care for post-release user experience. "And it's time to start verifying vendor claims about the security of our devices", SRL writes. The issue didn't extend to Google's devices, of course, so those with Pixel and Pixel XL, or Pixel 2 and Pixel 2 XL devices were safe, but the report claims that some OEMs, including Sony, Samsung, and Wiko had missed at least one security patch.

The patch gap issue is not an isolated case.

Android phone makers could also potentially "miss a patch or two by accident", according to SRL's Karsten Nohl.

For their research, SRL tested firmware from 1,200 phones from manufacturers including Samsung, HTC, Motorola, Huawei and even Google itself, checking for every Android patch released in 2017.

One measure of security for an Android user is whether the device receives the monthly security patches from Google. Typically, phones with MediaTek processors were missing 9.7 security patches, which looks to be a grave concern and needs to be looked into. Sony and Samsung were both flagged as having missed some security patches, in some cases in spite of reporting that they were up to date. According to a blog post on the firm's website, SRL conducted a large study of Android phones and found "that most Android vendors regularly forget to include some patches", which they say exposes the Android ecosystem to many risks.

"We found several vendors that didn't install a single patch but changed the patch date forward by several months", Nohl told WIRED. The vendor has to depend primarily on the chipmaker, and not the OS, to offer a security patch.

The company has moved towards encrypting all data that leave and enter Android devices with the industry-standard Transport Layer Security (TLS) protocol, and is further tightening the requirements in Android P, which is now in developer preview. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.

The decision to choose one smartphone brand over the other is also influenced by how soon the manufacturer is rolling out regular security and software updates.

The firm said: "We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update".
