Updates and security patches on Android have always been a serious issue, and Android’s fragmentation remains an unsolved problem. Now it looks like smartphone manufacturers have been lying to users about which security patch update is installed on their phones, reporting a patch as installed even when they had skipped it.
Wired has published a detailed report on the issue, which was discovered by cyber-security researchers Karsten Nohl and Jakob Lell of the German security firm Security Research Labs. According to a blog post on the firm’s website, they conducted a large study of Android phones and found “that most Android vendors regularly forget to include some patches,” which they say exposes the Android ecosystem to many risks.
The Wired report points out that this ‘patch gap’ is a serious problem: in some cases vendors indicated to users that the phone had all of Android’s security patches when in reality it was missing more than a dozen. “We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” Nohl told Wired.
The research firm tested over 1,200 phones. The list includes Google’s Pixel series and phones from Samsung, HMD Global (which makes Nokia phones), Motorola, HTC and Xiaomi, which is a popular brand in India. It also tested phones from Chinese players like ZTE and TCL. The study showed that while the Pixel 2 and Pixel had all the latest patches, other vendors were missing security patch updates.
According to the research firm’s blog, players like Xiaomi, Nokia (for which HMD Global is the manufacturer) and OnePlus had 1-3 patches missing. HTC, Motorola, Huawei and LG missed between three and four of the patches. The firm’s blog does point out that a missing security patch by itself does not mean the device can be hacked, as most Android phones have other security features to protect them, like address space layout randomization (ASLR) and sandboxing. ASLR randomizes the memory layout of processes on Android, which makes memory bugs harder to exploit. In addition, a number of bugs would need to be exploited together to carry out a hack successfully, the research firm explains.
However, the blog post notes that with Android’s growing popularity, there is more and more incentive to hack the ecosystem, and security patches are a critical part of the defense. Google, in response to the research firm’s findings, made a similar point about how Android phones have other security features. A missed security patch by itself cannot be enough to hack the phone, said the company. The statement also said that a vendor might have simply removed the vulnerable feature, which could explain the missing security patch.