- Even flagship phones from Samsung and Sony occasionally missed patches
Google has long struggled with how best to get dozens of Android smartphone manufacturers—and hundreds of carriers—to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone’s firmware is fully up to date, even while they’ve secretly skipped patches.
On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones’ operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a “patch gap”: In many cases, certain vendors’ phones would tell users that they had all of Android’s security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.
“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” says Nohl, a well-known security researcher and SRL’s founder. In the worst cases, Nohl says, Android phone manufacturers intentionally misrepresented when the device had last been patched. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
The Patch Gap
SRL tested the firmware of 1,200 phones, from more than a dozen phone manufacturers, for every Android patch released in 2017. The devices were made by Google itself as well as major Android phone makers like Samsung, Motorola, and HTC, and lesser-known Chinese-owned companies like ZTE and TCL. Their testing found that other than Google’s own flagship phones like the Pixel and Pixel 2, even top-tier phone vendors sometimes claimed to have patches installed that they actually lacked. And the lower-tier collection of manufacturers had a far messier record.
The missed patches aren’t an isolated incident, either. According to Wired, SRL tested firmware from 1,200 phones from companies like Google, Samsung, HTC, Motorola, ZTE, and TCL for every Android patch released last year. They found that even major flagships from Samsung and Sony occasionally missed a patch.
Obviously, this is bad. Whether it’s intentional or not, customers aren’t just being left vulnerable to hacks by not having the latest security updates. They’re also being lulled into a false sense of security by thinking that they are fully protected, which could lead to far more disastrous results down the line. To help with that, SRL is releasing a tool called SnoopSnitch on the Play Store that can analyze your phone’s firmware for installed or missing Android security patches to see if you’re really safe, but it really shouldn’t have had to come to this in the first place.
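The check the researchers describe (and that a tool like SnoopSnitch automates) boils down to reconciling two things: the patch-level date a phone advertises in Settings, and the set of fixes actually found in its firmware. The following is an added illustration of that reconciliation, not code from SRL or from SnoopSnitch. The bulletin table, the patch ids and the "detected" set are constructed placeholders (not real Android patch or CVE identifiers); the only real name used is the `ro.build.version.security_patch` property, which is where Android devices store the claimed patch-level date.

```python
from datetime import date

# Constructed sample "bulletin": patch id -> date of the monthly bulletin that
# shipped it. The ids are placeholders, not real Android patch or CVE identifiers.
SAMPLE_BULLETIN = {
    "PATCH-2017-01-A": date(2017, 1, 5),
    "PATCH-2017-01-B": date(2017, 1, 5),
    "PATCH-2017-02-A": date(2017, 2, 5),
    "PATCH-2017-03-A": date(2017, 3, 5),
    "PATCH-2017-03-B": date(2017, 3, 5),
    "PATCH-2017-04-A": date(2017, 4, 5),
}


def parse_patch_level(value: str) -> date:
    """Parse the YYYY-MM-DD string a device reports as its security patch level
    (the value of the ro.build.version.security_patch system property)."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def patch_gap(claimed_level: str, detected: set, bulletin=SAMPLE_BULLETIN) -> dict:
    """Compare what a device claims with what was actually found in its firmware.

    claimed_level: the patch-level date shown in Settings.
    detected:      patch ids whose fix was actually found in the firmware
                   (by code-level inspection; constructed here).
    Returns the patches the claim implies, the ones that are missing, and a
    verdict of either 'consistent' or 'patch gap'.
    """
    level = parse_patch_level(claimed_level)
    # Every patch from a bulletin dated on or before the claimed level should be present.
    expected = {pid for pid, shipped in bulletin.items() if shipped <= level}
    missing = expected - detected
    return {
        "claimed_level": level.isoformat(),
        "expected": sorted(expected),
        "missing": sorted(missing),
        "verdict": "consistent" if not missing else "patch gap",
    }


if __name__ == "__main__":
    # Constructed case: a device that claims the April 2017 level but whose
    # firmware only contains the January and February fixes.
    found = {"PATCH-2017-01-A", "PATCH-2017-01-B", "PATCH-2017-02-A"}
    report = patch_gap("2017-04-05", found)
    print(report["verdict"], "missing:", report["missing"])
```

The design point is that the advertised date alone proves nothing: only the second input, an independent inventory of which fixes are actually present in the firmware, lets you decide whether the claim is honest, which is exactly the gap SRL measured.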
To be clear, not all phone manufacturers are equal when it comes to missing security patches. On average, phones from Google, Samsung, and Sony only tended to miss the occasional patch. But companies like ZTE and TCL performed far worse, with devices that claimed, on average, four or more security patches beyond what they had actually installed.
For Google’s part, the company commented to Wired, “We’ve launched investigations into each instance and each OEM to bring their certified devices into compliance,” and said it would be further investigating the issue. Google also offered explanations for some of SRL’s findings: manufacturers may have skipped patches for features they had removed entirely from the device, and some of the phones lacked Google’s official Android security certification in the first place. But it’s clear there’s still more work to be done.
After all, if Android device manufacturers can’t manage to update their phones, the least they could do is be honest about that fact.