Smartphone Android Manufacturers Skipping Security Patches and Not Informing Users

Your Android phone may not be on the level when it tells you it's up to date on software, with security researchers warning that even device-makers releasing relatively timely updates could in fact be missing security updates.

Some of the largest Android smartphone makers are thought to be misleading users about important security updates, according to a report from Wired. These security updates are distinct from Android OS updates, and are listed by "Security patch level" dates, which can generally be found in the "System About phone" dialog in the Settings menu on Android devices. In order to help users tackle the problem, SRL Labs will be releasing an update to its SnoopSnitch Android app that allows users to check their phone's code for the actual state of its security updates. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl said. Sony and Samsung devices were found to have skipped only 0-1 security updates. HTC, Huawei, LG, and Motorola had between three and four missed patches, with few HTC samples available.

Further complicating the matter is the inconsistency in which devices get what quality of treatment: the Galaxy J5 (2016) honestly told consumers about its hit-and-miss patch record, while the Galaxy J3 (2016) claimed to have every patch it received but actually lacked 12 of them, two of which were of "critical" importance. In the worst cases, Nohl says that phone manufacturers intentionally misrepresented when the device had last been patched.

Phones from TCL and ZTE were missing four or more of the advertised security patches.

Over recent years, it appeared that the security of Android smartphones was improving.

Antivirus Android apps remain one of the most popular types of applications on Android.

Two researchers at Security Research Labs in Germany analyzed more than 1,000 firmware upgrades on dozens of Android phones.

"Security updates are one of many layers used to protect Android devices and users", said Scott Roberts, security lead for Android products, in a statement to Wired.

But speaking today at the HackInTheBox security conference in Amsterdam, Holland, SRL researchers said that many OEMs are lying about these patches.

MediaTek, Qualcomm, and other chipset makers are testing and tweaking those patches before they hand them to Android phone makers. The company tried to do some damage control by listing its mechanisms like Google Play Protect which are being developed to ensure an extra security layer.

Nohl agrees that exploiting missing patches remains hard for hackers, who are more likely to use methods like rogue apps snuck onto the Google Play Store or less secure third-party sources. "These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging".
