Security researchers at Germany’s Security Research Labs have made a startling discovery. After reverse-engineering the operating system code on 1,200 Android devices, researchers Karsten Nohl and Jakob Lell found that some smartphone manufacturers aren’t being honest with regard to security patches.
The duo’s research involved checking the code to see if security patches referenced in the phones’ settings had actually been applied. In many cases, what they found was a “patch gap” – missing patches that vendors claimed had been installed.
SRL uncovered several offenders. As Wired highlights, handsets from major vendors including Xiaomi, OnePlus and Nokia had between one and three missing patches on average. Devices from HTC, Motorola and LG were missing between three and four patches they claimed they had, while phones from ZTE and TCL averaged more than four missing patches.
The firm also found a correlation between missed patches and the chipset used in a particular phone, perhaps simply because cheaper phones with cheaper processors are more likely to skip patches. Handsets with processors from Samsung, for example, had very few skipped patches, while those running chips from MediaTek were missing 9.7 patches on average.
When asked for comment, Google told Wired that it appreciated SRL’s research but noted that some of the phones analyzed may not have been Android-certified devices and thus not held to Google’s security standards. What’s more, Google pointed out that modern Android phones have security features in place that would make them difficult to hack, even if they do contain unpatched vulnerabilities. In other cases, Google argued, patches might be absent because a vendor could have removed a vulnerable feature from a device instead of fixing it.
Nevertheless, Google said it was working with SRL to further investigate the matter.
Nohl agreed with Google’s assessment that it’s still difficult to hack some unpatched devices and that they still benefit from Google’s many security measures. “Even if you miss certain patches, chances are they’re not aligned in a certain way that allows you to exploit them,” Nohl said.
Google issued the following statement to The Verge regarding the matter:
“We would like to thank Karsten Nohl and Jakob Lell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”