Android smartphone companies are not delivering you the security patch they promised: Research

Manufacturers have been lying to you about releasing the latest security patch to your Android phone.

  • Published: April 13, 2018 10:33 AM IST
Android P - poll (1)

The decision to choose one smartphone brand over the other is also influenced by how soon the manufacturer is rolling out regular security and software updates. This is also the reason why one brand scores low on reliability over the other. Even if you have a perfect device but it is not receiving timely OS updates, there are chances it will feel outdated and vulnerable to issues even before the standard two-year cycle. Now, a study has discovered that manufacturers who claim swifter updates are actually lying to you, and missing out on delivering you the latest patches.

After a research that spanned two years on Android devices, German security firm Security Research Labs (SRL) found that many devices had what is called a “patch gap”, which means the phone’s software claims to be up-to-date with the latest security update, but it has actually missed out on a number of patches, Wired reports.

The patch gap issue is not an isolated case. Out of the 1,200 phones that were tested by the firm, including devices from Google (the primary source for updates to Pixel phones), Samsung, HTC, Motorola, and TCL, the issue impacted even the flagship models from the likes of Samsung and Sony. It is known that mid-level manufacturers already lag behind in the race to provide swifter updates and during the research, it was discovered that they missed out on more patches than the flagship brands.

Researcher Karsten Nohl said, “We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others.” What is more concerning is that in some cases, manufacturers intentionally misrepresented when the device had last been patched. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best,” Nohl is quoted as saying.

“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl further revealed. “That’s deliberate deception, and it’s not very common.”

One of the interesting revelations from the research is that even major vendors such as Xiaomi and Nokia (which promise swifter updates) had on an average between one and three missing patches, whereas HTC, Motorola, and LG had missed between three and four patches. One of the lowest performing brands were TCL and ZTE, all of whose phones had on average over four patches that they claimed to have installed, but had not.

When it comes to the consumer, it gets difficult to identify if their device has been actually receiving the security update or not. In order to help users tackle the problem, SRL Labs will be releasing an update to its SnoopSnitch Android app that allows users to check their phone’s code for the actual state of its security updates.

Watch: Google Pixel 2 XL First Look

Following the results of the research, Google said that it will investigate the findings. The company is working with OEMs to bring their certified devices into compliance. It further argued that modern Android phones come with security features that make them difficult to hack even when they do have unpatched security vulnerabilities. The company further stated that in some cases, patches might have been missing because the phone vendors responded by simply removing the vulnerable feature from the phone rather than patch it.

  • Published Date: April 13, 2018 10:33 AM IST