If you believe your Android phone is receiving regular security updates from the manufacturer, you could be sadly mistaken, according to a new study from a Berlin-based IT security research firm.
Researchers with Security Research Labs studied Android devices from numerous companies and found what they call a hidden patch gap, with large numbers of manufacturers regularly failing to update device security. They said that failure exposes the Android ecosystem to risks despite recent patch improvements, leaving devices susceptible to remote exploits.
Google's Android is the world's leading mobile operating system, with more than 2 billion users around the world. It's also supported by a far more diverse system of manufacturers and developers than its rival, Apple's iOS, which contributes to much more uneven security practices.
Patch Claims Need 'Independent Verification'
Researchers Karsten Noll and Jakob Lell presented their findings today at the HITB security conference in Amsterdam. They said they took a "novel analysis approach" to look for missing security updates on a wide range of Android devices, and discovered that most vendors "regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks."
Among the companies whose devices they tested, Google, Sony, Samsung, and Wiko came out on top, with zero or just one patch typically missing. TCL and ZTE, by contrast, landed on the bottom of their list, with more than four missed patches on their devices.
Noll and Lell's findings contradict the claims by many Android device makers that they roll out regular updates to fix vulnerabilities identified by Google's monthly Android security bulletins. The researchers said users should seek independent verification that their devices are regularly patched, and developed an app called SnoopSnitch for that purpose. SnoopSnitch is available as a free download through the Google Play Store.
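The coarsest form of the verification the researchers recommend is to read the security patch level each device declares and compare it with the date of the latest Android security bulletin. The script below is an added example written for this article; it is not code from Security Research Labs, SnoopSnitch, or the article itself. It assumes the standard `[key]: [value]` output format of `adb shell getprop` and the real system property `ro.build.version.security_patch`; the sample device output and the bulletin date are constructed for the example. Note the limit of this check: the declared level is the vendor's own claim, and the study's point is that vendors ship that date while silently omitting individual patches, so a "current" result here only rules out the gross lag, not the hidden patch gap.

```python
"""Added example: compare the patch level Android devices declare (via getprop)
against the latest Android security bulletin date to flag coarse patch lag.
Not from the article or from SRL/SnoopSnitch; sample data is constructed."""
from datetime import date
import re

# Sample `adb shell getprop` output per device, constructed for this example.
# Device C mimics an old build that never declared a security patch level.
SAMPLE_DEVICES = {
    "device-A": (
        "[ro.build.version.release]: [8.1.0]\n"
        "[ro.build.version.security_patch]: [2018-04-01]\n"
        "[ro.product.manufacturer]: [ExampleVendor]\n"
    ),
    "device-B": (
        "[ro.build.version.release]: [7.0]\n"
        "[ro.build.version.security_patch]: [2018-01-01]\n"
        "[ro.product.manufacturer]: [ExampleVendor]\n"
    ),
    "device-C": (
        "[ro.build.version.release]: [6.0.1]\n"
        "[ro.product.manufacturer]: [ExampleVendor]\n"
    ),
}

# Date of the bulletin you are comparing against; constructed placeholder value.
LATEST_BULLETIN = date(2018, 4, 5)

# getprop prints one `[key]: [value]` pair per line.
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(output: str) -> dict:
    """Parse getprop output into a dict; lines that do not match are skipped."""
    props = {}
    for line in output.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def declared_patch_level(props: dict):
    """Return the declared patch level as a date, or None if absent/malformed."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def months_behind(level: date, bulletin: date) -> int:
    """Whole months between the declared level and the bulletin date."""
    return (bulletin.year - level.year) * 12 + (bulletin.month - level.month)


def assess(output: str, bulletin: date = LATEST_BULLETIN, max_lag_months: int = 1) -> dict:
    """Classify one device: 'current' within max_lag_months, 'stale' beyond it,
    'unknown' when no usable patch level is declared."""
    level = declared_patch_level(parse_getprop(output))
    if level is None:
        return {"patch_level": None, "months_behind": None, "status": "unknown"}
    lag = months_behind(level, bulletin)
    status = "current" if lag <= max_lag_months else "stale"
    return {"patch_level": level.isoformat(), "months_behind": lag, "status": status}


def fleet_report(devices: dict, bulletin: date = LATEST_BULLETIN) -> dict:
    """Assess every device in a {name: getprop_output} mapping."""
    return {name: assess(out, bulletin) for name, out in devices.items()}


if __name__ == "__main__":
    for name, r in fleet_report(SAMPLE_DEVICES).items():
        print(f"{name}: declared {r['patch_level']} lag={r['months_behind']} -> {r['status']}")
```

In a real fleet check the `getprop` text would come from `adb shell getprop` on each enrolled device, and a device reported as "stale" or "unknown" is a candidate for a finer-grained patch audit, since the declared date alone says nothing about which individual fixes are actually present.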
'Defense in Depth' Is Important
In response to Noll and Lell's findings, Google yesterday told Wired that some of the phones researchers tested might not have been Android certified devices that are required to meet Google security standards. Android product security lead Scott Roberts also noted that monthly patches are just one of several security measures needed to protect devices.
"Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important," Roberts said.
Noll and Lell acknowledged in their study that "defense in depth" is important, and that "a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack."
Android device makers began pledging to roll out monthly security updates in 2016 shortly after the Stagefright vulnerability, which could enable remote exploits by hackers, was found to have likely affected 95 percent of all Android devices.
"Now that monthly patches are an accepted baseline for many phones, it's time to ask for each monthly update to cover all relevant patches," according to Security Research Labs. "And it's time to start verifying vendor claims about the security of our devices."