Android Phone Makers Caught Lying About Monthly Security Updates

A recent study and research on Android devices sold by well-reputed companies including Samsung, Huawei, and Xiaomi reveal that these companies lied to their customers about how secure their smartphones really are.

Smartphone companies often send security patches to improve your device’s security. Newer patches ensure more security and the companies are supposed to keep improving their firmware as new bugs and threats arise which can cause data leaks and hacks.

Facebook’s recent scandal shows how public data these days is highly vulnerable and controllable by high-end organizations – in the Android security patch case, companies have been claiming that their phones meet the latest security level while in reality, the devices ran an older version, missing necessary security fixes.

A Two-year Research

Researchers Karsten Nohl and Jakob Lell have been reverse engineering Android smartphones for the past two-years to check if the security patches have actually been included in firmware updates.

They discovered a “patch gap” in numerous smartphones in which companies simply changed the security patch date to the latest without actually updating the firmware.


ALSO READ

Apple Hires Google’s Head of Artificial Intelligence


If you navigate to your Android device’s settings, you can check its security level by finding your software information within “About Phone”.

But here’s the catch, this date can be changed easily without an update. Its done by editing the “build.prop” file which stores your device’s information such as model number, IMEI, and so on.

Samsung, Huawei, LG, and Xiaomi Included

Shockingly, almost every major smartphone brand has been concealing actual security levels. The researchers tested over 1,200 smartphones from several companies and it was found that Google’s Pixel and Pixel 2 were the only phones that had the latest security files.

Other than that, Samsung and Sony’s patch gap was smaller as compared to HTC, Huawei, and LG. Meanwhile, ZTE had the largest patch gap and has been missing out more updates as compared to other companies.

Missed Patches
Source: SECURITY RESEARCH LABS/WIRED

The chart categorizes vendors based on patch versions of devices launched after October 2017 and shows how these vendors represented actual patch versions in their claimed versions. Samsung phones, on average, had at least 1 missing security update, Xiaomi and Nokia had 1-3 missing updates, and so on.

Chip Manufactures To Blame

Chipset manufacturers are responsible for providing phone makers with necessary files and security patches. Mostly seen in the mid to low segment phones, MediaTek has a massive 9.7 patch gap on average while Samsung has proven to be more consistent in this regard.

Security bugs originate from a phone’s internal chip and it’s up to the chip maker to patch it up. MediaTek processors are cheaper and usually found in budget devices by companies such as Infinix and QMobile. Nohl says,

The lesson is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem.

Missed Patches
Source: SECURITY RESEARCH LABS/WIRED

Google’s Response

Google, in response, appreciated the researchers and said that a “patch gap” monitoring feature will be put into place soon, however, it’s unclear how the company will deal with it.

The company also argued that some devices used in the research may have been non-certified Android devices and they don’t comply with Google’s security policy.


ALSO READ

Cambridge Analytica May Have Accessed Facebook Messages as Well


Additionally, Google assured that devices running the latest Android version are difficult to break into even without any security patches. For now, Google is working with the researchers to devise a better way to deal with this situation.

If you want to check if your smartphone company lied to you about your phone’s security, you can check it using SRL lab’s Android app.

You can download it from the PlayStore.

Check out SRL lab’s complete research here.

Does your device have a “patch gap”? Is it truly running the latest security update? Let us know in the comments below.