Research claims Android manufacturers dishonest about security

Eloise Marshall
April 13, 2018

On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings.

According to a report by Wired, such incidents were not one-offs either.

In a statement provided to TechCrunch, Google pointed to the importance of the various different means used to secure the Android ecosystem. The research concerns a scenario where the phone's software claims it is up to date with security patches but is in fact missing a number of them. That claim is incredibly simple to fake: even you or I could do it on a rooted device by modifying ro.build.version.security_patch in build.prop.
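The patch level a phone reports is just a string in build.prop, so any tooling that reads it is reading a claim, not evidence. The following is an added example (not code from the article or from Security Research Labs) that parses a build.prop dump, pulls out ro.build.version.security_patch, validates its format and works out how many monthly bulletins behind the claimed level is. The sample build.prop text and the bulletin date are constructed for illustration; the result is labelled self-reported because, as the research shows, the string can be set without the corresponding fixes being present.

```python
"""Read the self-reported Android patch level from a build.prop dump.

Added example, not code from the article or from Security Research Labs.
The property name ro.build.version.security_patch is the one the article
mentions; the sample build.prop text below is constructed for illustration.
"""
import re
from datetime import date

# Constructed sample: the sort of text `adb shell cat /system/build.prop`
# returns.  Values are made up and do not describe any real device.
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.version.release=8.1.0
ro.build.version.security_patch=2018-01-05
ro.build.fingerprint=vendor/device/device:8.1.0/OPM1/123:user/release-keys
# end build properties
"""

PATCH_LEVEL_KEY = "ro.build.version.security_patch"
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_build_prop(text: str) -> dict:
    """Parse key=value lines; '#' comments, blank and malformed lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=', not a property line
        props[key.strip()] = value.strip()
    return props


def reported_patch_level(props: dict) -> date:
    """Return the claimed patch level as a date; raise if it is missing or garbled."""
    value = props.get(PATCH_LEVEL_KEY)
    if value is None or not _DATE_RE.match(value):
        raise ValueError(f"{PATCH_LEVEL_KEY} missing or not YYYY-MM-DD: {value!r}")
    return date.fromisoformat(value)


def months_behind(claimed: date, latest_bulletin: date) -> int:
    """Whole months between the claimed level and the latest monthly bulletin."""
    return (latest_bulletin.year - claimed.year) * 12 + (
        latest_bulletin.month - claimed.month
    )


def assess(text: str, latest_bulletin_iso: str) -> dict:
    """Summarise what the device claims about itself.

    The answer is only as honest as the build.prop it came from: this is the
    string SRL found some vendors setting without shipping the matching fixes,
    so treat it as a claim to verify against the actual binaries, not as proof.
    """
    claimed = reported_patch_level(parse_build_prop(text))
    behind = months_behind(claimed, date.fromisoformat(latest_bulletin_iso))
    return {
        "claimed_patch_level": claimed.isoformat(),
        "months_behind": behind,
        "self_reported": True,  # never treat this field as verified
    }


if __name__ == "__main__":
    # Constructed bulletin date for the demonstration.
    print(assess(SAMPLE_BUILD_PROP, "2018-04-02"))
```

In practice the same parser can be fed the output of `adb shell cat /system/build.prop` from a test device; the `self_reported` flag is there to stop the number being mistaken for a verified patch state in any report that consumes it.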

To sum up the findings, vendors such as Google, Sony, Samsung and Wiko on average missed between 0 and 1 patches.

In some cases, the researchers attributed it to human error: Nohl believes that sometimes companies like Sony or Samsung accidentally missed a patch or two.

Xiaomi, Nokia, HTC, Motorola and LG all made the list as well, while TCL and ZTE fared the worst in the study: on average they were missing more than four of the patches they claimed to have installed on a given device.

The researchers told Greenberg that they examined 1,200 handsets for evidence of every Android security patch released in 2017. For any device that received at least one security patch update since October, SRL wanted to see which device makers were the best and which were the worst at accurately patching their devices against that month's security bulletin. We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Does that necessarily mean that TCL and ZTE are at fault? It is known that mid-level manufacturers already lag behind in the race to provide swifter updates and during the research, it was discovered that they missed out on more patches than the flagship brands. What is more concerning is that in some cases, manufacturers intentionally misrepresented when the device had last been patched.

The security vendor has a free app, SnoopSnitch, in Google's Play store that attempts to analyse how many patches are actually installed on an Android device.

As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap".
