Android phones are infamously slow to get updates — as of Google’s last update in February, only 1.1 percent of Android users have access to the latest version of the software — but apparently, the problems with Android’s software updates go deeper than that. Research firm Security Research Labs is claiming that numerous Android manufacturers are lying to users about missed security patches, according to a report fro Wired.
SRL researchers Karsten Nohl and Jakob Lell spent two years analyzing Android devices, checking to see if the phones actually had installed the security patches that the software said it had. The pair found that many devices had what they call a “patch gap,” where the phone’s software would claim it was up to date with security patches but was, in reality, missing up to a dozen of the patches.
The missed patches aren’t just an isolated incident, either. According to Wired, SRL tested firmware from 1,200 phones from companies like Google, Samsung, HTC, Motorola, ZTE, and TCL for every Android patch released last year. They found that even major flagships from Samsung and Sony occasionally missed a patch.
Obviously, this is bad. Whether it’s intentional or not, customers aren’t just being left vulnerable to hacks by not having the latest security updates. They’re also being lulled into a false sense of security by thinking that they are fully protected, which could lead to far more disastrous results down the line. To help with that, SRL is releasing a tool called SnoopSnitch on the Play Store that can analyze your phone’s firmware for installed or missing Android security patches to see if you’re really safe, but it really shouldn’t have had to come to this in the first place.
To be clear, not all phone manufacturers are equal when it comes to missing security patches. On average, phones from Google, Samsung, and Sony only tended to miss the occasional patch. But companies like ZTE and TCL performed far worse, with devices that claimed to have installed an average of four or more security patches than they actually did.
For Google’s part, the company commented to Wired, “We’ve launched investigations into each instance and each OEM to bring their certified devices into compliance,” and said it would be further investigating the issue. Google also tried to explain some of SRL’s findings with manufacturers skipping patches for features that they may have just removed entirely from the device or that some of the phones lacked Google’s official Android security certification in the first place. But it’s clear there’s still more work to be done.
After all, if Android device manufacturers can’t manage to update their phones, the least they could do is be honest about that fact.
Correction: Flagship phones from Samsung and Sony occasionally missed patches, not Samsung and Google as this article originally stated.
Update April 12th, 11:45am: Google has reached out to The Verge with a statement on the SRL report:
“We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”