

Android manufacturers are lying to us about security updates

As if the situation regarding major Android updates were not already problematic enough because of the high fragmentation, it seems that the situation with regard to security patches is not much better either. Some manufacturers have been caught lying about these important updates, demonstrating that Google has no control over the mobile ecosystem it has created.

This is nothing new: almost no Android smartphone manufacturer can keep up with the fast pace at which Google updates its OS. Obviously some are better than others, and even though the updates are not released at the same time, important fixes for all smartphones are at least supposedly guaranteed through special monthly security patches (which still not all manufacturers deliver).

Even the brands that seem most attentive and diligent have been found not to fulfill their duty properly, going as far as lying about the security patch level of their devices. This is stated in a Wired report, and more details will be disclosed during the Hack in the Box security conference.

Researchers Karsten Nohl and Jakob Lell of Security Research Labs have spent the past two years checking the security level of hundreds of smartphone models from dozens of brands to see whether the security patches indicated on the devices had actually been implemented.

What's the problem, exactly?

The results are worrying: it has emerged that many manufacturers raised the security patch level indicated on their smartphones without actually applying the patches to the system, leaving a gap between the actual level of protection and the declared one.

The differences vary from model to model and from manufacturer to manufacturer, but since the patches are listed in the monthly security bulletins published by Google, this should not happen under any circumstances.

According to the report, some manufacturers deliberately altered the representation of the patch level simply by changing the name, which owners of the smartphones in question should find rather unsettling. This is possible by editing the ro.build.version.security_patch string in the build.prop system file.
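To make the "patch gap" concrete, here is an added example (not code from the article or from SRL) that reads the declared level out of a constructed build.prop fragment and compares it with a constructed table of which monthly bulletins were actually observed as applied; the device name, build id and observation table are all invented for illustration, and producing a real observation table (probing the installed binaries) is the hard part that lies outside this snippet.

```python
"""Added example: read the patch level an Android build declares and
compare it with a (constructed) table of which monthly bulletins were
actually found applied, to expose a "patch gap" between claim and reality."""
from datetime import date
import re

PATCH_KEY = "ro.build.version.security_patch"

# Constructed build.prop fragment for a hypothetical device (not a real dump).
SAMPLE_BUILD_PROP = """\
# begin build properties
ro.build.id=HYPOTHETICAL.001
ro.build.version.release=7.0
ro.build.version.security_patch=2018-03-05
"""

# Constructed observation table: bulletin month -> whether a probe found that
# month's fixes actually present. Building such a table is the real work
# (checking patched binaries) and is not done here.
OBSERVED = {
    "2017-12": True,
    "2018-01": False,
    "2018-02": False,
    "2018-03": True,
}

def parse_build_prop(text):
    """Parse key=value lines; '#' lines are comments, blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def declared_patch_level(props):
    """Declared level as a date, or None if the string is missing or malformed."""
    raw = props.get(PATCH_KEY, "")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None

def patch_gap(declared, observed):
    """Bulletin months at or before the declared level that were observed
    unpatched. A non-empty list means the declared string overstates the real
    protection, which is exactly what merely editing build.prop produces."""
    if declared is None:
        return []
    cutoff = declared.strftime("%Y-%m")
    return sorted(m for m, applied in observed.items() if m <= cutoff and not applied)
```

Running `patch_gap(declared_patch_level(parse_build_prop(SAMPLE_BUILD_PROP)), OBSERVED)` on the constructed data reports the January and February 2018 bulletins as missing despite a declared March 2018 level.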

[Image: Android security patches table] TCL is the licensee of the BlackBerry brand, which used to have a good reputation for security. / © Security Research Lab - Wired

Sometimes the researchers attribute the gap to human error: there would be no other reason for manufacturers like Sony or Samsung to miss only some of the patches and not others. SRL has also published tables that track security updates from October 2017 until now and show which manufacturers have been diligent and which have not.

Looking at the data you can see that Google, Sony, Samsung and Wiko are the most careful while ZTE and TCL are among the worst.

Is it all the fault of the manufacturers?

Yes and no. SRL pointed out that manufacturers are only part of the problem, while the main blame can be attributed to chip makers. For example, MediaTek devices are much more affected by this situation than devices using Qualcomm or Samsung chips.

[Image: Android security patches by chipset vendor] MediaTek always remains in the worst place, whatever the problem... / © Security Research Lab - Wired

Google is to blame, there is no excuse

The Mountain View company has stated that it will initiate an investigation into all the devices indicated by researchers as guilty of having an actual gap between the patches implemented and those indicated by the manufacturer.

The most disconcerting fact is that there is no control by Google regarding the actual implementation of the security patches indicated by the manufacturers in the updates they release, which should not happen. Google has long since lost control over its platform, whether it wants to admit it or not.

Pixel 2 phones are of course perfectly aligned with the patches

What I personally cannot understand is why companies waste resources on creating "fake" updates that only change the level of patches indicated. Would it not be more honest and useful to redirect these resources to the implementation of more timely system updates?

Of course some are worse offenders than others, but I'm really distressed by this behavior from companies and by the fact that OEMs feel entitled to deceive their users in this way.

What do you think of this embarrassing situation? What do you think Google can do to solve the problem?


  • Mike 2 months ago

    The fact of the matter is, if you use a smart phone, there is no security. To believe otherwise is foolish.


  • The question I would like to ask is: did Google know prior to this investigation or finding? And if they did, it makes them complicit. And why don't they check regularly to make sure that manufacturers update the devices correctly like they claim? Are they really that naive to think the manufacturers won't lie? Just wonder what's next and what will be revealed on how we are taken for a ride as clients after this. That's what happens when you are too busy with politics in your company and not focusing on work and doing what you should.