Google has often struggled with maintaining the security of its Android platform. This is mostly because the platform is customized extensively by OEMs and carriers. While these OEMs send out regular security patches, a new study has found those rollouts are fake.
Security firm SRL studied 1200 smartphones from 12 OEMs and found many are telling users they are fully secure (up to March 2018), when in fact that's not true. Indeed, the research shows Android manufacturers are faking updates.
“We find that there's a gap between patching claims and the actual patches installed on a device. It's small for some devices and pretty significant for others,” Karsten Nohl and Jakob Lell of the firm Security Research Labs said this week.
“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
SRL tested devices from some of Android's leading OEM's, such as HTC, Samsung, and Google. The only devices without issues with accurate patch reporting were Google's own Pixel devices. That makes sense as those smartphones comes with stock Android and receive Google's own security fixes.
As for the other leading manufacturers, devices are not up to date, whether in the low-end of flagship class.
“We found several vendors that didn't install a single patch but changed the patch date forward by several months,” Nohl said. “That's deliberate deception, and it's not very common.”
In other words, OEMs are fooling customers into believing their handset is secure. They are doing this by moving forward the update dates without actually issuing a patch. Google has often said Android at its core is secure, but it can't control what happens to the open platform when it moves to OEMs.
In a statement to Wired, the company says there are other protections aside from updates, but failed to actually address the problem.
“Security updates are one of many layers used to protect Android devices and users, Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging.”