It also highlighted Android's core security features, which have made hacking even unpatched phones harder, and countered that some of the missing patches may have been down to companies leaving out the features they relate to. While it agrees that the area needs greater attention, it also points out that some of the devices in the study may not have been Android certified, meaning the security standards they are held to are different. It is up to third parties, including smartphone manufacturers and network carriers, to supply Google's Android updates to their devices. It is being further reported that companies who promote their sales on the promise of timely updates are lying to their users.
In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present at the Hack in the Box security conference, the results of their two-year test that revealed what they call the "patch gap".
It would be one thing if companies were outright telling us that an update contained X out of Y recent fixes (and better still if they briefly mentioned the reasons for skipping the others), but with the way things have been operating so far, users could easily have the impression that their phones are more patched than they actually are. "It's small for some devices and pretty significant for others", is what Nohl told Wired. HTC, Huawei, LG and Motorola all had between three and four skipped patches while Xiaomi, OnePlus and Nokia skipped, on average, between one and three security updates.
Most carriers and phone makers tweak Android to make their products unique.
"Sometimes these guys just change the date without installing any patches", Nohl was quoted as saying. Google's own phones seem to be safe, however, as the Pixel and Pixel 2 series did not misrepresent which security patches they had. SRL Labs is going to release an update to its Android app SnoopSnitch that will let users check their phone's code for the actual state of its security updates, but it is unlikely that users will manually check for patches. Devices with Samsung processors skipped only a few patches, while models using MediaTek chips missed nearly 10 patches on average.
The company has moved towards encrypting all data leaving and entering Android devices with the industry-standard Transport Layer Security (TLS) protocol, and is further tightening the requirements in Android P, which is now in developer preview. TCL and ZTE were the worst, with more than four missed patches found, though only a few ZTE samples were available. "These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging".
According to Nohl and Lell, most of the companies are either not rolling out the updates on time or are simply lying about whether the latest security update has been installed.