In a recent report by a German security firm, it was found that several Android phones were missing multiple security patches, leaving those devices vulnerable to a broad collection of known hacking techniques.
In the findings, due to be presented at the Hack in the Box security conference in Amsterdam on Friday, the researchers said that of the 1,200 smartphones tested, some manufacturers missed only one or two patches from the monthly security updates, while others missed many more.
Security patches for Android phones have been historically hard for Google to deploy, due to the plethora of smartphone manufacturers using the OS. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best".
Google's Pixel devices were the only ones that contained every security patch they advertised to their users.
Because hardware-level fixes are also accounted for in the Android security bulletins, OEMs sometimes delivered updates claiming a given "security patch level" while actually missing some of the patches for that level. Nohl believes companies like Sony or Samsung may have missed a few patches by accident; Chinese manufacturers TCL and ZTE were among the biggest offenders and on average had more than 4 patches missing in their phones.
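One check an administrator can run against the problem described here, as an added example that is not from the SRL report or from Google: read the patch level each device advertises via `getprop` and flag values that are stale or malformed. The getprop excerpts, device names and the reference date are constructed; the check can only judge what the OEM claims, not whether every patch in that bulletin is really present.

```python
"""Audit the self-reported Android security patch level across a fleet.
ro.build.version.security_patch is set by the OEM and only states a claimed
level; it cannot prove every patch in that bulletin was applied."""
from datetime import date, datetime

# Constructed `adb shell getprop` excerpts for three hypothetical devices.
SAMPLE_GETPROP = {
    "device-a": "[ro.product.manufacturer]: [Google]\n"
                "[ro.build.version.security_patch]: [2018-04-05]",
    "device-b": "[ro.product.manufacturer]: [ExampleOEM]\n"
                "[ro.build.version.security_patch]: [2017-09-01]",
    "device-c": "[ro.product.manufacturer]: [OtherOEM]\n"
                "[ro.build.version.security_patch]: [not-a-date]",
}
AS_OF = date(2018, 4, 13)  # constructed reference date for the audit

def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop output into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def patch_level_age_days(level, as_of):
    """Days between the claimed patch level and `as_of`; None if unparseable."""
    try:
        claimed = datetime.strptime(level, "%Y-%m-%d").date()
    except ValueError:
        return None
    return (as_of - claimed).days

def audit(getprop_by_device, as_of, max_age_days=90):
    """Map each device to 'invalid', 'stale' or 'claimed' (current but unverified)."""
    report = {}
    for name, text in getprop_by_device.items():
        props = parse_getprop(text)
        level = props.get("ro.build.version.security_patch", "")
        age = patch_level_age_days(level, as_of)
        if age is None:
            report[name] = "invalid"
        elif age > max_age_days:
            report[name] = "stale"
        else:
            report[name] = "claimed"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_GETPROP, AS_OF))
```

Devices reported as "claimed" still need a tool that probes for the individual fixes before the level can be trusted.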
"Patching is critically important to uphold the effectiveness of the different security layers already found in Android", the researchers wrote.
"Security updates are one of many layers used to protect Android devices and users", said Scott Roberts, security lead for Android products, in a statement to Wired.
Researchers working at Security Research Labs (SRL), a security firm based in Germany, have found that Android phone manufacturers have been misleading their customers about security patches. Even so, Android has other stop-gap measures to keep users safe, including application sandboxing (which isolates each application from other applications and from the rest of the system) and the relatively new Google Play Protect feature that debuted in 2017. Google, Samsung and Sony have a very good record of installing the patches, whereas Lenovo's Motorola, TCL and ZTE have had problems rolling out the updates.
In some cases, it was found that the Android phone manufacturers had intentionally misrepresented the dates when the device had last been patched. Android's fragmentation remains an unsolved problem: each time Google releases a software update, chipset vendors like Qualcomm and MediaTek test it, make adjustments, and then hand the software off to Android smartphone makers for integration.