www.osnews.com
How Android phones hide missed security updates
By Thom Holwerda, submitted by emmzee on 2018-04-12 22:42:51

Google has long struggled with how best to get dozens of Android smartphone manufacturers - and hundreds of carriers - to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period - leaving phones vulnerable to a broad collection of known hacking techniques.

Android is a mess.

Should have controlled the software distribution
By Spiron on 2018-04-13 03:05:31
This is why Google should have controlled the software distribution alongside making it open source. Particularly in regards to the driver level, even if they didn't quite go as far as trying to get everyone to follow the Linux kernel's guidelines.
Permalink - Score: 3
.
Android is a mess.
By Alfman on 2018-04-13 03:15:49
The problem is twofold:
1 - many manufacturers not providing after-sale support
2 - users being way too dependent upon the manufacturer for updates and getting stuck with old & unsupported firmware.

I wish there were better platform standards where neglected users could simply install whatever they wanted from another source.
Permalink - Score: 4
.
Google response
By Milan Kerslager on 2018-04-13 03:18:43
Google responded and the article was updated. I recommend reading it yourself.

"They noted that modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities. And they argued that in some cases, patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patch it, or the phone didn't have that feature in the first place. The company says it's working with SRL Labs to further investigate its findings. "Security updates are one of many layers used to protect Android devices and users,"
Permalink - Score: 6
.
RE: Android is a mess.
By ilovebeer on 2018-04-13 05:36:13
> The problem is twofold:
1 - many manufacturers not providing after-sale support

The bottom line is there's more money to be made that way. If they could get away with selling phones as-is, they would do it in a heartbeat.

> 2 - users being way too dependent upon the manufacturer for updates and getting stuck with old & unsupported firmware.

It's not unreasonable to expect your device's manufacturer to provide at least security updates. I don't think it would be unreasonable to legally require manufacturers to provide security updates for at least a 3-5 year term, preferably the latter.

> I wish there were better platform standards where neglected users could simply install whatever they wanted from another source.
In addition to that, I wish there were laws that actually protected consumers. Considering how integrated phones have become in people's daily lives, there should be the expectation that companies take their customers' privacy and security seriously, and are legally obligated to do what they can to protect it for X years after purchase.
Permalink - Score: 5
.
RE: Google response
By Kroc on 2018-04-13 07:20:13
Is this the Intel school of security fixes? "We don't need to fix it because everybody is aware of it now."
Permalink - Score: 2
.
RE[2]: Android is a mess.
By Alfman on 2018-04-13 13:43:10
ilovebeer,

> The bottom line is there's more money to be made that way. If they could get away with selling phones as-is, they would do it in a heartbeat.


Time after time we see how consumers are hurt by companies that say these things are important, but then fail to change. It's like Zuckerberg apologizing but not actually doing anything about it. You are right about money being a large factor: between protecting user privacy and security or maximizing profits, profits almost always win out.


> In addition to that, I wish there were laws that actually protected consumers. Considering how integrated phones have become in peoples daily lives, there should be the expectation that companies take their customers privacy and security seriously, and are legally obligated to do what they can to protect it for X years after purchase.

Yeah, but you know what, for all the fuss they make over consumer injustices, congress has a terrible track record of actually getting things fixed. A solid block in congress constantly pushes for eliminating rules for corporations because corporations are the ones funding the campaigns that get them elected. Under this quite corrupt system, it's very difficult for normal uncorrupted people to get elected (and to remain uncorrupted).

Edited 2018-04-13 13:44 UTC
Permalink - Score: 4
.
RE[3]: Android is a mess.
By darknexus on 2018-04-13 13:51:33
I agree with you on the last bit, save remove the word "congress" and replace it with the words "national governments" and you've got it. I can't think of one governmental body that actually cares about individuals' rights, in any nation.
Permalink - Score: 1
.
RE[3]: Android is a mess.
By ilovebeer on 2018-04-13 15:09:20
Even if congress wasn't under the thumb of corporate purses, they'd be crippled by how divided the country is, in that agreeing to help consumers means agreeing to bipartisanship, which seems borderline criminal these days. Unfortunately I don't see any way out of this corrupted and corrosive state. I don't see how anyone could be optimistic when you have 70%, 80%, 90% of the country wanting something and virtually 0% of it actually happening. If the Gettysburg Address were written today it would read, "government of the people, by the people, for the people.... lol j/k GTFO!"
Permalink - Score: 2
.
RE: Google response
By Carewolf on 2018-04-13 15:43:30
This makes sense. As part of my job I backport Chrome security patches to our Chromium-based product. I can skip up to half of the security patches because we simply don't have the feature, or, much more commonly, it is a fix for a bug introduced after our last branch point.

Edited 2018-04-13 15:45 UTC
Permalink - Score: 7
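A toy model of the audit the article describes, as an added example that is not SRL Labs' code or methodology: a device's claimed security patch level (the ro.build.version.security_patch string that Settings displays) is compared against a bulletin table and against the fixes actually verified in the firmware, and every entry that is claimed but not found is classified the way Carewolf describes above, as either not applicable (the vendor never shipped the feature, or the bug postdates the vendor's branch point, which is also the explanation Google gave) or genuinely missing. The bulletin entries, component names, CVE-style identifiers and dates below are constructed placeholders, not real vulnerabilities.

```python
# Added example: a model of a "patch gap" audit. Not SRL Labs' tooling;
# all bulletin entries, components and identifiers are constructed placeholders.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class BulletinEntry:
    cve: str                           # placeholder identifier, not a real CVE
    bulletin: date                     # bulletin month the fix belongs to
    component: str                     # component the fix touches
    introduced: Optional[date] = None  # when the bug entered upstream, if known


def parse_patch_level(value: str) -> date:
    """Parse ro.build.version.security_patch ("YYYY-MM-DD").

    This is the value Settings shows as the security patch level. The
    article's point is that it is a vendor claim, not a measurement.
    """
    parts = value.strip().split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed patch level: {value!r}")
    return date(int(parts[0]), int(parts[1]), int(parts[2]))


def months_behind(claimed: date, today: date) -> int:
    """Whole months between the claimed patch level and a reference date."""
    return max(0, (today.year - claimed.year) * 12 + today.month - claimed.month)


def classify(entry: BulletinEntry, claimed: date, verified: Set[str],
             shipped_components: Set[str], branch_point: date) -> str:
    """Bucket one bulletin entry relative to what the device claims and contains."""
    if entry.bulletin > claimed:
        return "not-claimed"      # device does not claim this bulletin month
    if entry.cve in verified:
        return "patched"          # fix was actually found in the firmware
    if entry.component not in shipped_components:
        return "not-applicable"   # vendor never shipped, or removed, the feature
    if entry.introduced is not None and entry.introduced > branch_point:
        return "not-applicable"   # bug postdates the vendor's branch point
    return "missing"              # claimed, applicable, but not present: the gap


def audit(patch_level: str, bulletin: Iterable[BulletinEntry], verified: Set[str],
          shipped_components: Set[str], branch_point: date) -> Dict[str, List[str]]:
    """Group every bulletin entry by its classification for this device."""
    claimed = parse_patch_level(patch_level)
    result: Dict[str, List[str]] = {
        "patched": [], "missing": [], "not-applicable": [], "not-claimed": []}
    for entry in bulletin:
        bucket = classify(entry, claimed, verified, shipped_components, branch_point)
        result[bucket].append(entry.cve)
    return result


# Constructed sample: a device claiming the 2018-03-05 level, branched from
# upstream on 2017-09-01, with no Bluetooth stack shipped at all.
SAMPLE_BULLETIN = [
    BulletinEntry("CVE-0000-0001", date(2018, 1, 5), "mediaserver"),
    BulletinEntry("CVE-0000-0002", date(2018, 2, 5), "mediaserver"),
    BulletinEntry("CVE-0000-0003", date(2018, 2, 5), "bluetooth"),
    BulletinEntry("CVE-0000-0004", date(2018, 3, 5), "wifi-driver",
                  introduced=date(2017, 11, 1)),   # entered upstream after branch
    BulletinEntry("CVE-0000-0005", date(2018, 3, 5), "kernel"),
    BulletinEntry("CVE-0000-0006", date(2018, 4, 5), "kernel"),
]
SAMPLE_VERIFIED = {"CVE-0000-0001", "CVE-0000-0005"}   # fixes found by inspection
SAMPLE_COMPONENTS = {"mediaserver", "wifi-driver", "kernel"}
SAMPLE_BRANCH = date(2017, 9, 1)


def sample_audit() -> Dict[str, List[str]]:
    return audit("2018-03-05", SAMPLE_BULLETIN, SAMPLE_VERIFIED,
                 SAMPLE_COMPONENTS, SAMPLE_BRANCH)


if __name__ == "__main__":
    report = sample_audit()
    for bucket, cves in report.items():
        print(f"{bucket:15s} {cves}")
    print("months behind on 2018-04-12:",
          months_behind(parse_patch_level("2018-03-05"), date(2018, 4, 12)))
```

Only the "missing" bucket is the patch gap the article is about; the "not-applicable" bucket is the case Google's response points to, and a real audit needs the verification step (the two years of reverse engineering) to populate the verified set, since the claimed level alone tells you nothing about it.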
.
RE[2]: Google response
By darknexus on 2018-04-13 16:44:40
Sounds more like they have their SEP field turned up to full power.
Permalink - Score: 1

© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.