www. O S N E W S .com
News Features Interviews
BlogContact Editorials

How Android phones hide missed security updates
By Thom Holwerda, submitted by emmzee on 2018-04-12 22:42:51

Google has long struggled with how best to get dozens of Android smartphone manufacturers - and hundreds of carriers - to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period - leaving phones vulnerable to a broad collection of known hacking techniques.

Android is a mess.

20  Comments - Printer friendly - Related stories
Recent related stories
- Android Go review - 2018-04-21
- Chat is Google's next big fix for Android's messaging mess - 2018-04-20
- Liberating MediaTek bootloaders and modem firmware - 2018-04-16
- Android Studio 3.1 released - 2018-03-27
- Google blocks GApps from running on uncertified devices - 2018-03-26
- More related articles
 

Tell a friend
Your full name:
Your email address:
Your friend's email:
Anti-spam measure:
5+2=

News Features Interviews
BlogContact Editorials


WAP site - RSS feed
© OSNews LLC 1997-2007. All Rights Reserved.
The readers' comments are owned and a responsibility of whoever posted them.
Prefer the desktop version of OSNews?