As if the situation regarding major Android updates were not already problematic enough because of the high fragmentation, it seems that the situation with security patches is not much better either. Some manufacturers have been caught lying about these important updates, demonstrating that Google has no control over the mobile ecosystem it has created.
It is nothing new that almost no Android smartphone manufacturer can keep up with the pace at which Google updates its OS. Obviously some are better than others, and even though the updates are not released at the same time, the important fixes for all smartphones are at least supposedly guaranteed through Google's monthly security patches (which still not all manufacturers ship).
Even the brands that seem most attentive and diligent have been found not to fulfil this duty properly, even lying about the security patch level of their devices. This is stated in a Wired report; more details will be presented at the Hack in the Box security conference.
Researchers Karsten Nohl and Jakob Lell of Security Research Labs have spent the past two years checking the security level of hundreds of smartphone models from dozens of brands to see whether the security patch level indicated on the devices had actually been implemented.
What’s the problem, exactly?
The results are worrying: it has emerged that many manufacturers raise the security patch level indicated on their smartphones without actually applying the corresponding patches to the system, leaving a gap between the actual level of protection and the declared one.
The differences vary from model to model and from manufacturer to manufacturer, but since the patches are listed in the monthly security bulletins published by Google, this should not happen under any circumstances.
According to the report, some manufacturers deliberately altered the representation of the patch level simply by changing its name, which owners of the smartphones in question should find rather unsettling. This is possible because the declared level is just the ro.build.version.security_patch string inside the build.prop system file, and editing that string changes what the device reports without changing what was actually fixed.
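Because the declared level is only a string, one plausibility check a defender or auditor can run on a firmware image is to parse build.prop and look for internal inconsistencies: a malformed value, a day that does not match Google's bulletin naming (bulletin patch levels use day 01 or 05), or a declared patch level that postdates the build timestamp in ro.build.date.utc, which a genuine build cannot have. The following is an added example written for this article, not code from Security Research Labs or Wired; the build.prop contents are constructed, and ro.build.date.utc is assumed to be present (it is a standard Android build property). Note that a build.prop that passes these checks is not evidence that the patches are in the binaries, which is why the researchers tested the devices themselves rather than trusting the string.

```python
import re
from datetime import date, datetime, timezone

# Constructed sample build.prop; the values are illustrative and belong to no real device.
SAMPLE_BUILD_PROP = """
# begin build properties
ro.build.version.release=8.1.0
ro.build.version.security_patch=2018-03-05
ro.build.date.utc=1515000000
ro.build.fingerprint=example/device/device:8.1.0/OPM1/1:user/release-keys
"""

# Google's bulletin patch levels are dates of the form YYYY-MM-DD.
PATCH_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_build_prop(text):
    """Parse key=value lines of a build.prop, ignoring blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_patch_level(props):
    """Return a list of findings about the declared security patch level.

    An empty list means the declaration is internally consistent, which is
    necessary but not sufficient for the patches to really be present.
    """
    findings = []
    declared = props.get("ro.build.version.security_patch")
    if declared is None:
        findings.append("no ro.build.version.security_patch declared")
        return findings
    if not PATCH_RE.match(declared):
        findings.append(f"malformed patch level string: {declared!r}")
        return findings

    patch_date = date.fromisoformat(declared)

    # Bulletin levels end in -01 or -05; anything else was not taken from a bulletin.
    if patch_date.day not in (1, 5):
        findings.append(f"patch level {declared} does not match a bulletin level (day 01 or 05)")

    # A firmware cannot contain fixes from a bulletin newer than the firmware itself.
    build_utc = props.get("ro.build.date.utc")
    if build_utc and build_utc.isdigit():
        build_date = datetime.fromtimestamp(int(build_utc), tz=timezone.utc).date()
        if patch_date > build_date:
            findings.append(
                f"patch level {declared} is later than build date {build_date.isoformat()}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_patch_level(parse_build_prop(SAMPLE_BUILD_PROP)):
        print("FINDING:", finding)
```

On a real device the same properties can be read with `adb shell getprop ro.build.version.security_patch` and `adb shell getprop ro.build.date.utc` and fed to `check_patch_level` as a dictionary; the sample above is flagged because its declared level (March 2018) is later than its build date (January 2018).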
TCL is the licensee of the BlackBerry brand, which used to have a good reputation for security. / © Security Research Lab – Wired
Sometimes the researchers attribute the gap to human error: there is no other plausible reason for manufacturers like Sony or Samsung to miss only some of the patches and not others. SRL has also published tables covering security updates from October 2017 until now, showing which manufacturers have been diligent and which have not.
Looking at the data you can see that Google, Sony, Samsung and Wiko are the most careful while ZTE and TCL are among the worst.
Is it all the fault of the manufacturers?
Yes and no. SRL pointed out that manufacturers are only part of the problem, while much of the blame can be attributed to chip makers. For example, devices with Mediatek chips are much more affected by this situation than devices using Qualcomm or Samsung chips.
Mediatek always remains in the worst place, whatever the problem… / © Security Research Lab – Wired
Google is to blame, there is no excuse
The Mountain View company has stated that it will investigate all the devices the researchers identified as having an actual gap between the patches implemented and those declared by the manufacturer.
The most disconcerting fact is that Google exercises no control over whether the security patch level a manufacturer declares in an update matches what the update actually contains, which should not be the case. Google has long since lost control over its platform, whether it wants to admit it or not.
Pixel 2 phones are of course perfectly aligned with the patches
What I personally cannot understand is why companies waste resources on creating “fake” updates that only change the level of patches indicated. Would it not be more honest and useful to redirect these resources to the implementation of more timely system updates?
I prefer an honest and outdated system over finding out that I was deceived by a manufacturer who I believed was accurate and punctual with updates.
What do you think?
Of course some are worse offenders than others, but I’m really distressed by this behavior from companies and by the fact that OEMs feel entitled to deceive their users in this way.
What do you think of this embarrassing situation? What do you think Google can do to solve the problem?