Google might call the next version of Android, 'Popsicle'

Saturday, 14 Apr, 2018

Android handset manufacturers may not be telling the whole truth about security updates, according to two well-known German researchers. Even so, according to SRL, patch updates were listed as being up to date when they weren't, which may leave some users wondering whether their device has actually been updated with the latest security fixes.

Google said that the findings from Security Research Labs may not provide the full story when it comes to ensuring Android devices are adequately protected against security risks: "Security updates are one of many layers used to protect Android devices and users". Among the vendors tested, Samsung, Google, and Sony were found to be the frontrunners in installing the patches.

As it turns out, the Android update problem runs much deeper than expected.

Android vendors like to claim their smartphones are routinely updated with the latest security patches.

Google tells WIRED that it is working with SRL and appreciates the data it has obtained. "Sometimes these guys just change the date without installing any patches. It's small for some devices and pretty significant for others", SRL founder Karsten Nohl said. In particular, the researchers focused on the most severe flaws and the most challenging bugs that appeared in 2017, and on whether the vendors were actually fixing them or not.

The SRL researchers are due to present their findings at the Hack in the Box security conference in Amsterdam on Friday.

According to Nohl and Lell, most of the companies are either not rolling out the updates on time or are simply lying about the latest security update having been installed.

This OnePlus phone seems to be in decent, if outdated, security shape.

In response to Google's statement, SRL's Karsten Nohl said that while it's unlikely that OEMs have gone as far as circumventing a patch to cover a vulnerability, he agrees that most hackers will find it hard to hack an Android phone because of the OS's base security features like the randomization of file addresses and app sandboxing.

Google is known for releasing timely security updates for its devices and services.

One possible explanation for vendors skipping patches is the chipsets they use in their devices.

Or so you'd think. Out of the 1,200 phones that were tested by the firm, including devices from Google (the primary source for updates to Pixel phones), Samsung, HTC, Motorola, and TCL, the issue impacted even the flagship models from the likes of Samsung and Sony. Several major phone companies whose devices are owned by millions of Americans did even worse, including HTC, Huawei, LG, and Lenovo-owned Motorola, whose devices had three to four missing patches.

KitGuru Says: Given the number of well-known attacks that can be leveraged against Android devices, keeping on top of security patches is important.