AOSP hints at new security update system for faster patches


They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period - leaving phones vulnerable to a broad collection of known hacking techniques.

Android handset manufacturers may not be telling the whole truth about security updates, according to two well-known German researchers. Most other major Android phone makers fall somewhere in between. One theory points to the chipsets these handsets are running, as there seems to be a correlation between particular SoCs and the availability of security updates: Snapdragon-based phones and those running Samsung's Exynos chips may only have one recent fix missing, while those built with MediaTek chips average almost ten. Presenting the results of SRL's findings at a security conference, researcher Karsten Nohl said, "We found several vendors that didn't install a single patch but changed the patch date forward by several months". You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it. What they discovered was something they refer to as a "patch gap".

SRL has updated its SnoopSnitch Android security app to detect whether a phone has missed security updates. Security updates are one of many layers used to protect Android devices and users.

This OnePlus phone seems to be in decent, if outdated, security shape.


According to a report from Beebom, Google powers over 60,000 devices, and even though it sends out monthly patches for the Android framework, getting OEMs to push regular updates to that many devices at the same time can be a tedious task. Other handset makers have to examine each update and, if necessary, tailor it to fit each of their own devices.

Nohl and researcher Jakob Lell found that even companies like Sony and Samsung missed a patch every now and then, but it wasn't consistent across models. It appears Motorola may not be living up to its promises. In a somewhat better grouping, each Xiaomi, OnePlus and Nokia phone tested had between one and three missed patches. Huawei, HTC, Motorola, and LG were found to be lacking as many as four, and ZTE and TCL were missing more than four updates in many cases.

Bringing up the rear were ZTE and TCL, whose phones had an average of more than four missed Android security patches. At least, you think your phone is patched against the most recent security exploits, but is it really?