ibusinesslines.com August 19, 2018

Android Phone Makers Caught Fibbing About Security Patches

13 April 2018, 03:16 | Jodi Jackson

At the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of Security Research Labs (SRL) plan to present the results of two years' worth of research, which involved reverse-engineering the code of hundreds of Android phones to check whether each device actually contains the security patches it claims to have.

Most non-Google Android phone makers (except for Sony) were once bad at keeping up with security patches. J5 customers who checked the status of their devices' security were aware of which patches were installed and which were not. Outside of the Google Pixel and Google Pixel 2, the tests revealed that even high-end flagship models made by the top manufacturers had skipped Android security patch updates, even when the phone credited itself with the update.

The patch gap is not an isolated case. The researchers found that many Android phone vendors fail to make patches available to their users, or delay their release for months. Sony and Samsung devices were found to have skipped only 0-1 security updates. Companies such as Google, Samsung, and Sony have a very good record of installing patches, while companies such as Lenovo's Motorola, TCL and ZTE have had problems rolling out updates. Devices that use processors from Taiwan's MediaTek were missing 9.7 patches. Among the lowest-performing brands were TCL and ZTE, all of whose phones had on average over four patches that they claimed to have installed but had not. On many occasions, OEMs were found to be hiding as many as a dozen missed patches.

Conversely, SRL also found that Samsung's mid-range J5 device contained all the advertised security patches. The vendor has to depend primarily on the chipmaker, not the OS, to offer a security patch. After the release of an update, chipset makers adjust it to their requirements and then push it to smartphone manufacturers.

The company has moved towards encrypting all data that leave and enter Android devices with the industry-standard Transport Layer Security (TLS) protocol, and is further tightening the requirements in Android P, which is now in developer preview.

One of the interesting revelations from the research is that even major vendors such as Xiaomi and Nokia (which promise swifter updates) had on average between one and three missing patches, whereas HTC, Motorola, and LG had missed between three and four patches.

Nohl agrees that exploiting Android vulnerabilities remains hard due to these security layers, and points out that an easier and more common route to compromising Android devices is through malicious apps, either inside Google Play or outside the store. The company tried to do some damage control by listing mechanisms such as Google Play Protect, which are being developed to provide an extra security layer.
