One measure of security for an Android user is receiving the monthly security patches from Google. But what happens when you discover that some Android phone manufacturers – and alas, seemingly even Google itself – skip these patches and simply adjust the patch date displayed in your phone's settings? That is deception, plain and simple – and it is what the results of a two-year research effort say. Your phone may say it is patched, but in reality it may not be.
At the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of Security Research Labs plan to present the results of two years' worth of research, which amounted to reverse-engineering the firmware of hundreds of Android phones to check whether each device actually contained the security patches it claimed to have. The results are not good. They found that many Android phone vendors fail to make patches available to their users, or delay their release for months. More disturbingly, they found that manufacturers also tell users that their phone's firmware is fully up to date even when patches have been skipped.
They call this the “patch gap”. The researchers found that certain phones would report themselves as patched up to a given date, but had in fact missed as many as a dozen patches from that period, leaving the device vulnerable. “We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” says Nohl. In the worst cases, Nohl says, phone manufacturers intentionally misrepresented when the device had last been patched. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
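The practical takeaway for anyone managing Android devices is that the displayed patch level is a self-reported string, not proof that patches are installed. The following is an added example, not code from the article or from Security Research Labs: it reads the value Android exposes as the `ro.build.version.security_patch` system property (as printed by `adb shell getprop`), compares each device's claimed level against a policy date, and flags devices whose claim is stale or unparseable. The device names and property lines are constructed sample data. As the research above shows, a claim that passes this check can still be false; confirming that patches are really present requires inspecting the firmware itself, which this script does not do.

```python
"""Audit the self-reported Android security patch level across a fleet of devices.

The patch level is only a claim made by the firmware; this script checks the
claim against policy and does not verify that the patches are actually installed.
"""
import re
from datetime import date

# Constructed sample output of `adb shell getprop ro.build.version.security_patch`
# for three hypothetical devices (not real devices, not data from the article).
SAMPLE_DEVICES = {
    "device-A": "[ro.build.version.security_patch]: [2018-03-05]",
    "device-B": "[ro.build.version.security_patch]: [2017-09-01]",
    "device-C": "[ro.build.version.security_patch]: [not-a-date]",
}

# getprop prints "[name]: [value]"; the patch level value is YYYY-MM-DD.
_PROP_RE = re.compile(
    r"^\[ro\.build\.version\.security_patch\]:\s*\[(\d{4})-(\d{2})-(\d{2})\]$"
)


def parse_patch_level(getprop_line):
    """Return the claimed patch level as a date, or None if the line is malformed."""
    match = _PROP_RE.match(getprop_line.strip())
    if not match:
        return None
    year, month, day = (int(part) for part in match.groups())
    try:
        return date(year, month, day)
    except ValueError:  # e.g. month 13 or day 32
        return None


def months_behind(patch_level, reference):
    """Whole months between the claimed patch level and the reference date.

    Google's bulletins are monthly, so a month count is the natural unit.
    """
    return (reference.year - patch_level.year) * 12 + (reference.month - patch_level.month)


def audit(devices, reference, max_months=2):
    """Classify each device's claim as 'ok', 'stale (N months)' or 'unparseable'.

    `devices` maps a device name to its getprop line; `reference` is the date the
    audit is run against; `max_months` is the tolerated lag behind that date.
    """
    report = {}
    for name, line in devices.items():
        level = parse_patch_level(line)
        if level is None:
            report[name] = "unparseable"
            continue
        lag = months_behind(level, reference)
        report[name] = "ok" if lag <= max_months else f"stale ({lag} months)"
    return report


if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_DEVICES, date(2018, 4, 1)).items():
        print(f"{device}: {verdict}")
```

Run against a real fleet, the `SAMPLE_DEVICES` dictionary would be filled from `adb shell getprop ro.build.version.security_patch` per device. Treat an "ok" verdict as the start of an investigation, not the end of one: the article's whole point is that this string can be set independently of the patches that were actually applied.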
They’ve reached out to Google about this, and the mothership has responded saying that the research may have used devices that were not Android-certified and therefore are not held to Google’s security standards. Google says that it appreciates the research and will be working with SRL Labs on the issue.