Study Says Many Android Vendors Regularly 'Forget' Security Patches
By Shirley Siluk / Enterprise Security Today
If you believe your Android phone is receiving regular security updates from the manufacturer, you could be sadly mistaken, according to a new study from a Berlin-based IT security research firm.

Researchers with Security Research Labs studied Android devices from numerous companies and found what they call a hidden patch gap, with large numbers of manufacturers regularly failing to update device security. They said that failure exposes the Android ecosystem to risks despite recent patch improvements, leaving devices susceptible to remote exploits.

Google's Android is the world's leading mobile operating system, with more than 2 billion users around the world. It's also supported by a far more diverse system of manufacturers and developers than its rival, Apple's iOS, which contributes to much more uneven security practices.

Patch Claims Need 'Independent Verification'

Researchers Karsten Nohl and Jakob Lell presented their findings today at the HITB security conference in Amsterdam. They said they took a "novel analysis approach" to look for missing security updates on a wide range of Android devices, and discovered that most vendors "regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks."

Among the companies whose devices they tested, Google, Sony, Samsung, and Wiko came out on top, with zero or just one patch typically missing. TCL and ZTE, by contrast, landed on the bottom of their list, with more than four missed patches on their devices.

Nohl and Lell's findings contradict the claims by many Android device makers that they roll out regular updates to fix vulnerabilities identified by Google's monthly Android security bulletins. The researchers said users should seek independent verification that their devices are regularly patched, and developed an app called SnoopSnitch for that purpose. SnoopSnitch is available as a free download through the Google Play Store.

'Defense in Depth' Is Important

In response to Nohl and Lell's findings, Google yesterday told Wired that some of the phones the researchers tested might not have been Android certified devices, which are required to meet Google security standards. Android product security lead Scott Roberts also noted that monthly patches are just one of several security measures needed to protect devices.

"Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important," Roberts said.

Nohl and Lell acknowledged in their study that "defense in depth" is important, and that "a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack."

Android device makers began pledging to roll out monthly security updates in 2016 shortly after the Stagefright vulnerability, which could enable remote exploits by hackers, was found to have likely affected 95 percent of all Android devices.

"Now that monthly patches are an accepted baseline for many phones, it's time to ask for each monthly update to cover all relevant patches," according to Security Research Labs. "And it's time to start verifying vendor claims about the security of our devices."

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.