Nevertheless, according to SRL, patch updates were listed as being up to date when they weren't, which might lead some users to wonder going forward whether their device has actually been updated with the latest security fixes.
Some Android OEMs have reportedly been skipping security patches, according to a security research firm called Security Research Labs, which mentioned the issue last week on Friday, April 6 at a conference in Amsterdam.
"Sometimes these guys just change the date without installing any patches", Karsten Nohl, Security Research Labs founder, told the publication. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl was quoted as saying.
"Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks", the SRL website preview says. You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it. SRL checked out the firmware on 1,200 Android handsets and looked for every patch disseminated in 2017. The team cited the Samsung J5 2016 as being honest about the lack of patches, while the J3 2016 lacked 12 patches (including two deemed "critical") despite claiming to receive every security update in 2017. And if a company making those chips isn't keeping up with patches, it becomes quite hard for the manufacturers of the phones running them to fully secure their devices. Other handset makers have to examine each update and, if necessary, tailor it to fit each of their own devices. Here, I'm talking about regular updates and security patches.
The researchers noted that the SoCs that the smartphones use may be the cause of the issue.
Or so you'd think. It appears Motorola may not be living up to its promises. But that number starts creeping up higher as we look at hardware from LG, HTC, Motorola, and ZTE - the latter's phones averaging four or more absent patches. In a somewhat better grouping, each Xiaomi, OnePlus and Nokia phone tested had between one and three missed patches.
But hacking an Android device is harder than it seems, as Android phones come with a broader set of security measures like address space layout randomization and sandboxing. Cheaper phones, which also tend to use cheaper chips, are found to be skipping more patches than flagships.