Android’s already poor security takes another leg down as it transpires that many Android handset makers are not applying security patches, although whether this makes Android devices less secure in practice remains open for debate.
Research carried out by Security Research Labs (SRL) of Germany has shown that not only do many Android handset makers delay the rollout of patches for months, but sometimes they don’t install them at all and then tell users that their software is up to date.
SRL looked at devices from 12 manufacturers over a period of two years and found what it calls a “patch gap” – which refers to the difference between what the handset maker claims and the actual patches installed on the device.
The worst offenders appear to have deliberately misrepresented when the device had been patched by simply changing the “last patched date” and doing nothing more. 1,200 devices from 12 manufacturers were tested and not surprisingly, it was the smaller Chinese makers who fared the worst.
SRL was of the opinion that some of the patches had been missed by accident, but also that hardware may have played a part in creating difficulties. This was highlighted when the number of patches was correlated to the vendor of the applications processor (upon which Android runs). Devices with Samsung processors did best, with less than 0.5 missed patches per device on average highlighting another advantage of vertical integration. Qualcomm was next with 1.1, and HiSilicon ranked at 1.9 indicating that Huawei has some tightening up to do, given it is as vertically integrated as Samsung. MediaTek was by far the worst with an average of 9.7 missed patches per device.
I think that there are two factors behind this:
- Cheap devices: MediaTek dominates the low end and in the low end virtually no money is made. Consequently, handset makers have to cut corners to survive. Security patches looks to have been one of those corners.
- MediaTek: There is very little money to be made in low-end chipsets and so it is entirely possible that MediaTek has been very slow to issue patches for hardware vulnerabilities. If this is the case, then there is nothing that the handset maker can do but wait for the patch to be issued. However, I suspect that a portion of this will have been due to low end Android handset makers ignoring MediaTek’s patches due to the very high cost pressure that they are under.
Despite missing all of these patches, the security implications are unclear. Even hacking Android phones that have not been patched is more difficult than its sounds, due to other provisions that have been implemented in Android since version 4.0 which almost every device now has. To take full control of an Android device, a series of exploits need to be used, and having all of these vulnerabilities present at the same time is quite unlikely.
Even so, this is a major black eye for Google and the Android ecosystem, as even if the device is difficult to hack, not having the patches looks really bad and does make it easier for a determined hacker. Hence, no one disagrees that all patches should be applied to make the device as secure as possible.
This, combined with the fact that devices are very rarely updated, means that Android is even more insecure than I had assumed.
This is just another reason why Google Android remains an inferior ecosystem to iOS, and this will prevent it from challenging iOS until these issues are fixed.
I still believe that this will require Google to take Android fully proprietary, giving it full control over both fragmentation and updates. This is a big step, and one Google has been reluctant to take. But until it does, Android will remain the also-ran when it comes to quality, usage and revenue generation.
Meanwhile, Apple looks set to outperform while the user data controversy rages on, but of all the advertising-driven players, Google is the one most likely to escape unscathed as it hasn’t broken anything yet.
This article was originally published at RadioFreeMobile