{"id":11997,"date":"2018-04-12T10:45:16","date_gmt":"2018-04-12T18:45:16","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/04\/12\/news-5766\/"},"modified":"2018-04-12T10:45:16","modified_gmt":"2018-04-12T18:45:16","slug":"news-5766","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/04\/12\/news-5766\/","title":{"rendered":"How Android Phones Hide Missed Security Updates From You"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5acd6226ca7afd490baac198\/master\/pass\/AndroidSecurity-91620751.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Thu, 12 Apr 2018 11:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">Google has long <\/span>struggled with how best to get dozens of Android smartphone manufacturers\u2014and hundreds of carriers\u2014to <a href=\"https:\/\/www.wired.com\/2015\/08\/google-samsung-lg-roll-regular-android-security-updates\/\">regularly push out<\/a> security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors <a href=\"https:\/\/www.wired.com\/2017\/03\/good-news-androids-huge-security-problem-getting-less-huge\/\">fail to make patches available<\/a> to their users, or delay their release for months; they sometimes also tell users their phone&#x27;s firmware is fully up to date, even while they&#x27;ve secretly skipped patches.<\/p>\n<p>On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones&#x27; operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. 
They found what they call a &quot;patch gap&quot;: In many cases, certain vendors&#x27; phones would tell users that they had all of Android&#x27;s security patches up to a certain date, while in reality missing as many as a dozen patches from that period\u2014leaving phones vulnerable to a broad collection of known hacking techniques.<\/p>\n<p class=\"paywall\">&quot;We find that there&#x27;s a gap between patching claims and the actual patches installed on a device. It\u2019s small for some devices and pretty significant for others,&quot; says Nohl, a well-known security researcher and SRL&#x27;s founder. In the worst cases, Nohl says, Android phone manufacturers intentionally misrepresented when the device had last been patched. &quot;Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.&quot;<\/p>\n<p class=\"paywall\">SRL tested the firmware of 1,200 phones,\u00a0from more than a dozen\u00a0phone manufacturers,\u00a0for every Android patch released in 2017.\u00a0The\u00a0devices were made by\u00a0Google itself\u00a0as\u00a0well as\u00a0major Android phone makers like Samsung, Motorola,\u00a0and HTC,\u00a0and\u00a0lesser-known Chinese-owned companies like ZTE and TCL. Their testing found that other than Google&#x27;s own flagship phones like the Pixel and\u00a0<a href=\"https:\/\/www.wired.com\/2017\/10\/review-google-pixel-2\/\">Pixel 2<\/a>,\u00a0even top-tier phone vendors sometimes claimed to have patches installed that they actually lacked. 
And the lower-tier collection of manufacturers had a far messier record.<\/p>\n<p>&#x27;Sometimes these guys just change the date without installing any patches.&#x27;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Karsten Nohl, Security Research Labs<\/p>\n<p class=\"paywall\">The problem, Nohl points out, is worse than vendors merely neglecting to patch older devices, a common phenomenon. Instead, it&#x27;s that they tell users they install patches that they in fact don&#x27;t, creating a false sense of security. &quot;We found several vendors that didn\u2019t install a single patch but changed the patch date forward by several months,&quot; Nohl says. &quot;That\u2019s deliberate deception, and it&#x27;s not very common.&quot;<\/p>\n<p class=\"paywall\">More often, Nohl believes, companies like Sony or Samsung would miss a patch or two by accident. But in other cases, the results were harder to explain: SRL found that one Samsung phone, the 2016 J5, was perfectly honest about telling the user which patches it had installed and which it still lacked, while Samsung&#x27;s 2016 J3 claimed to have every Android patch issued in 2017 but lacked 12 of them\u2014two considered as &quot;critical&quot; for the phone&#x27;s security.<\/p>\n<p class=\"paywall\">Given that kind of hidden inconsistency, &quot;it&#x27;s almost impossible for the user to know which patches are actually installed,&quot; Nohl says.  
In an effort to solve that missing patch transparency problem, SRL Labs is also releasing an <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=de.srlabs.snoopsnitch&amp;hl=en\" target=\"_blank\">update to its Android app SnoopSnitch<\/a> that will let users check their phone&#x27;s code for the actual state of its security updates.<\/p>\n<p class=\"paywall\">After averaging out the results of every phone tested for each vendor, SRL Labs produced the chart below, which splits vendors into three categories based on how faithfully their patching claims matched reality in 2017, focusing only on phones that received at least one patch in October of 2017 or later. Phones from major Android vendors including Xiaomi and Nokia had on average between one and three missing patches, and even major vendors like HTC, Motorola, and LG missed between three and four of the patches they claimed to have installed. But the lowest-performing companies on the list were the Chinese firms TCL and ZTE, all of whose phones had on average more than four patches that they&#x27;d claimed to have installed, but hadn&#x27;t.<\/p>\n<p class=\"paywall\">SRL also points to chip suppliers as one possible reason for missing patches: While phones with processors from Samsung had very few silently skipped patches, ones that used chips from the Taiwanese firm MediaTek lacked a whopping 9.7 patches on average. That may in some cases be simply because cheaper phones are more likely to skip patches, and also tend to use cheaper chips. But in other cases, it&#x27;s because bugs are found in the phone&#x27;s chips rather than in its operating system, and the phone manufacturer depends on the chipmaker to offer a patch. As a result, cheaper phones that source chips from lower-end suppliers inherit those suppliers&#x27; missed patches. 
&quot;The lesson is that if you go for a cheaper device, you end up in a less well maintained part of this ecosystem,&quot; Nohl says.<\/p>\n<p class=\"paywall\">When WIRED reached out to Google, the company said that it appreciated SRL&#x27;s research, but responded by pointing out that some of the devices SRL analyzed may not have been Android <a href=\"https:\/\/www.android.com\/certified\/partners\/\" target=\"_blank\">certified devices<\/a>, meaning they&#x27;re not held to Google&#x27;s standards of security. They noted that modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities. And they argued that in some cases, patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patching it, or the phone didn&#x27;t have that feature in the first place. The company says it&#x27;s working with SRL Labs to further investigate its findings. &quot;Security updates are one of many layers used to protect Android devices and users,&quot; added Scott Roberts, Android product security lead, in a statement to WIRED. &quot;Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security\u2014combined with the tremendous diversity of the Android ecosystem\u2014contribute to the researchers&#x27; conclusions that remote exploitation of Android devices remains challenging.&quot;<sup>1<\/sup><\/p>\n<p class=\"paywall\">In response to Google&#x27;s assertion that some patches may have been unnecessary due to the vulnerable feature being missing from the phone or removed in response to the vulnerability, Nohl counters that those situations are very rare. 
&quot;It\u2019s definitely not a significant number,&quot; he says.<\/p>\n<p class=\"paywall\">More surprisingly, Nohl agrees with Google&#x27;s other major point: Hacking Android phones by exploiting their missing patches is far harder than it sounds. Even Android phones that don&#x27;t have solid patching records still benefit from Android&#x27;s broader security measures, like address space layout randomization\u2014which since Android 4.0 (Lollipop) has randomized the location of a program in memory to make it harder for malware to exploit other parts of the phone\u2014and sandboxing, which limits a malicious program&#x27;s access to the rest of the device.<\/p>\n<p class=\"paywall\">That means most hacking techniques, known as exploits, that can gain full control of a target Android phone require taking advantage of a series of vulnerabilities in a phone&#x27;s software, not just one missed patch. &quot;Even if you miss certain patches, chances are they\u2019re not aligned in a certain way that allows you to exploit them,&quot; Nohl says.<\/p>\n<p class=\"paywall\">As a result, he says, Android phones are far more often hacked with simpler schemes, namely\u00a0<a href=\"https:\/\/www.wired.com\/story\/google-play-store-malware\/\">rogue apps that find their way into\u00a0the\u00a0Google\u00a0Play Store<\/a>\u00a0or that trick users into installing them from other sources\u00a0<a href=\"https:\/\/www.wired.com\/2016\/12\/never-ever-ever-download-android-apps-outside-google-play\/\">outside of\u00a0the\u00a0Play\u00a0Store<\/a>.\u00a0&quot;Criminals will most likely stick with social engineering as long as humans are gullible and install free or pirated software that comes packaged with malware,&quot; Nohl says.<\/p>\n<p class=\"paywall\">Advanced,\u00a0<a href=\"https:\/\/www.wired.com\/story\/lipizzan-android-malware-nation-state\/\">state-sponsored hackers carrying out more targeted attacks<\/a>\u00a0on Android devices, however, may be another story. 
For the most part, Nohl argues they likely use zero-day vulnerabilities\u2014secret hackable bugs for which no patch exists at all\u2014rather than known but unpatched vulnerabilities. But in many cases they might use known and yet unpatched bugs in phones in combination with zero day vulnerabilities; he refers, as an example, to the spyware FinFisher, which at one point took advantage of a known Android vulnerability called Dirty COW in addition to its own fresh zero-day exploits.<\/p>\n<p class=\"paywall\">Nohl cites the security principle of &quot;defense in depth&quot;\u2014that security is most effectively implemented in multiple layers. And every missed patch is potentially one less layer of protection. &quot;You should never make it any easier for the attacker by leaving open bugs that in your view don\u2019t constitute a risk by themselves, but may be one of the pieces of someone else&#x27;s puzzle,&quot; Nohl says. &quot;Defense in depth means install all the patches.&quot;<\/p>\n<p class=\"paywall\"><sup>1<\/sup><em>Updated 4\/12\/2018 with an additional statement from Google.<\/em><\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/android-phones-hide-missed-security-updates-from-you\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5acd6226ca7afd490baac198\/master\/pass\/AndroidSecurity-91620751.jpg\"\/><\/p>\n<p><strong>Credit to Author: Andy Greenberg| Date: Thu, 12 Apr 2018 11:00:00 +0000<\/strong><\/p>\n<p>A study finds that Android phones aren&#8217;t just slow to get patched; sometimes they lie about being patched when they&#8217;re not.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11997","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11997","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11997"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11997\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp
-json\/wp\/v2\/categories?post=11997"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}