Android Phone Makers May Be Lying About Security Updates
Google is making monthly security updates a critical feature of Android, yet most vendors skip security patches, especially for their mid-range devices. Now, two cybersecurity analysts from Security Research Labs are claiming that in many cases, even those manufacturers who claim to push security updates are simply lying.
Karsten Nohl and Jakob Lell say they reached their conclusion after examining 1,200 phones from manufacturers such as Google, Samsung, Sony, Nokia, Huawei, Motorola, LG, HTC, ZTE and TCL in 2017.
While Tier-I companies such as Samsung and Sony were found to have missed only one patch on average, others like TCL and ZTE missed four or more security patches on average. Xiaomi, OnePlus and Nokia skipped between one and three security updates, while HTC, Huawei, LG and Motorola had between three and four missing patches.
But manufacturers often also lie about the date of a security update by changing it in the code, so that your phone shows as having the latest update (from April, for example) when it is actually just an old update that has been renamed. Even in the case of Samsung, while the Galaxy J5 (2015) accurately reported the date of its security updates, the Galaxy J3, also from 2015, reported updated patches even though it was actually 12 versions behind.
The choice that Android gives buyers in terms of phone makers does not matter in this regard.
Samsung’s in-house Exynos chips skipped only a few patches, while models using MediaTek SoCs missed almost 10 patches on average, so it would be advisable not to buy MediaTek at the moment, similar to the Meltdown and Spectre fiasco for Intel and other CPU makers.
When Wired reached out to Google for its reaction to the report, the search giant pointed out that some of the devices analyzed by SRL may not have been ‘Android Certified’ devices, which means their vendors weren’t legally obligated to roll out every available security patch for them. Also, security patches are only meant for certain hardware components or software features that may be missing from some of the devices tested by SRL.
If you are using a phone from any of the manufacturers mentioned above, it would be wise to reach out to customer care and find out whether the updates reported as installed are actually the real ones, or older ones simply renamed.