Android Google Security

Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com)

An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there regularly get security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.


Comments Filter:
  • by A10Mechanic ( 1056868 ) on Thursday April 12, 2018 @02:57PM (#56426463)
    Boardroom banter: Why should we provide free updates, when we can sell them a new phone...
    • by Anonymous Coward on Thursday April 12, 2018 @03:34PM (#56426725)

      "My phone is still totally fast and has plenty of space, but I'm missing a few security patches, so I'll just buy a new phone." said no customer ever.

      • by Anonymous Coward

        No but if the phone gets hacked and starts "acting funny" the customer will assume it's broken and want to replace it.

        • by Anonymous Coward

          Sure, but if the phone gets hacked and continues acting normal then the customer will assume everything is fine and continue to use the hacked phone.

          Have you guys never played this game before?

      • by green1 ( 322787 ) on Thursday April 12, 2018 @04:06PM (#56426923)

        I sort of just did...

        I had a Samsung Galaxy Note 4. It's a better phone in almost every way than any phone on the market today. (The processor is a hair slower than the newest phones, but I'd never found it slow at all, and its hardware feature set was so far beyond any other device you can buy now as to more than make up for it.) But it also hasn't had a security patch in a long time, and several high-profile security exploits have come out since the last one. As a result I decided to "upgrade" to a new phone. I miss the large screen on the Note 4 (all the new phones quote larger numbers for screen size, but due to the 2:1 aspect ratio have fewer square inches, and less usable space as it's too narrow). I miss the IR transmitter on the Note 4, I miss the removable battery (I was on my 3rd battery, something not possible on modern phones), I miss the MHL video output (very few phones have any wired video output capability anymore, despite that it used to be near ubiquitous), I miss the textured back that didn't require a bulky case to simply be able to hold on to.

        But I also knew that I couldn't reasonably hold on forever with the vain hope that someone releases decent hardware again some day.

        • I was going to make a snarky comment about installing LineageOS on it, but checked the device list and cannot see the Samsung Galaxy Note 4 listed, which seems odd.
          A real shame, as that is probably a perfectly usable device.
  • Well no shit... (Score:3, Interesting)

    by Slugster ( 635830 ) on Thursday April 12, 2018 @02:59PM (#56426495)
    This is because Google won't write a universal Android unlocking tool... As long as the unwashed masses can't really tell what the manufacturer did, why bother with anything difficult? There's a name for it... Security through Deniability?
  • No shit .... (Score:5, Insightful)

    by Anonymous Coward on Thursday April 12, 2018 @03:02PM (#56426509)

    Is anybody even remotely surprised?

    One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.

    As soon as it's shipped, they move on to the next product. They have neither the time, resources, nor inclination to maintain older versions of phones -- because they want you to buy a new one.

    The reality is, there are as many versions of Android as there are phones and companies who make them. And companies aren't going to spend the resources on a shipped product, because they've been paid for it already.

    So, yeah, they don't do updates, don't plan to do updates, and refuse to admit that it was abandonware before you even got your hands on it.

    To me, this is the greatest failing of Android.

    • Re:No shit .... (Score:5, Insightful)

      by farble1670 ( 803356 ) on Thursday April 12, 2018 @03:45PM (#56426799)

      One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.

      You get what you pay for.

      And one of the huge benefits of Android is that you aren't locked into one manufacturer. This is why you can get Android devices with SD card slots, dual SIMs, dual screens, touch sensitive sides, built in projectors, big screens, small screens, etc. If you don't want any of that, by all means buy Apple.

      Heck, you can even buy an Android phone that gets the most up to date software and patches. All you have to do is pay for it. It costs about as much as an iPhone... surprised?

      • by mjwx ( 966435 )

        Heck, you can even buy an Android phone that gets the most up to date software and patches. All you have to do is pay for it. It costs about as much as an iPhone... surprised?

        Quite surprised actually.

        Just yesterday I received the latest security patches of Android 8.1 on my 2 yr old Nexus 5. I only paid $300 for that compared to $600 for the equivalent iPhone and it's still as fast as the day I bought it.

        Android gives you the option to have what you want.

  • Carriers... (Score:5, Insightful)

    by yodleboy ( 982200 ) on Thursday April 12, 2018 @03:08PM (#56426563)

    Plenty of the blame goes on carriers. If you have the new hotness, expect fairly regular updates. If not, good luck. Planned obsolescence is a load of crap perpetrated by carriers and manufacturers. I'd actually put more of the blame on carriers now that you pay full price + interest for phones in the US.

    • Manufacturers need to say no to carrier ROMs, or let us load the manufacturer's ROM with no Knox trips.

      • Manufacturers need to say no to carrier ROMs, or let us load the manufacturer's ROM with no Knox trips.

        If you are a struggling Android device maker (as are they all), that is not even close to an option. If you say no there are 100 other manufacturers waiting to get their phones approved on the carriers' network.

      • Knox is just a Samsung thing.

    • If it was a carrier problem rather than an OS or manufacturer problem, wouldn't the same issue be affecting iPhones? Because it's not...

      • Not really... iPhone updates affect a very limited variety of phones. Particularly security only updates. If there's a failed update, no one rushes off to ATT for support. They go to the Genius bar, or contact Apple online.

        In the Android world there is an enormous array of different phones with different implementations of Android and support is largely placed on the carrier. Little surprise that the carriers don't want to risk messing up a functional phone and only do it as rarely as they can g

    • by Zumbs ( 1241138 )
      It is also a failure on the part of regulators. Most software updates include bug fixes, that is, fixes to errors that were in the device as it was shipped. In many jurisdictions these errors that came with the device are covered by a two year warranty from the date of sale, but I don't remember ever hearing of regulators actually forcing device vendors to update the software to fix the errors.
  • by Bob the Super Hamste ( 1152367 ) on Thursday April 12, 2018 @03:11PM (#56426579) Homepage
    Some missing info from the summary about the average number of missing patches per device from each manufacturer:
    Average missing patches per device from each manufacturer
    0 or 1 - Google, Samsung, and Sony
    1 to 3 - Xiaomi, OnePlus, and Nokia
    3 to 4 - HTC, Huawei, LG, and Motorola
    4 or more - TCL and ZTE
    • by ctilsie242 ( 4841247 ) on Thursday April 12, 2018 @03:24PM (#56426661)

      I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.

      • It is easy to provide an update if you don't fix much...

      • by dstyle5 ( 702493 )
        I picked up an HTC U11 in fall (my Nexus 6P died out of the blue) which luckily coincided with their releasing Oreo for it. So far it has been a pretty good phone.

        Not sure if they are lying about updates in this case as my security patch level is stuck at Dec, 2017. :( Hmmm...
      • by tlhIngan ( 30335 ) <slashdot@NoSpAM.worf.net> on Thursday April 12, 2018 @04:35PM (#56427053)

        I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.

        The article is not about patches coming out on time. It's about patches that come out missing.

        It's easy to make a security patch that patches nothing other than updating the date you see in the about screen.

        That's what the article is about - just because your device is "up to date", doesn't mean it has all the patches. They basically took a patched phone and re-ran the vulnerability tests on them, only to find the patches were not applied despite claims they were by having the patches up to date.

      • I think you missed the part where they go "yup, you are patched" without actually providing the patches.

      • by mjwx ( 966435 )

        I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time.

        The problem with Android is that the carriers can block OTA patches for certain phone types, mostly out of laziness but sometimes to keep their crappy bundled software working. Not so much of an issue here in the ROTW as you can simply switch carriers by swapping a SIM card, but in the US it can be an issue.

    • Ran the tool. Confirmed that My LG is missing 3.

    • by b0bby ( 201198 )

      I have been pleasantly surprised at the number of patches Sony pushes out to my Xperia X. It seems like at least every couple of months an update comes through; sometimes just security, but a couple of months ago I moved to Oreo. Never had a Google phone, but it seems like a more regular schedule than I got from my last Samsung.

      • RTFA to learn that just because you received updates and just because your phone claims to be patched, you probably do not actually have those patches unless you bought a phone from Google.

        • by b0bby ( 201198 )

          I did RTFA; Sony was listed right along with Google and Samsung as actually installing the updates. I don't verify each security update, but I can for sure tell when they push out Android 8 to me.

    • by Zumbs ( 1241138 )

      3 to 4 - HTC, Huawei, LG, and Motorola

      Motorola just pushed a new patch to my phone. I wonder if it will improve matters.

  • Lying to the public? (Score:4, Interesting)

    by VeryFluffyBunny ( 5037285 ) on Thursday April 12, 2018 @03:16PM (#56426611)
    Isn't it a crime for a company to tell such blatant lies to the public? Can't customers sue the companies for endangering their sensitive data? Is there no regulatory oversight for this?
    • by Anonymous Coward

      It's illegal to lie in the course of business in Canada. So yes. What they have done is illegal in Canada.

  • by FudRucker ( 866063 ) on Thursday April 12, 2018 @03:17PM (#56426623)
    Until the current crop of devices are bought and used up, or recalled and destroyed, I don't want to buy another PC, laptop, phone or tablet until all this Heartbleed or Meltdown (the CPU bug) stuff is resolved.
    • or meltdown (the CPU bug)

      As opposed to the Samsung Galaxy Note 8 meltdown. Thanks for clarifying.

    • by Anonymous Coward

      Good idea. I hear next year's products will be perfect.

  • The majority of Android phones sold aren't even running the latest version of Android at the time of sale.
    Why would we presume that security updates are current?
    • Google has made abuse part of its business by allowing users of Google Android to abuse customers.

      Apparently no one on Google management realized that abuse would eventually cause damage to Google's reputation.
      • But it doesn't. Most consumers don't know that Google makes Android. Most probably don't even know that they have an Android per se. Hell, most probably don't know that their phone has an OS. But they sure know that Google is a great search engine.

        • Good points.

          However, bad reputation with people who are technically-knowledgeable eventually flows to those who aren't.

          One example: Now Facebook is being criticized in top-level news stories. I Downloaded the Information That Facebook Has on Me. Yikes. [nytimes.com] (New York Times, April 11, 2018)

          Facebook was always the way it is now. But now the average person is learning about the huge negatives.

          If you are a billionaire owner of Google (now with a foolish name, Alphabet, Inc.) the abuse surrounding Android
  • Sounds like fraud. (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Thursday April 12, 2018 @03:25PM (#56426667)

    IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.

    • by q4Fry ( 1322209 )

      IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.

      Agreed. All it takes is one sufficiently-large fine or market closure to provoke change.

  • by farble1670 ( 803356 ) on Thursday April 12, 2018 @03:30PM (#56426685)

    The question is how they know the devices are missing the patch. Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.

    Because of vendor specific code changes, patches don't always apply cleanly and need changes, or the issue may have been fixed by the vendor in a different way, or even not relevant to the vendor's dist.

    • They have an app to test phones. I just checked mine. Could be that results are sent back home.

      • Well don't keep us in suspense, link it. Hope we have the source as well otherwise we are right back to knowing squat.

        The idea that they wrote code to test all of the issues fixed in patches is rather outlandish. Most of the issues end up being hypothetical exploits that have *never* been executed in the lab, let alone in the wild.

        • Much of the time you can test for a flaw that leads to an exploit without going all the way and fulfilling the entire exploit. If a function returns bad data that subsequently can be used to finagle a complicated sequence of events to exploit the system, you only need to check for the bad function result.

    • Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.

      Why? Software performs automated testing. Can be installed on multiple devices at once, run in the background. Not only is this possible, but it could likely be done by a single person.

  • ..."We found several vendors that didn't install a single patch but changed the patch date forward by several months,"...

    If a phone that falsely indicated patches were installed were taken over by malware because of the lack of patches, would that phone manufacturer be liable because of the lies?

    • not likely with the "it's not our fault if it goes wrong" language in the EULA, unless you're prepared to lawyer up and fight that first. Good luck.
      • OK, thanks. I was just curious. IMO, if there's no monetary downside to the behavior, I doubt it will change.
    • by Passman ( 6129 )

      If a phone that falsely indicated patches were installed were taken over by malware because of the lack of patches, would that phone manufacturer be liable because of the lies?

      That depends.
      If they released an update with notes that said "This patch is for exploits X, Y & Z" and then you got infected via Y, you would probably have a case.

      If they did the Microsoft thing and the notes just said "This patch fixes a number of issues that could affect your phone." Well then, you're out of luck.

  • It is expensive to provide patches so the makers of budget smartphones don't really want to be bothered with it. I am not surprised that ZTE made the list. What does surprise me is that the manufacturers will outright lie and just provide a patch date. Money makes the world go round... honesty gets thrown out with the bath water.
  • I was wondering why my Moto Z Force was still vulnerable in lab testing even after patching it. I submitted an email to their security team and nobody responded, so I thought maybe I was a snowflake case. This is even more of a case to only purchase google made android devices.

  • Mine is 3 years and a half old. I've been using it without problem, except the usual : it was getting slower and slower.
    After 3 years, I decided to make a full factory reset.

    Before : I had control over more things, many application were completely disabled, including Facebook (I never created an account) and Evernote.

    After : I got back some battery life and speed, although it's not consistent, I have to reboot from time to time. But the most annoying is that I lost control over many applications. I can no l

    • I'm running a hand-me-down Note 4 with the excellent Resurrection Remix 7.1 ROM on it, undervolted and underclocked, rooted with Magisk and it's wonderful.

      I saw yesterday that Resurrection Remix has released a new Oreo version that supports the Note 4, which I will get around to installing and trying at some point.
  • If they were lying about patch levels, why is my Moto X4 still on 1 August 2017?
    The only thing they're lying about is updating it to Android 8. Apparently "pending partner support" - it's a retail model. No carriers are involved. Who the hell are the partners they're waiting on?

    • Strange, my X4 before it broke in February was regularly updated every month -- though it was purchased through Project Fi.

      • It appears they're only providing updates to phones they're required to. Project Fi requires them to provide regular updates.
        Turns out they don't give a shit about regular retail customers.

    • No carriers are involved. Who the hell are the partners they're waiting on?

      Qualcomm? Or could be anyone that produces drivers for the hardware they use.

      It's quite common to get a very short support lifecycle for drivers with consumer hardware. It's possible Moto used old components in that device for which there are no drivers that support the newer version of Android.

      • They released the update to Oreo in India back in December 2017, so I doubt the drivers are an issue. I have the same hardware variant sold there, XT1900-2.

  • The PhoneDog article is just a wrapper for the Wired article. [wired.com] It says:

    "We found several vendors that didn't install a single patch but changed the patch date forward by several months," Nohl says. "That's deliberate deception, and it's not very common."

    What exactly does the patch date mean? Does that mean it has all the patches up to that date? Or does it merely mean that it was patched on that date? What if the manufacturer has a patched version of a library or driver, and they haven't merged that patch into their library or driver yet? That might be irresponsible, but it doesn't mean that patch date is wrong or that they are being malicious.

    • What exactly does the patch date mean?

      On Android the patch date is just a string the manufacturer sets. They can set it to anything they want. Google releases quarterly patches, so the date is supposed to correspond to the release date of those patch sets.

      As to what it means, the implication is that you are "up to date" with the patches as of your listed patch date.
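The two threads above (the one asking how SRL could tell a patch was missing without running 1,200 exploits, and this one on what the patch date string actually is) describe the same check from two sides: the patch level is a vendor-set string, and whether a fix is really present can be tested by looking for the fix itself rather than by exploiting the bug. Here is an added example of that comparison, written for this page; it is not SRL's code or the SnoopSnitch app, and the fix names, library paths and byte patterns are all constructed for the illustration (no real CVEs or real binary signatures). The only real identifier is the Android system property `ro.build.version.security_patch`, which is what the "patch date" in the about screen is read from.

```python
"""Compare a device's claimed Android security patch level with what can be
verified in its binaries.  Added example for this discussion, not SRL's or
Google's code.  Every fix name, path and byte pattern below is constructed."""

import re
from dataclasses import dataclass

# ro.build.version.security_patch is a free-form string the vendor sets at
# build time; nothing on the device enforces that it reflects applied fixes.
PATCH_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-\d{2}$")


def parse_patch_level(value: str) -> tuple[int, int]:
    """Parse 'YYYY-MM-DD' into (year, month); reject anything malformed."""
    m = PATCH_LEVEL_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad security patch level: {value!r}")
    year, month = int(m.group(1)), int(m.group(2))
    if not 1 <= month <= 12:
        raise ValueError(f"bad month in patch level: {value!r}")
    return year, month


def months_behind(claimed: str, reference: tuple[int, int]) -> int:
    """Whole months between the claimed level and a reference (year, month)."""
    year, month = parse_patch_level(claimed)
    return (reference[0] - year) * 12 + (reference[1] - month)


@dataclass(frozen=True)
class FixSignature:
    bulletin: tuple[int, int]  # (year, month) of the bulletin shipping the fix
    name: str                  # hypothetical fix name, not a real CVE
    library: str               # binary the fix lives in (constructed path)
    patched: bytes             # pattern present only in the fixed code
    unpatched: bytes           # pattern present only in the unfixed code


# Constructed signatures for a hypothetical device build.
SIGNATURES = [
    FixSignature((2017, 6), "FIX-A", "/system/lib/libmedia.so", b"FIXA_v2_bounds_check", b"FIXA_v1_nocheck"),
    FixSignature((2017, 8), "FIX-B", "/system/lib/libmedia.so", b"FIXB_v2_len_check", b"FIXB_v1_nocheck"),
    FixSignature((2017, 10), "FIX-C", "/system/lib/libbt.so", b"FIXC_v2_null_check", b"FIXC_v1_nocheck"),
    FixSignature((2017, 12), "FIX-D", "/system/lib/libbt.so", b"FIXD_v2_size_check", b"FIXD_v1_nocheck"),
]


def check_device(claimed: str, files: dict[str, bytes], signatures=SIGNATURES) -> dict:
    """Classify every fix the claimed level implies as fixed, missing or unknown.

    'unknown' covers the case raised in the thread: the vendor may have fixed
    the bug differently, so neither pattern matches and no claim is made."""
    year, month = parse_patch_level(claimed)
    report = {"claimed": claimed, "fixed": [], "missing": [], "unknown": []}
    for sig in signatures:
        if sig.bulletin > (year, month):
            continue  # not implied by the claimed level; nothing to verify
        blob = files.get(sig.library, b"")
        if sig.patched in blob and sig.unpatched not in blob:
            report["fixed"].append(sig.name)
        elif sig.unpatched in blob:
            report["missing"].append(sig.name)
        else:
            report["unknown"].append(sig.name)
    return report


def verdict(report: dict) -> str:
    """One-line summary in the spirit of the SRL finding."""
    if report["missing"]:
        return f"patch level {report['claimed']} claimed, but {len(report['missing'])} implied fix(es) absent"
    if report["unknown"]:
        return f"patch level {report['claimed']} claimed; {len(report['unknown'])} fix(es) could not be verified"
    return f"patch level {report['claimed']} is consistent with the binaries"


# Constructed device image: claims October 2017, has the June fix, still has the
# unfixed August code, and carries neither pattern for the October fix.
DEVICE_FILES = {
    "/system/lib/libmedia.so": b"\x7fELF...FIXA_v2_bounds_check...FIXB_v1_nocheck...",
    "/system/lib/libbt.so": b"\x7fELF...FIXD_v1_nocheck...",
}

if __name__ == "__main__":
    rep = check_device("2017-10-05", DEVICE_FILES)
    print(rep)
    print(verdict(rep))
    print("months behind April 2018:", months_behind("2017-10-05", (2018, 4)))
```

On a real device the claimed string comes from `adb shell getprop ro.build.version.security_patch`, and the files would be pulled from the system partition; the signature table is the hard part and is exactly what a vendor cannot fake by editing the property. The "unknown" bucket matters: a missing pattern is not proof of a missing fix, which is why a tool of this kind has to report it separately instead of counting it against the vendor.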

  • One amazing thing about the report is how widespread this is. These companies do not collaborate in non-implementation of patches and lying about it. They probably invented this way of cheating the customer independently.

    • At the company I work at, the product team would definitely be looking at competitors doing this sort of thing at trade shows et al. If these companies don't know what their competitors are up to, they don't last long.

  • Thanks to Project Treble the Android fragmentation problem is solved. People already demonstrated this by running generic Android OS images on top of even some obscure phone models, which actually comply with Treble. Treble compliance is mandatory for any device with Oreo and upwards. What treble is - basically complete separation of OS and HAL. It is now possible to update Android regardless of the oem as long as bootloader is not permalocked.
  • I gladly rather live in a "walled garden" than in an open dump. I would not be surprised if Androids are the majority of devices in botnets these days. Certainly will be sooner or later.
