Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com)
An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there regularly get security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.
Planned Obsolescence (Score:5, Insightful)
Re:Planned Obsolescence (Score:5, Insightful)
"My phone is still totally fast and has plenty of space, but I'm missing a few security patches, so I'll just buy a new phone." said no customer ever.
Re: (Score:2)
No but if the phone gets hacked and starts "acting funny" the customer will assume it's broken and want to replace it.
Re: (Score:1)
Sure, but if the phone gets hacked and continues acting normal then the customer will assume everything is fine and continue to use the hacked phone.
Have you guys never played this game before?
Re:Planned Obsolescence (Score:4, Interesting)
I sort of just did...
I had a Samsung Galaxy Note 4. It's a better phone in almost every way than any phone on the market today. (The processor is a hair slower than the newest phones, but I'd never found it slow at all, and its hardware feature set was so far beyond any other device you can buy now as to more than make up for it.) But it also hasn't had a security patch in a long time, and several high profile security exploits have come out since the last one. As a result I decided to "upgrade" to a new phone. I miss the large screen on the Note4 (all the new phones quote larger numbers for screen size, but due to the 2:1 aspect ratio have fewer square inches, and less usable space as it's too narrow). I miss the IR transmitter on the Note4, I miss the removable battery (I was on my 3rd battery, something not possible on modern phones), I miss the MHL video output (very few phones have any wired video output capability anymore, despite that it used to be near ubiquitous). I miss the textured back that didn't require a bulky case to simply be able to hold on to.
But I also knew that I couldn't reasonably hold on forever with the vain hope that someone releases decent hardware again some day.
Re: (Score:2)
A real shame, as that is probably a perfectly usable device.
Re: Planned Obsolescence (Score:4, Informative)
I've just noticed yesterday that Resurrection Remix has just released a new Oreo version for phones that include the Note 4, so it looks like it's still got some life left in this model yet.
Re: Planned Obsolescence (Score:1)
Re: (Score:2)
They are not lying, it just depends on your phone. (Score:3)
If you have a locked bootloader you can still use a modified rom however you need to retain the stock kernel, which s
Re: (Score:2)
Lineage website does not list independent ROMs built from their source code, only official ones, and there are TONS that are unofficial
Water isn't oxygen and hydrogen; it's something a fair bit different, despite being derived from those two elements, but you might not get my point from that example, so here's one relating to operating systems: Ubuntu, Grml, Kali, PureOS, and Tails aren't Debian, though they're derived from Debian. LineageOS is LineageOS; anything derived from LineageOS is something else. This is an important distinction because, as you state, flashing the wrong thing can easily and permanently brick some phones.
Oh, and
Re: (Score:2)
LineageOS (and even Android in general) is not handled the same way as Ubuntu and Debian, which I will get to in a second. The official ports are usually derived from creators building unofficial versions which then get adopted as official after a few months of running well, if the builder submits it.
https://wiki.lineageos.org/sub... [lineageos.org]
As for naming, this has to do with how Android is compiled vs how a normal OS is compiled. If you compile Ubuntu yourself you have Ubuntu, but Ubuntu works on
Re: (Score:2)
If you take LineageOS and change the launcher or some of the defaults and repackage it, it is no longer LineageOS; that's what differentiates Ubuntu from Debian, as w
Re: if u dont like (Score:2)
It would be illegal in most countries to totally disable emergency calling. So you're never going to get that. The closest you'll get is airplane mode (which virtually every phone has), which really does turn off all the radios. When you try to make an emergency call, it turns the radio back on.
Unrelated but why does slashdot not keep me logged in anymore? Wtf?
Re: (Score:2)
How else would you be able to use the expensive in-flight internet?
Well no shit... (Score:3, Interesting)
No shit .... (Score:5, Insightful)
Is anybody even remotely surprised?
One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.
As soon as it's shipped, they move on to the next product. They have neither the time, resources, nor inclination to maintain older versions of phones -- because they want you to buy a new one.
The reality is, there are as many versions of Android as there are phones and companies who make them. And companies aren't going to spend the resources on a shipped product, because they've been paid for it already.
So, yeah, they don't do updates, don't plan to do updates, and refuse to admit that it was abandonware before you even got your hands on it.
To me, this is the greatest failing of Android.
Re:No shit .... (Score:5, Insightful)
One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.
You get what you pay for.
And one of the huge benefits of Android is that you aren't locked into one manufacturer. This is why you can get Android devices with SD card slots, dual SIMs, dual screens, touch sensitive sides, built in projectors, big screens, small screens, etc. If you don't want any of that, by all means buy Apple.
Heck, you can even buy an Android phone that gets the most up to date software and patches. All you have to do is pay for it. It costs about as much as an iPhone... surprised?
Re:No shit .... (Score:5, Informative)
Even Google stopped supporting their Pixel phones, when almost their only selling point was getting proper updates.
Google guarantees 3 years of updates (OS updates, not just patches) on the Pixel 2, and the Pixel 1 is guaranteed 3 years of patches (but I think only 2 years of OS updates):
https://www.theverge.com/circu... [theverge.com]
Re: (Score:2)
Re: (Score:2)
What? I have a Google Pixel XL and just installed an update today. I'm at 8.1.0 and participate in the beta program. How much better could the update process be?
You mean you don't have the as yet undisclosed release fixing the as yet unfound bugs? Man are you behind in the times.
*Posted from my Google Pixel running Android Wonkabar.
Re: (Score:2)
Heck, you can even buy an Android phone that gets the most up to date software and patches. All you have to do is pay for it. It costs about as much as an iPhone... surprised?
Quite surprised actually.
Just yesterday I received the latest security patches of Android 8.1 on my 2 yr old Nexus 5. I only paid $300 for that compared to $600 for the equivalent iPhone and it's still as fast as the day I bought it.
Android gives you the option to have what you want.
Carriers... (Score:5, Insightful)
Plenty of the blame goes on carriers. If you have the new hotness, expect fairly regular updates. If not, good luck. Planned obsolescence is a load of crap perpetrated by carriers and manufacturers. I'd actually put more of the blame on carriers now that you pay full price + interest for phones in the US.
manufacturers need to say no to carrier ROMs (Score:2)
manufacturers need to say no to carrier ROMs or let us load the manufacturer's ROM with no Knox trips.
Re: (Score:2)
manufacturers need to say no to carrier ROMs or let us load the manufacturer's ROM with no Knox trips.
If you are a struggling Android device maker (as are they all), that is not even close to an option. If you say no there are 100 other manufacturers waiting to get their phones approved on the carriers' network.
Re: (Score:2)
Knox is just a Samsung thing.
Re: (Score:2)
If it was a carrier problem rather than an OS or manufacturer problem, wouldn't the same issue be affecting iPhones? Because it's not...
Re: (Score:2)
Not really... iPhone updates affect a very limited variety of phones. Particularly security only updates. If there's a failed update, no one rushes off to AT&T for support. They go to the Genius Bar, or contact Apple online.
In the Android world there is an enormous array of different phones with different implementations of Android and support is largely placed on the carrier. Little surprise that the carriers don't want to risk messing up a functional phone and only do it as rarely as they can g
Re: (Score:2)
Missing info from summary (Score:5, Informative)
Average missing patches per device from each manufacturer
0 or 1 - Google, Samsung, and Sony
1 to 3 - Xiaomi, OnePlus, and Nokia
3 to 4 - HTC, Huawei, LG, and Motorola
4 or more - TCL and ZTE
Re:Missing info from summary (Score:5, Informative)
I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.
Re: (Score:3)
It is easy to provide an update if you don't fix much...
Re: (Score:2)
Not sure if they are lying about updates in this case as my security patch level is stuck at Dec 2017.
Re:Missing info from summary (Score:5, Informative)
The article is not about patches coming out on time. It's about patches that come out missing.
It's easy to make a security patch that patches nothing other than updating the date you see in the about screen.
That's what the article is about - just because your device is "up to date", doesn't mean it has all the patches. They basically took a patched phone and re-ran the vulnerability tests on them, only to find the patches were not applied despite claims they were by having the patches up to date.
Re: (Score:2)
I think you missed the part where they go "yup, you are patched" without actually providing the patches.
Re: (Score:2)
I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time.
The problem with Android is that the carriers can block OTA patches for certain phone types, mostly out of laziness but sometimes to keep their crappy bundled software working. Not so much of an issue here in the ROTW as you can simply switch carriers by swapping a SIM card, but in the US it can be an issue.
Re: (Score:2)
Ran the tool. Confirmed that my LG is missing 3.
Re: (Score:2)
I have been pleasantly surprised at the number of patches Sony pushes out to my Xperia X. It seems like at least every couple of months an update comes through; sometimes just security, but a couple of months ago I moved to Oreo. Never had a Google phone, but it seems like a more regular schedule than I got from my last Samsung.
Re: Missing info from summary (Score:2)
RTFA to learn that just because you received updates and just because your phone claims to be patched, you probably do not actually have those patches unless you bought a phone from Google.
Re: (Score:2)
I did RTFA; Sony was listed right along with Google and Samsung as actually installing the updates. I don't verify each security update, but I can for sure tell when they push out Android 8 to me.
Re: (Score:2)
3 to 4 - HTC, Huawei, LG, and Motorola
Motorola just pushed a new patch to my phone. I wonder if it will improve matters.
Lying to the public? (Score:4, Interesting)
Re: Lying to the public? (Score:1)
It's illegal to lie in the course of business in Canada. So yes. What they have done is illegal in Canada.
Re: (Score:1)
That metric is meaningless without the average enforcement action rate. This is an example of why people say the news is bullshit and journalism is dead.
Re:Lying to the public? (Score:4, Informative)
And the article has exactly that information in it:
A review of a CFPB database obtained by the AP through a Freedom of Information request shows that the bureau issued an average of two to four enforcement actions a month under former Director Richard Cordray, President Obama’s appointee. But the database shows zero enforcement actions have been taken since Nov. 21, 2017, three days before Cordray resigned.
Yeah, curse the news as bullshit when you didn't bother to even take a single peek at it.
i am not buying any more new hardware (Score:4, Interesting)
Re: (Score:2)
or meltdown (the CPU bug)
As opposed to the Samsung Galaxy Note 8 meltdown. Thanks for clarifying.
Re: (Score:1)
Good idea. I hear next year's products will be perfect.
Updates (Score:1)
Why would we presume that security updates are current?
Poor, self-destructive management by Google. (Score:2)
Apparently no one on Google management realized that abuse would eventually cause damage to Google's reputation.
Re: (Score:3)
But it doesn't. Most consumers don't know that Google makes Android. Most probably don't even know that they have an Android per se. Hell, most probably don't know that their phone has an OS. But they sure know that Google is a great search engine.
Re: (Score:2)
However, bad reputation with people who are technically-knowledgeable eventually flows to those who aren't.
One example: Now Facebook is being criticized in top-level news stories. I Downloaded the Information That Facebook Has on Me. Yikes. [nytimes.com] (New York Times, April 11, 2018)
Facebook was always the way it is now. But now the average person is learning about the huge negatives.
If you are a billionaire owner of Google (now with a foolish name, Alphabet, Inc.) the abuse surrounding Android
Sounds like fraud. (Score:5, Insightful)
IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.
Re: (Score:3)
IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.
Agreed. All it takes is one sufficiently-large fine or market closure to provoke change.
How? (Score:3)
The question is how they know the devices are missing the patch. Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.
Because of vendor specific code changes, patches don't always apply cleanly and need changes, or the issue may have been fixed by the vendor in a different way, or even not relevant to the vendor's dist.
Re: (Score:3)
They have an app to test phones. I just checked mine. Could be that results are sent back home.
Re: (Score:2)
Well don't keep us in suspense, link it. Hope we have the source as well otherwise we are right back to knowing squat.
The idea that they wrote code to test all of the issues fixed in patches is rather outlandish. Most of the issues end up being hypothetical exploits that have *never* been executed in the lab let alone in the wild.
Re: How? (Score:2)
Much of the time you can test for a flaw that leads to an exploit without going all the way and fulfilling the entire exploit. If a function returns bad data that subsequently can be used to finagle a complicated sequence of events to exploit the system, you only need to check for the bad function result.
Re: (Score:2)
Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.
Why? Software performs automated testing. Can be installed on multiple devices at once, run in the background. Not only is this possible, but it could likely be done by a single person.
Liability? (Score:2)
..."We found several vendors that didn't install a single patch but changed the patch date forward by several months,"...
If a phone that falsely indicated patches were installed were taken over by malware because of the lack of patches, would that phone manufacturer be liable because of the lies?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
If a phone that falsely indicated patches were installed were taken over by malware because of the lack of patches, would that phone manufacturer be liable because of the lies?
That depends.
If they released an update with notes that said "This patch is for exploits X, Y & Z" and then you got infected via Y, you would probably have a case.
If they did the Microsoft thing and the notes just said "This patch fixes a number of issues that could affect your phone." Well then, you're out of luck.
Cost of doing business (Score:2)
This explains a lot (Score:2)
I was wondering why my Moto Z Force was still vulnerable in lab testing even after patching it. I submitted an email to their security team and nobody responded, so I thought maybe I was a snowflake case. This is even more of a case to only purchase Google-made Android devices.
Samsung Galaxy Note 4 case (Score:2)
Mine is 3 and a half years old. I've been using it without problem, except the usual: it was getting slower and slower.
After 3 years, I decided to make a full factory reset.
Before: I had control over more things, many applications were completely disabled, including Facebook (I never created an account) and Evernote.
After: I got back some battery life and speed, although it's not consistent, I have to reboot from time to time. But the most annoying is that I lost control over many applications. I can no l
Re: Samsung Galaxy Note 4 case (Score:1)
I saw yesterday that Resurrection Remix has released a new Oreo version that supports the Note 4, which I will get around to installing and trying at some point.
Re: (Score:1)
Thanks a lot for the tip! I will have a close look on this soon!
Motorola is not guilty (Score:2)
If they were lying about patch levels, why is my Moto X4 still on 1 August 2017?
The only thing they're lying about is updating it to Android 8. Apparently "pending partner support" - it's a retail model. No carriers are involved. Who the hell are the partners they're waiting on?
Re: (Score:2)
Strange, my X4 before it broke in February was regularly updated every month -- though it was purchased through Project Fi.
Re: (Score:2)
It appears they're only providing updates to phones they're required to. Project Fi requires them to provide regular updates.
Turns out they don't give a shit about regular retail customers.
Re: (Score:2)
No carriers are involved. Who the hell are the partners they're waiting on?
Qualcomm? Or could be anyone that produces drivers for the hardware they use.
It's quite common to get a very short support lifecycle for drivers with consumer hardware. It's possible Moto used old components in that device for which there are no drivers that support the newer version of Android.
Re: (Score:2)
They released the update to Oreo in India back in December 2017, so I doubt the drivers are an issue. I have the same hardware variant sold there, XT1900-2.
Methodology question (Score:2)
The PhoneDog article is just a wrapper for the Wired article. [wired.com] It says:
"We found several vendors that didn't install a single patch but changed the patch date forward by several months," Nohl says. "That's deliberate deception, and it's not very common."
What exactly does the patch date mean? Does that mean it has all the patches up to that date? Or does it merely mean that it was patched on that date? What if the manufacturer has a patched version of a library or driver, and they haven't merged that patch into their library or driver yet? That might be irresponsible, but it doesn't mean that patch date is wrong or that they are being malicious.
Re: (Score:2)
What exactly does the patch date mean?
On Android the patch date is just a string the manufacturer sets. They can set it to anything they want. Google releases quarterly patches, so the date is supposed to correspond to the release date of those patch sets.
As to what it means, the implication is that you are "up to date" with the patches as of your listed patch date.
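One way to treat that vendor-set string with appropriate suspicion, as an added example (not code from the article, the SRL study, or Android itself): it parses constructed `adb shell getprop` output, reads the real `ro.build.version.security_patch` and `ro.build.date.utc` properties, and flags a patch level that is stale, postdates the newest bulletin, or postdates the build itself. The sample values, the bulletin date and the thresholds are assumptions; passing the checks only shows the claim is plausible, not that any particular fix is present.

```python
"""Sanity-check a device's self-declared Android security patch level.

Added example (not from the article or the SRL study): parses
`adb shell getprop` output and cross-checks the vendor-set string
ro.build.version.security_patch against build time and newest bulletin.
"""
import re
from datetime import date, datetime, timezone

# Constructed sample of getprop output; every value here is invented.
SAMPLE_GETPROP = """\
[ro.build.date.utc]: [1504224000]
[ro.build.version.security_patch]: [2017-12-01]
[ro.product.manufacturer]: [ExampleVendor]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)
PATCH_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # required YYYY-MM-DD form


def parse_getprop(text: str) -> dict:
    """Return getprop output as a {key: value} dict."""
    return dict(PROP_RE.findall(text))


def assess_patch_level(props: dict, latest_bulletin: str,
                       grace_days: int = 35, max_lag_days: int = 90) -> dict:
    """Cross-check the declared patch level; latest_bulletin is the ISO date
    of the newest bulletin known to the caller, grace_days how far a patch
    level may postdate the build (vendors get bulletins early), max_lag_days
    how stale it may be before being flagged. Thresholds are assumptions."""
    result = {"patch_level": None, "build_date": None, "days_after_build": None,
              "days_behind_bulletin": None, "issues": []}
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw) if PATCH_RE.match(raw) else None
    except ValueError:  # right shape, impossible date (e.g. month 13)
        level = None
    if level is None:
        result["issues"].append("missing or malformed patch level")
        return result
    result["patch_level"] = level.isoformat()

    # A patch level later than any published bulletin cannot be honest.
    newest = date.fromisoformat(latest_bulletin)
    if level > newest:
        result["issues"].append("patch level postdates newest bulletin")
    lag = (newest - level).days
    result["days_behind_bulletin"] = max(lag, 0)
    if lag > max_lag_days:
        result["issues"].append(f"patch level lags newest bulletin by {lag} days")

    # A build cannot contain fixes published long after it was compiled.
    utc = props.get("ro.build.date.utc", "")
    if utc.isdigit():
        built = datetime.fromtimestamp(int(utc), tz=timezone.utc).date()
        result["build_date"] = built.isoformat()
        ahead = (level - built).days
        result["days_after_build"] = ahead
        if ahead > grace_days:
            result["issues"].append(f"patch level postdates build by {ahead} days")
    return result
```

On the constructed sample (built 2017-09-01, claiming 2017-12-01, checked against an assumed 2018-04-01 bulletin) both the lag and the postdates-build checks fire; a real check would still need per-vulnerability probing, as SRL did, to prove anything about individual fixes.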
Independent malice (Score:2)
One amazing thing about the report is how widespread this is. These companies do not collaborate in non-implementation of patches and lying about it. They probably invented this way of cheating the customer independently.
Re: Independent malice (Score:2)
At the company I work at, the product team would definitely be looking at competitors doing this sort of thing at trade shows et al. If these companies don't know what their competitors are up to, they don't last long.
Fragmentation problem is now solved (Score:2)
Re: (Score:1)