Date: 2018-04-12
Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com)
An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there get regular security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.
One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.
As soon as it's shipped, they move on to the next product. They have neither the time, resources, nor inclination to maintain older versions of phones -- because they want you to buy a new one.
One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.
You get what you pay for.
And one of the huge benefits of Android is that you aren't locked into one manufacturer. This is why you can get Android devices with SD card slots, dual SIMs, dual screens, touch sensitive sides, built in projectors, big screens, small screens, etc. If you don't want any of that, by all means buy Apple.
Heck, you can even buy an Android phone that gets the most up to date software and patches. All you have to do is pay for it. It costs about as much as an iPhone... surprised?
Plenty of the blame goes on carriers. If you have the new hotness, expect fairly regular updates. If not, good luck. Planned obsolescence is a load of crap perpetrated by carriers and manufacturers. I'd actually put more of the blame on carriers now that you pay full price + interest for phones in the US.
Manufacturers need to say no to carriers' ROMs or let us load the manufacturer's ROM with no Knox trips.
Manufacturers need to say no to carriers' ROMs or let us load the manufacturer's ROM with no Knox trips.
If you are a struggling Android device maker (as are they all), that is not even close to an option. If you say no there are 100 other manufacturers waiting to get their phones approved on the carriers' network.
Average missing patches per device from each manufacturer
0 or 1 - Google, Samsung, and Sony
1 to 3 - Xiaomi, OnePlus, and Nokia
3 to 4 - HTC, Huawei, LG, and Motorola
4 or more - TCL and ZTE
I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.
Ran the tool. Confirmed that my LG is missing 3.
or meltdown (the CPU bug)
As opposed to the Samsung Galaxy Note 8 meltdown. Thanks for clarifying.
Why would we presume that security updates are current?
Apparently no one on Google management realized that abuse would eventually cause damage to Google's reputation.
IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.
The question is how they know the devices are missing the patch. Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.
Because of vendor specific code changes, patches don't always apply cleanly and need changes, or the issue may have been fixed by the vendor in a different way, or even not relevant to the vendor's dist.
..."We found several vendors that didn't install a single patch but changed the patch date forward by several months,"...
If a phone that falsely indicated patches were installed were taken over by malware because of the lack of patches, would that phone manufacturer be liable because of the lies?
