Some Android vendors do not fully deploy security updates
Security researchers at the Security Research Lab in Germany have made a startling discovery. After reverse engineering the operating system code of 1200 Android devices, Karsten Nohl and Jakob Lell found that some smartphone manufacturers did not honestly patch their devices. The two researchers' work consisted mainly of checking the code to confirm whether the security patches reported in the phone's settings had actually been applied.
In many cases, they discovered a "patch gap": some manufacturers had not actually applied a patch.
Wired reported that the SRL researchers named a number of dishonest manufacturers. Even big names such as Xiaomi, OnePlus, and Nokia had, on average, missed one to three security patches.
In addition, devices from HTC, Motorola, and LG were missing 3 to 4 of the patches their vendors claimed. The average number of missing patches for ZTE and TCL handsets exceeds four.
SRL also pointed out a relationship between missing patches and the chipset used by the phone. Low-end devices that use cheap processors are more likely to skip patches.
For example, devices with MediaTek chips were missing 9.7 patches on average. In contrast, devices with Samsung processors skipped far fewer patches.
Google said it appreciated SRL's research but pointed out that some of the devices analyzed may not be Android certified, or may fail to comply with the company's security standards.
More importantly, Google pointed out that modern Android phones have security features in place, so that even if they contain unpatched vulnerabilities, they are hard to crack.
In addition, under certain circumstances, the vendor may remove a vulnerable feature from the device instead of fixing it, which may also be an objective reason for the absence of certain vulnerabilities.
Finally, Google stated that it would cooperate with SRL in an in-depth investigation. Nohl also agreed with the company’s view that “some unpatched devices are still difficult to crack”, thanks to many security measures deployed by Google.
Source: Wired