Research says most Android phone makers lie on security patches

Over the past two years, Google and Android phone vendors have sped up the delivery of security patches. Since 2015 Google has published a monthly Android security bulletin, and vulnerabilities are now fixed far faster than before.

When a given patch actually reaches users, however, depends on the phone model and its manufacturer, and in some markets (the United States, for example) on the carrier as well.

Now an implementation-level problem has been exposed. Even manufacturers that promise regular updates skip several patches, and a few install no patches at all yet change the declared security patch level so that users believe the system is up to date. In other words, Android phone manufacturers may be hiding information about the security of their devices.

At Hack in the Box, a security conference in Amsterdam, the Netherlands, on the 13th, two researchers from Security Research Labs (SRL) presented a two-year study covering hundreds of Android models and discussed the problem.

Some of the findings have been published on SRL's website, and Wired magazine's interview with SRL Labs founder Karsten Nohl covers the same issue. The detailed report will be posted online only after the SRL talk.

According to the material SRL provided and the Wired interview, SRL's report finds that Android phone manufacturers are unreliable about applying security patches: most of them have skipped several patches that they claim to have installed.

Sample sizes per vendor: Few = 5-9 devices; Many = 10-49; Lots = more than 50 | Image: SRL Labs

According to the report, some of the causes lie with the phone manufacturers themselves: Xiaomi and Nokia models miss 1-3 patches on average. Others lie with the chip vendors: when a vulnerability is at the chip level, the phone manufacturer has to wait for the patch from the chip vendor. Cheaper models generally use low-end chipsets, which is why cheaper models tend to miss more patches.

Number of missed security patches by chip vendor | Image: Wired

Even among cheap models, treatment differs. SRL's report uses two low-cost Samsung handsets as examples: the J3, launched in 2016, claims to have installed every security patch released in 2017 but in fact lacks 12 of them, whereas the J5 launched in the same year tells the user which patches have not yet been installed.

SRL reverse engineered the Android firmware of 1,200 phones and checked whether the security patches released in 2017 were actually present in the code. Only models whose declared security patch level was October 2017 or later were included in the sample.
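The comparison SRL's study makes, between the patch level a build declares in the system property ro.build.version.security_patch (readable with `adb shell getprop ro.build.version.security_patch`) and the fixes actually verified in the firmware, can be modelled as follows. This is an added example, not SRL's tooling or code from the article; SRL verified patches by reverse engineering, and the script only shows the bookkeeping that follows such verification. The fix identifiers, the catalog and the three sample devices are constructed, and the sampling cutoff is the October 2017 criterion stated above. The one fact it relies on beyond the article is the structure of Android's bulletins: two levels per month, YYYY-MM-01 for framework fixes and YYYY-MM-05 for device, kernel and chipset fixes, each asserting every earlier level as well.

```python
"""Patch-level audit: declared Android security patch level vs. verified fixes.

Added example; not SRL's tooling or code from the article.  The fix
identifiers and device records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# SRL's inclusion criterion: declared patch level of October 2017 or later.
SAMPLE_CUTOFF = date(2017, 10, 1)


def parse_patch_level(value: str) -> date:
    """Parse ro.build.version.security_patch (e.g. '2017-11-05') into a date.

    Android bulletins publish two levels per month: YYYY-MM-01 covers the
    AOSP/framework fixes, YYYY-MM-05 additionally covers device, kernel and
    chipset (vendor) fixes.  Any other day value is not a valid level.
    """
    year, month, day = (int(part) for part in value.strip().split("-"))
    if day not in (1, 5):
        raise ValueError(f"not a valid security patch level: {value!r}")
    return date(year, month, day)


def claimed_bulletins(level: date, year: int = 2017) -> set[str]:
    """Bulletin levels of `year` that a build declaring `level` asserts it includes.

    A declared level asserts every earlier level too, so a build at
    2017-12-05 claims all 24 levels of 2017.
    """
    return {
        date(year, month, day).isoformat()
        for month in range(1, 13)
        for day in (1, 5)
        if date(year, month, day) <= level
    }


# Constructed catalog: three placeholder fixes per 2017 bulletin level.
# Real bulletins list CVE IDs; these names are deliberately not CVEs.
CATALOG = {
    level: {f"{level}/fix-{n}" for n in (1, 2, 3)}
    for level in claimed_bulletins(date(2017, 12, 5))
}


@dataclass
class DeviceAudit:
    model: str
    declared: date
    in_sample: bool      # meets the October 2017 cutoff
    missing: frozenset   # fixes the declared level claims but the firmware lacks

    @property
    def overstated(self) -> bool:
        """True when the declared level asserts fixes that were not found."""
        return bool(self.missing)


def audit(model: str, declared_level: str, verified_fixes) -> DeviceAudit:
    """Compare what the patch level claims against fixes verified in the firmware."""
    declared = parse_patch_level(declared_level)
    expected = set().union(*(CATALOG[b] for b in claimed_bulletins(declared)))
    missing = frozenset(expected - set(verified_fixes))
    return DeviceAudit(model, declared, declared >= SAMPLE_CUTOFF, missing)


def all_fixes_up_to(level: str) -> set[str]:
    """Every catalog fix that a given declared level claims (used for sample data)."""
    return set().union(*(CATALOG[b] for b in claimed_bulletins(parse_patch_level(level))))


# Constructed sample devices (hypothetical models, not SRL's measurements).
SAMPLE_DEVICES = [
    # declared level matches what was found in the firmware
    ("phone-honest", "2017-11-05", all_fixes_up_to("2017-11-05")),
    # claims December, but the March and April fixes (a dozen) are absent
    ("phone-overclaim", "2017-12-05",
     all_fixes_up_to("2017-12-05") - CATALOG["2017-03-01"] - CATALOG["2017-03-05"]
     - CATALOG["2017-04-01"] - CATALOG["2017-04-05"]),
    # declared level predates the cutoff, so it is excluded regardless
    ("phone-old", "2017-08-01", all_fixes_up_to("2017-08-01")),
]


def run_sample() -> list:
    results = [audit(*dev) for dev in SAMPLE_DEVICES]
    for r in results:
        if not r.in_sample:
            status = "excluded (declared level before cutoff)"
        elif r.overstated:
            status = f"overstated: {len(r.missing)} claimed fixes missing"
        else:
            status = "consistent"
        print(f"{r.model:16} level {r.declared}  {status}")
    return results


if __name__ == "__main__":
    run_sample()
```

The point a practitioner should take from the model: a patch level is a claim about every bulletin up to that date, so a single missing fix from an earlier month makes the declared level false, and a level whose day is neither 01 nor 05 is not a valid claim at all.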

The 1,200 handsets come from the major Android manufacturers, including the three largest by sales, Huawei, Xiaomi and Samsung, plus OnePlus, HTC, LG and Motorola.

A more common pattern is that older models are not patched promptly. Karsten Nohl, founder of SRL Labs, said it is common for Android phone manufacturers to neglect system upgrades and security patches on older models.

It is worth noting, however, that the report has limits in its coverage of manufacturers and models: two Android phone makers, OPPO and vivo, are not included, and only a few brands, Google's Pixel phones among them, had more than 50 devices sampled.

A missing security patch does not by itself mean the phone can be attacked, as SRL Labs itself points out.

Responding to the SRL report, Google told Wired that it is looking into why some Android phones lack certain patches and that it will work with SRL Labs on further investigation. Google explained that some manufacturers may remove a vulnerable feature outright instead of patching it, and that some phones cannot be fixed by installing a given patch at all.

Moreover, even without a particular patch, the security features built into current Android releases make attacks difficult. Google's response noted that security updates are only one of the layers protecting Android devices and their users; others include the application sandbox and the Google Play Protect service.

After the Stagefright vulnerabilities in 2015, Google and some Android vendors sped up the delivery of security patches. Progress is still not fast enough, however.

In March of last year, Google's annual Android security review also listed 16 phone models that had been receiving security patches monthly. Six of them were Google's own Nexus and Pixel phones; Samsung, OPPO and vivo had one model each.
