
apolloa

Suspended
Original poster
Oct 21, 2008
12,318
7,802
Time, because it rules EVERYTHING!
Interesting story linked below, a group has checked over 1200 Android phones from all makes, including Google and Samsung and Sony, and has found them to be missing parts of security patches the manufacturers say they got.

So if Google released a security patch version XXXX and Samsung releases it for their phones, those patches are actually missing some of the security updates that Google originally released in those patches, the manufacturer did not include them in their device's update, so you think you may have a security hole patched because you're running version XXXX, when in fact your device did not get that particular patch.

Have a read, it seems to affect the lesser known brands more but they did note Samsung and Sony devices missing the odd patch, they have a tool you can use to scan your phone to check if you're missing any patches in the security updates:

http://www.theverge.com/2018/4/12/17228510/android-phone-manufacturers-missed-security-updates-lie
 

AustinIllini

macrumors G5
Oct 20, 2011
12,699
10,567
Austin, TX
This is crazy. People ask me for Android phone recommendations and with the misstep from the Pixel line this year, it's hard to recommend any of them in light of this.
 

mib1800

Suspended
Sep 16, 2012
2,859
1,250
This is crazy. People ask me for Android phone recommendations and with the misstep from the Pixel line this year, it's hard to recommend any of them in light of this.

And the world is gonna end for all Android users tomorrow when all their money, identity and lives will be stolen. iPhone users can rejoice.
 

IowaLynn

macrumors 68020
Feb 22, 2015
2,145
589
When you have a different OS, 7.1.1. vs 8.0.0 or 8.1 and all the out of date 6.0/6.01, plus how fragmented Android is.... that 'patch' may not apply.
 
Reactions: eltoslightfoot

nviz22

Cancelled
Jun 24, 2013
5,277
3,071
When you have a different OS, 7.1.1. vs 8.0.0 or 8.1 and all the out of date 6.0/6.01, plus how fragmented Android is.... that 'patch' may not apply.

Keep me at 8.0 vs 8.1 if it means getting monthly security patches. I can see why people want the Pixel or iPhone for security purposes. If it wasn't for Knox or certified protection, Samsung would be cooked.
 
Reactions: apolloa

TRDmanAE86

macrumors 6502
Jan 27, 2015
310
51
New England
One of the downsides of Android is definitely the consistency of security patches/major software versions. Fragmentation is horrible (especially when carrier models and unlocked models are considered in the equation).

Last summer, I was researching a ZTE branded AT&T Go-phone being sold at my local CVS. As it turns out, this particular phone was over 2 model years old and has not received a single security patch and had an unlocked bootloader. Amusingly, a different variation of this same phone (this one was the Cricket model I believe) already got 3 security updates.

With my main phone, an AT&T branded LG V10, it's pretty much an afterthought since it was not a top-selling model and it was part of bootloopgate. Thus, security patches have been skipped and now the phone is at the end of support for updates. AT&T were thinking about giving it Nougat; however, they decided not to while the Unlocked and T-Mobile variants got it (and after AT&T received the regular update from LG).
 

AustinIllini

macrumors G5
Oct 20, 2011
12,699
10,567
Austin, TX
Most logical iPhone users want to have good competition, not someone sucks less...which is where we are now.
Agreed. Without android, iPhone would still probably have a 3.5 inch screen.
Google clearly don't give a ****.
Google has nothing to do with it. These are OEMs omitting Google security fixes. Google is likely powerless to address this issue.
 

LIVEFRMNYC

macrumors G3
Oct 27, 2009
8,877
10,987
Not surprised. Which is one of several reasons I always thought putting a date on Android security patches needs to be axed, along with the reason of people's impatience. 99% of users don't even know what's getting patched, including myself.

This is equivalent to skipping on Windows updates for several months, but between all the other security measures, you'll still have sufficient protection. Most Android users are probably only at 0.1% higher risk of an attack from not being on the latest security patch. Although this is a problem which Google and manufacturers need to address, in the broad scale it's much ado about nothing.

On another note ... would Project Treble eventually make this an issue of the past?
 
Reactions: jamezr

GigabitEthernet

macrumors 65816
Jun 21, 2013
1,195
896
United Kingdom
Agreed. Without android, iPhone would still probably have a 3.5 inch screen.
Google has nothing to do with it. These are OEMs omitting Google security fixes. Google is likely powerless to address this issue.

Google has a responsibility, it is fundamentally their OS. I get it is open source but they should make it a condition of Google Services that updates must be done in a certain timeframe.
 

IowaLynn

macrumors 68020
Feb 22, 2015
2,145
589
Google now has Project Treble to enforce some compliance and make it somewhat easier with going forward with any phone that ships with 8.x or later.

“P” takes it a step further and 64-bit compliance in 2019.

But that leaves 100’s of phones with older vulnerable unpatched software, perfect for being harvested by new waves of malware that are more sophisticated.
 
Reactions: 5105973

AustinIllini

macrumors G5
Oct 20, 2011
12,699
10,567
Austin, TX
Google has a responsibility, it is fundamentally their OS. I get it is open source but they should make it a condition of Google Services that updates must be done in a certain timeframe.
Google has little to no recourse. They make money by selling Google Play Services as a package with the Android OS. A company like Samsung can probably muscle them as they are a large customer of Google Play Services.

The reality is, Google likely knows this is happening but understands its relationship with OEMs like Samsung is too important to outweigh the Android security push.
 
Reactions: jamezr

Michael Goff

Suspended
Jul 5, 2012
13,329
7,422
Google now has Project Treble to enforce some compliance and make it somewhat easier with going forward with any phone that ships with 8.x or later.

“P” takes it a step further and 64-bit compliance in 2019.

But that leaves 100’s of phones with older vulnerable unpatched software, perfect for being harvested by new waves of malware that are more sophisticated.

Project Treble won’t enforce anything.
 

Michael Goff

Suspended
Jul 5, 2012
13,329
7,422
Right. Unless Google comes up with a Google certification program for Android and advertises it heavily, you're not going to see anything change.

Exactly. I don’t think people understand what Treble does. It makes it easier for companies to update, but that’s it.
 

IowaLynn

macrumors 68020
Feb 22, 2015
2,145
589
If it shipped with Oreo then isn’t Project Treble support if you want to have Google support. And updates will be done differently.
  • However, what is happening with Project Treble is that Google is requiring that any vendor-specific code be separated from the Android OS framework and instead live in its own vendor implementation. Usually this means that there is now a separate /vendor partition on Treble-enabled smartphones that contains a bunch of HALs (Hardware Abstraction Layers).
https://www.xda-developers.com/how-project-treble-revolutionizes-custom-roms-android-oreo/
 

mrex

macrumors 68040
Jul 16, 2014
3,458
1,527
europe
and everybody thinks that ios is better? have you checked how many times apple doesn't patch security issues and how many of them are still without patching, partly because people don't want to update the ios and partly because apple doesn't support old devices any more (=fragmented). for example, in 2017, vulnerabilities in os (top 5):

1. android, over 800 (A bad year for android)
2. linux kernel, over 400
3. ios, almost 300
4. macos, 300
5. win10, around 250

all time stats https://www.cvedetails.com/top-50-products.php?year=0

and a reality check ”how well is my old device supported by apple?”
https://www.ctrl.blog/entry/apple-abandoned-product-security

so, do you really think that apple patches everything?? there are many security holes still on ios and macos that haven't been fixed although they are known. and that should be the thing to talk about when apple has the os and the hw to control. still they left holes behind...

the more or the less known fact is that most of the android related bugs are fixed via playstore without needing an os update. how many times has apple fixed a security hole without needing to update the whole os? so, how many iphones are out there with huge amount of security holes because they have not been updated to current os? yes, ios is badly fragmented - yes it is! - and many iphones don't have patched os or apple ditched them anyway. ”But apple provided a new os for your old iphone and it was your choice not to update.” did you ask yourself why the user didn't update the iphone? but, it is not sexy to talk about apple and security, it is more sexy to talk about how bad android is...

when it comes to updating android, it is a bit of a heavy process, starting from google, ending with carriers... when google fixes something in android, it usually takes months before e.g. samsung even can bring it to the customer (something to fix, too heavy process, imo.). this is already an old article about it but gives some perspective to android vs apple https://readwrite.com/2014/01/28/android-version-updates-take-so-long-get-smartphone/

is android bad? no! shouldn't you compare android vs apple more like google vs apple? google devices get their patches immediately and almost all of them are updated. so are google devices as fragmented as apple devices?

if you want and need to get every update, get a google device.

btw. i have iphone, ipad/ipad pro, macbook pro, atv, and not really using android at all anymore... but i do not understand this ”Omg, how bad it is...” when closing your eyes and living in a bubble that apple has told you for years... for sure, i feel better with apple, but still come on... it is not a heaven! and for me the problem isn't the android os itself, it is secure(!), but the fact that google allows devs to change privileges too easily after google has approved the app in playstore and from the beginning apps have too many privileges without needing them. there have been several apps in playstore that i have reported to google and they were removed. until google does it better i stay with apple, playstore app should be checked by google, not by a user...
 

hallux

macrumors 68040
Apr 25, 2012
3,443
1,005
Google has a responsibility, it is fundamentally their OS. I get it is open source but they should make it a condition of Google Services that updates must be done in a certain timeframe.

Google release OS patches monthly but patching of the non-Pixel and non-Nexus devices (specifically older ones anyway) is up to the carriers and manufacturers. The point of Project Treble is to try to help those OEMs by forcing the manufacturer customizations into a different space to make it easier to do those monthly updates - possibly even by allowing them to be pushed by Google directly.

Oh - there's another thread on this already.. Lies and Security Patches | MacRumors Forums
 
Reactions: AustinIllini

Michael Goff

Suspended
Jul 5, 2012
13,329
7,422
If it shipped with Oreo then isn’t Project Treble support if you want to have Google support. And updates will be done differently.
  • However, what is happening with Project Treble is that Google is requiring that any vendor-specific code be separated from the Android OS framework and instead live in its own vendor implementation. Usually this means that there is now a separate /vendor partition on Treble-enabled smartphones that contains a bunch of HALs (Hardware Abstraction Layers).
https://www.xda-developers.com/how-project-treble-revolutionizes-custom-roms-android-oreo/

Treble just means updates are easier. It doesn’t mean they’ll actually happen.
 

AustinIllini

macrumors G5
Oct 20, 2011
12,699
10,567
Austin, TX
Google release OS patches monthly but patching of the non-Pixel and non-Nexus devices (specifically older ones anyway) is up to the carriers and manufacturers. The point of Project Treble is to try to help those OEMs by forcing the manufacturer customizations into a different space to make it easier to do those monthly updates - possibly even by allowing them to be pushed by Google directly.

Oh - there's another thread on this already.. Lies and Security Patches | MacRumors Forums
Nailed it. And there's a key difference here. It is the OEM's responsibility to update their devices. Google provides the OEMs with the tools they need to support their customers. Google is not responsible for the shortcomings of the carriers. They make no direct money off of Android. Google Play Services? Sure. Google's job is to support their OS/Services with the Carriers and OEMs as the customers. The OEMs and Carriers are responsible for their products being safe.

Because Apple has removed the carrier from the equation and is the only OEM (if you accept Foxconn as a silent OEM partner), it is the responsibility of Apple to keep their devices safe and secure.
 

nviz22

Cancelled
Jun 24, 2013
5,277
3,071
Nailed it. And there's a key difference here. It is the OEM's responsibility to update their devices. Google provides the OEMs with the tools they need to support their customers. Google is not responsible for the shortcomings of the carriers. They make no direct money off of Android. Google Play Services? Sure. Google's job is to support their OS/Services with the Carriers and OEMs as the customers. The OEMs and Carriers are responsible for their products being safe.

Because Apple has removed the carrier from the equation and is the only OEM (if you accept Foxconn as a silent OEM partner), it is the responsibility of Apple to keep their devices safe and secure.

Until CDMA goes away, Samsung will struggle to remove carriers out of the equation. Qualcomm gets to have a stronghold on the American market. Other OEMs should abide by Google's standards before things get worse and worse. HTC used to be the standard for third-party Android OEM updates.
 