Study into missed security updates casts doubt on Google's Android patch level system.
Google has spent the past two years building momentum behind its Android monthly patch level system, but a study has found critical patches that should be on devices displaying a patch level aren't actually present.
The 'hidden patch gap' in Android devices was discovered by researchers Karsten Nohl and Jakob Lell of German security firm Security Research Labs.
The pair are presenting the results of their two-year analysis of 1,200 Android phones today at the Hack in the Box conference in Amsterdam.
The results, shared with Wired, show that some popular Android devices are missing as many as a dozen patches that users would expect to be present, based on the date-formatted patch level string displayed in the device's settings.
Google introduced the monthly Android updates in 2016, shortly after the Android-wide Stagefright bugs emerged.
Ever since, it has been pushing the industry to adopt the regular updates as part of an effort to clean up Android's image and improve security. Google usually releases two patch levels each month: one just for Android bugs, and another for bugs in kernel and chipset drivers.
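The two-levels-per-month convention described above is exactly what a verifier has to reason about when it checks a claimed patch level. The Python below is added here as an illustration and is not code from SRL, Google or the article: it validates a claimed patch level string, derives the set of fixes a device carrying that string should contain from a constructed bulletin table (the identifiers are placeholders, not real CVEs), and reports which of them an independent check found absent.

```python
import re
from datetime import date

# Constructed sample of bulletin entries: (patch level the fix belongs to, identifier, severity).
# The identifiers are placeholders for illustration, not real CVE numbers.
SAMPLE_BULLETIN = [
    ("2017-11-01", "CVE-PLACEHOLDER-A", "critical"),
    ("2017-11-05", "CVE-PLACEHOLDER-B", "high"),      # kernel/chipset level for November
    ("2017-12-01", "CVE-PLACEHOLDER-C", "critical"),
    ("2017-12-01", "CVE-PLACEHOLDER-D", "high"),
    ("2017-12-05", "CVE-PLACEHOLDER-E", "critical"),  # kernel/chipset level for December
]

# A patch level is YYYY-MM-01 (Android framework fixes only) or YYYY-MM-05 (framework
# plus kernel and chipset driver fixes for that month).
PATCH_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(01|05)$")


def parse_patch_level(level):
    """Validate a patch level string and return it as a date for ordering."""
    m = PATCH_LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"not an Android patch level string: {level!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def expected_fixes(claimed_level, bulletin=SAMPLE_BULLETIN):
    """Every bulletin entry at or before the claimed level must be present on the device.
    A YYYY-MM-01 claim therefore covers the previous month's -05 level but not this month's."""
    claimed = parse_patch_level(claimed_level)
    return {ident for level, ident, _ in bulletin if parse_patch_level(level) <= claimed}


def missing_fixes(claimed_level, installed, bulletin=SAMPLE_BULLETIN):
    """Return {identifier: severity} for fixes the claim implies but a verifier did not find.
    `installed` is the set of fixes an independent check (e.g. a verification app) confirmed."""
    severity = {ident: sev for _, ident, sev in bulletin}
    absent = expected_fixes(claimed_level, bulletin) - set(installed)
    return {ident: severity[ident] for ident in absent}


def summarize(claimed_level, installed, bulletin=SAMPLE_BULLETIN):
    """Counts in the same shape as the study's results: missing total and missing critical."""
    missing = missing_fixes(claimed_level, installed, bulletin)
    critical = sum(1 for sev in missing.values() if sev == "critical")
    return {"claimed": claimed_level, "missing": len(missing), "critical": critical}


if __name__ == "__main__":
    # Constructed case: the device claims the full December level but only two fixes are present.
    print(summarize("2017-12-05", {"CVE-PLACEHOLDER-A", "CVE-PLACEHOLDER-C"}))
```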
Google reported in its 2017 Android security review that the system had resulted in 30 percent more devices receiving security patches compared with 2016.
But, according to Nohl, some Android manufacturers appear to be gaming the patch level system to falsely improve their image. And, as vendors chalk up security points for non-existent patches, end users are left with a false sense of security.
"Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best," he told Wired.
The study looked at all 2017 patches on a range of devices from Google, Sony, Samsung, Wiko, Xiaomi, OnePlus, Nokia, HTC, Huawei, LG, Motorola, TCL, and ZTE. The researchers calculated the average number of missing patches for each patch level over the year for the brands.
Google, Sony, Samsung, and Wiko were missing up to one patch, while Xiaomi, OnePlus, and Nokia were missing between one and three. TCL and ZTE were the worst offenders, missing more than four, while HTC, Huawei, LG, and Motorola were missing between three and four.
But there were some curious outliers in the results, too. A 2016 Samsung J3 carrying a patch level from the end of 2017 lacked 12 patches issued that year, two of them critical.
The results also reflect poorly on LG and Motorola, given their early participation in Google's monthly patch program.
A possible source of missing patches is the chipset used in a device and the vulnerabilities specific to it. Devices with MediaTek chipsets, which are often used in cheaper handsets, were found to have an average of 9.7 missing patches.
Google pointed out that security updates are just one of several layers of security that together make it hard to actually exploit Android devices. Other protections include app sandboxing, Google Play Protect, and the diversity of the Android ecosystem.
Nohl agrees that exploiting Android vulnerabilities remains difficult because of these security layers, and points out that an easier and more common route to compromising Android devices is through malicious apps -- whether distributed inside Google Play or outside the store.
Nonetheless, Android users should be able to trust that a patch level string is a truthful reflection of the state of their handset.
"Now that monthly patches are an accepted baseline for many phones, it's time to ask for each monthly update to cover all relevant patches. And it's time to start verifying vendor claims about the security of our devices," SRL writes.
Users who want to monitor the patch state of their device can use SRL's free patch verification app, SnoopSnitch.
Security Research Labs' table shows the average number of missing critical and high-severity patches before the claimed patch date.
Image: Security Research Labs