With Android P, "all traffic should be encrypted, regardless of content, as any unencrypted connections can be used to inject content, increase attack surface for potentially vulnerable client code, or track the user", Android security engineer Chad Brubaker wrote. This refers to a scenario where the phone's software would claim it was up to date with security patches but had actually missed a number of them.
Each monthly security update contains a collection of patches for a variety of security bugs.
Some Android vendors are purposefully lying about the latest security update on their phones. The Berlin-based team found that many Android phone manufacturers were far behind on updates, or even lying about the last security update applied to the phone. Sony and Samsung devices were found to have skipped only zero or one security update.
Meanwhile, Google has responded to the report, saying it is working with SRL Labs to further investigate its findings. In an emailed statement to Gadgets 360, Google said: "We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem".
"We found several vendors that didn't install a single patch but changed the patch date forward by several months", Nohl told WIRED. "It's nearly impossible for the user to know which patches are actually installed", one of the researchers told the site. According to the study, phones with Samsung-made chips had far fewer skipped updates.
One possible explanation for why vendors skip patches is the chipsets they use in their devices. But the researchers found there is often a hidden "patch gap" between what the manufacturers tell users and what they actually do to the software: some simply tell people they have updated the phones without actually patching anything.
It is worth noting that some of the devices tested may not have been "Android Certified".
While many of these missed security patches may not be inherently unsafe in isolation, attackers typically chain together multiple security holes to reach their goal of taking over devices and stealing data. "Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks". The company tried to do some damage control by pointing to mechanisms such as Google Play Protect, which it is developing as an extra layer of security. Android's fragmentation, however, remains an unsolved problem.