Published: Fri, April 13, 2018
Research | By Raquel Erickson

How Android phones hide missed security updates


At the Hack in the Box security conference in Amsterdam this Friday, Karsten Nohl and fellow Security Research Labs (SRL) researcher Jakob Lell will present the results of a two-year test that revealed what they call the "patch gap": Android devices whose reported security patch level claims fixes that are not actually installed on the handset.

In a statement provided to TechCrunch, Google pointed to the range of different measures used to secure the Android ecosystem. The patch level a phone displays in its settings, however, is just a string, and it is incredibly simple to fake: anyone with a rooted device could do it by editing ro.build.version.security_patch in build.prop. The issue did not extend to Google's own devices, so owners of the Pixel and Pixel XL, or the Pixel 2 and Pixel 2 XL, were safe, but the report claims that some OEMs, including Sony, Samsung and Wiko, had missed at least one security patch.

This OnePlus phone seems to be in decent, if outdated, security shape.

In some cases the researchers attributed the gaps to human error: Nohl believes that companies like Sony or Samsung sometimes accidentally missed a patch or two. Google's statement further argued that modern Android phones come with security features that make them hard to hack even when they do have unpatched security vulnerabilities.

For consumers, it is hard to tell whether their device has actually been receiving the security updates it claims to have. Does that necessarily mean that TCL and ZTE are at fault?


Several phone makers have allegedly been misleading consumers about their devices' protection. Mid-range manufacturers are already known to lag behind in delivering updates, and the research found that they also missed more patches than the flagship brands.

As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap".

Security Research Labs analysed a large number of devices running Google's Android operating system, and found that some vendors fail to apply critical and high severity security patches.

If you're curious how your own phone is faring, you can check out SRL's SnoopSnitch app, which compares the patch level your phone claims to have installed with the fixes actually present on the handset. SRL lists the permissions the app requires and explains why it needs each of them.
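The two points above, that the displayed patch level is a freely editable string and that a real check has to compare that claim against the fixes actually present, can be shown in a few lines. The following is an added example and is not SRL's, SnoopSnitch's or Google's code: the build.prop excerpt and the per-fix test results are constructed stand-ins (the check ids are placeholders, not real fix identifiers), and the only real Android name in it is the ro.build.version.security_patch property.

```python
"""Compare the security patch level an Android build claims with the
fixes actually present, and show how trivially the claim can be changed.

Added example, not code from SRL or Google. The patch-test results are a
constructed stand-in for the per-fix binary checks an app like
SnoopSnitch performs; only ro.build.version.security_patch is real Android.
"""
import re
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed build.prop excerpt (hypothetical device, not captured from hardware).
SAMPLE_BUILD_PROP = """\
ro.build.version.release=8.0.0
ro.build.version.security_patch=2018-03-05
ro.product.manufacturer=ExampleOEM
"""

_PATCH_RE = re.compile(
    r"^ro\.build\.version\.security_patch=(\d{4})-(\d{2})-(\d{2})\s*$", re.M
)


def claimed_patch_level(build_prop: str) -> Optional[date]:
    """Return the patch level the build *claims* (what Settings displays),
    or None if the property is absent or malformed."""
    m = _PATCH_RE.search(build_prop)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # e.g. month 13
        return None


def spoof_patch_level(build_prop: str, new_level: date) -> str:
    """Rewrite the claimed level. This is all a rooted device needs to do
    to 'gain' a newer patch level without installing a single fix."""
    return _PATCH_RE.sub(
        f"ro.build.version.security_patch={new_level.isoformat()}", build_prop
    )


# (bulletin month, check id, status); status is 'patched', 'missing' or
# 'untested'. Constructed data: check ids are placeholders for individual fixes.
SAMPLE_TEST_RESULTS: List[Tuple[str, str, str]] = [
    ("2018-01", "check-1", "patched"),
    ("2018-01", "check-2", "patched"),
    ("2018-02", "check-3", "missing"),
    ("2018-02", "check-4", "patched"),
    ("2018-03", "check-5", "patched"),
    ("2018-03", "check-6", "untested"),
    ("2018-04", "check-7", "missing"),  # newer than the claim; not owed yet
]


def patch_gap_report(claimed: date, results: Iterable[Tuple[str, str, str]]) -> Dict:
    """For each bulletin month covered by the claimed level, list the fixes
    the claim says are installed but the checks say are absent."""
    claimed_month = claimed.strftime("%Y-%m")
    by_month: Dict[str, Dict[str, List[str]]] = {}
    for month, check_id, status in results:
        if status not in ("patched", "missing", "untested"):
            raise ValueError(f"unknown status {status!r} for {check_id}")
        by_month.setdefault(month, {"patched": [], "missing": [], "untested": []})
        by_month[month][status].append(check_id)
    # Only months at or before the claimed level are owed to the user;
    # zero-padded YYYY-MM strings compare correctly as text.
    months_checked = sorted(m for m in by_month if m <= claimed_month)
    gaps = {m: by_month[m]["missing"] for m in months_checked if by_month[m]["missing"]}
    return {
        "claimed": claimed_month,
        "months_checked": months_checked,
        "gaps": gaps,
        "missing_total": sum(len(v) for v in gaps.values()),
        "untested_total": sum(len(by_month[m]["untested"]) for m in months_checked),
    }


if __name__ == "__main__":
    level = claimed_patch_level(SAMPLE_BUILD_PROP)
    print("claimed:", level)
    print("report:", patch_gap_report(level, SAMPLE_TEST_RESULTS))
    spoofed = spoof_patch_level(SAMPLE_BUILD_PROP, date(2018, 4, 5))
    print("after editing build.prop:", claimed_patch_level(spoofed))
    # Same binaries, same missing fixes: the string moved, the fixes did not.
    print("report:", patch_gap_report(claimed_patch_level(spoofed), SAMPLE_TEST_RESULTS))
```

The design point is that the report is keyed on the claim: raising the claimed date with spoof_patch_level does not shrink the gap, it widens it, because more bulletin months become "owed" while the test results stay the same. An 'untested' status is reported separately from 'missing' so that a check the tool could not run is never counted as a patch the vendor skipped.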
