Slashdot Mirror


Some Android Device Makers Are Lying About Security Patch Updates (phonedog.com)

An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there get regularly security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.

27 of 116 comments

  1. Planned Obsolescence by A10Mechanic · · Score: 5, Insightful

    Boardroom banter: Why should we provide free updates, when we can sell them a new phone...

    1. Re:Planned Obsolescence by Anonymous Coward · · Score: 5, Insightful

      "My phone is still totally fast and has plenty of space, but I'm missing a few security patches, so I'll just buy a new phone." said no customer ever.

    2. Re:Planned Obsolescence by Anonymous Coward · · Score: 2

      No but if the phone gets hacked and starts "acting funny" the customer will assume it's broken and want to replace it.

    3. Re:Planned Obsolescence by green1 · · Score: 3, Interesting

      I sort of just did...

      I had a Samsung Galaxy Note 4. It's a better phone in almost every way to any phone on the market today. (processor is a hair slower than the newest phones, but I'd never found it slow at all, and its hardware feature set was so far beyond any other device you can buy now as to more than make up for it) But it also hasn't had a security patch in a long time, and several high profile security exploits have come out since the last one. As a result I decided to "upgrade" to a new phone. I miss the large screen on the Note4 (all the new phones quote larger numbers for screen size, but due to the 2:1 aspect ratio have fewer square inches, and less usable space as it's too narrow). I miss the IR transmitter on the Note4, I miss the removable battery (I was on my 3rd battery, something not possible on modern phones), I miss the MHL video output (very few phones have any wired video output capability anymore, despite that it used to be near ubiquitous), I miss the textured back that didn't require a bulky case to simply be able to hold on to.

      But I also knew that I couldn't reasonably hold on forever with the vain hope that someone releases decent hardware again some day.

    4. Re: Planned Obsolescence by Pax_Europa · · Score: 4, Informative

      I've inherited a hand-me-down Note 4 and am currently running the wonderful Resurrection Remix ROM (7.1), undervolted and underclocked, rooted with Magisk, and it's a fantastic phone IME.

      I've just noticed yesterday that Resurrection Remix has just released a new Oreo version for phones that include the Note 4, so it looks like it's still got some life left in this model yet.

  2. Well no shit... by Slugster · · Score: 2, Interesting

    This is because Google won't write a universal Android unlocking tool... As long as the unwashed masses can't really tell what the manufacturer did, why bother with anything difficult? ........There's a name for it...... Security through Deniability?

  3. No shit .... by Anonymous Coward · · Score: 5, Insightful

    Is anybody even remotely surprised?

    One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.

    As soon as it's shipped, they move on to the next product. They have neither the time, resources, nor inclination to maintain older versions of phones -- because they want you to buy a new one.

    The reality is, there are as many versions of Android as there are phones and companies who make them. And companies aren't going to spend the resources on a shipped product, because they've been paid for it already.

    So, yeah, they don't do updates, don't plan to do updates, and refuse to admit that it was abandonware before you even got your hands on it.

    To me, this is the greatest failing of Android.

    1. Re:No shit .... by farble1670 · · Score: 4, Insightful

      One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.

      You get what you pay for.

      And one of the huge benefits of Android is that you aren't locked into one manufacturer. This is why you can get Android devices with SD card slots, dual SIMs, dual screens, touch sensitive sides, built in projectors, big screens, small screens, etc. If you don't want any of that, by all means buy Apple.

      Heck, you can even buy an Android phone that gets the most up to date software and patches. All you have to do is pay for it. It costs about as much as an iPhone... surprised?

    2. Re:No shit .... by farble1670 · · Score: 4, Informative

      Even Google stopped supporting their Pixel phones, when almost their only selling point was getting proper updates.

      Google guarantees 3 years of updates (OS updates, not just patches) on the Pixel 2, and the Pixel 1 is guaranteed 3 years of patches (but I think only 2 years of OS updates):
        https://www.theverge.com/circu...

  4. Carriers... by yodleboy · · Score: 4, Insightful

    Plenty of the blame goes on carriers. If you have the new hotness, expect fairly regular updates. If not, good luck. Planned obsolescence is a load of crap perpetrated by carriers and manufacturers. I'd actually put more of the blame on carriers now that you pay full price + interest for phones in the US.

  5. Missing info from summary by Bob+the+Super+Hamste · · Score: 5, Informative

    Some missing info from the summary about the average number of missing patches per device from each manufacturer
    Average missing patches per device from each manufacturer
    0 or 1 - Google, Samsung, and Sony
    1 to 3 - Xiaomi, OnePlus, and Nokia
    3 to 4 - HTC, Huawei, LG, and Motorola
    4 or more - TCL and ZTE

    --
    Time to offend someone
    1. Re:Missing info from summary by ctilsie242 · · Score: 4, Informative

      I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.

    2. Re:Missing info from summary by leehwtsohg · · Score: 2

      It is easy to provide an update if you don't fix much...

    3. Re:Missing info from summary by tlhIngan · · Score: 5, Informative

      I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.

      The article is not about patches coming out on time. It's about patches that come out missing.

      It's easy to make a security patch that patches nothing other than updating the date you see in the about screen.

      That's what the article is about - just because your device is "up to date", doesn't mean it has all the patches. They basically took a patched phone and re-ran the vulnerability tests on them, only to find the patches were not applied despite claims they were by having the patches up to date.
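The self-reported patch level the comment above refers to is the `ro.build.version.security_patch` build property. The script below is an added example (not code from the article, SRL or any commenter) that reads that value for a fleet, measures how many monthly bulletins behind each device claims to be, and flags unparseable values; the `adb` helper and the sample fleet are assumptions, and the verdicts are deliberately worded as "claims", because the thread's point is that this string can be bumped without the fixes behind it.

```python
"""Triage the security patch level Android builds claim, and measure staleness.
Added example, not from the article or SRL: the claimed level is only a string the
vendor writes into the build, so this is a triage step, not proof of patching."""

import re
import subprocess
from datetime import date

PROP = "ro.build.version.security_patch"
_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def parse_patch_level(value: str) -> date:
    """Parse the 'YYYY-MM-DD' level a build reports; reject anything else."""
    m = _LEVEL_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected patch level format: {value!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))

def months_behind(claimed: str, latest_bulletin: str) -> int:
    """Count monthly bulletins between the claimed level and the newest one."""
    c, b = parse_patch_level(claimed), parse_patch_level(latest_bulletin)
    return max(0, (b.year - c.year) * 12 + (b.month - c.month))

def triage(fleet: dict, latest_bulletin: str) -> dict:
    """Map device id -> verdict; 'unparseable' flags a build reporting garbage."""
    verdicts = {}
    for device_id, claimed in fleet.items():
        try:
            lag = months_behind(claimed, latest_bulletin)
        except ValueError:
            verdicts[device_id] = "unparseable"
            continue
        if lag == 0:
            verdicts[device_id] = "claims current; verify with vulnerability tests"
        else:
            verdicts[device_id] = f"claims {lag} bulletin(s) behind"
    return verdicts

def read_claimed_level(serial: str) -> str:
    """Ask one connected device over adb (assumes adb is installed and authorized)."""
    out = subprocess.run(["adb", "-s", serial, "shell", "getprop", PROP],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

# Constructed sample fleet as getprop would print it; not real device data.
SAMPLE_FLEET = {"dev-a": "2017-12-05", "dev-b": "2017-08-05", "dev-c": "n/a"}

if __name__ == "__main__":
    for dev, verdict in triage(SAMPLE_FLEET, "2017-12-05").items():
        print(dev, "->", verdict)
```

A device that reports "claims current" still needs the per-vulnerability testing the study performed; the string alone cannot distinguish a patched build from a forwarded date.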

  6. Lying to the public? by VeryFluffyBunny · · Score: 3, Interesting

    Isn't it a crime for a company to tell such blatant lies to the public? Can't customers sue the companies for endangering their sensitive data? Is there no regulatory oversight for this?

    --
    Debate is a form of harassment. Do not question my truth.
    1. Re:Lying to the public? by crunchygranola · · Score: 3, Informative

      And the article has exactly that information in it:

      A review of a CFPB database obtained by the AP through a Freedom of Information request shows that the bureau issued an average of two to four enforcement actions a month under former Director Richard Cordray, President Obama’s appointee. But the database shows zero enforcement actions have been taken since Nov. 21, 2017, three days before Cordray resigned.

      Yeah, curse the news as bullshit when you didn't bother to even take a single peek at it.

      --
      Second class citizen of the New Gilded Age
  7. i am not buying any more new hardware by FudRucker · · Score: 3, Interesting

    until the current crop of devices are bought and used up, or recalled and destroyed, I don't want to buy another PC, laptop, phone or tablet until all this Heartbleed, or Meltdown (the CPU bug), is resolved,

    --
    Politics is Treachery, Religion is Brainwashing
  8. Sounds like fraud. by Gravis+Zero · · Score: 5, Insightful

    IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Sounds like fraud. by q4Fry · · Score: 2

      IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.

      Agreed. All it takes is one sufficiently-large fine or market closure to provoke change.

  9. How? by farble1670 · · Score: 2

    The question is how they know the devices are missing the patch. Did they test all of the problems covered in the patch, on 1,200 different devices? Seems unlikely.

    Because of vendor specific code changes, patches don't always apply cleanly and need changes, or the issue may have been fixed by the vendor in a different way, or even not relevant to the vendor's dist.

    1. Re:How? by leehwtsohg · · Score: 2

      They have an app to test phones. I just checked mine. Could be that results are sent back home.

  10. Re:Liability? by Bugler412 · · Score: 2

    not likely with the "it's not our fault if it goes wrong" language in the EULA, unless you're prepared to lawyer up and fight that first. Good luck.

  11. This explains a lot by sizzlinkitty · · Score: 2

    I was wondering why my Moto Z Force was still vulnerable in lab testing even after patching it. I submitted an email to their security team and nobody responded, so I thought maybe I was a snowflake case. This is even more of a case to only purchase google made android devices.

  12. Samsung Galaxy Note 4 case by AncalagonTotof · · Score: 2

    Mine is 3 years and a half old. I've been using it without problem, except the usual: it was getting slower and slower.
    After 3 years, I decided to make a full factory reset.

    Before: I had control over more things, many applications were completely disabled, including Facebook (I never created an account) and Evernote.

    After: I got back some battery life and speed, although it's not consistent, I have to reboot from time to time. But the most annoying is that I lost control over many applications. I can no longer disable Facebook or Evernote. Thanks Samsung. And I'm always getting the updates, although I disabled automatic update in the Play Store.

    Samsung, give me control over the phone I gave you money to own!

    Sadly, there is no LineageOS for the Note 4. There are for older models, and even for the Note 8, but not for the 4.
    Will I buy a Note 8? Guess what Samsung: I will not pay nearly 50% more for a phone that probably cost you less than the Note 4 did!

    --
    Totof
  13. Re:Poor, self-destructive management by Google. by rjstanford · · Score: 2

    But it doesn't. Most consumers don't know that Google makes Android. Most probably don't even know that they have an Android per se. Hell, most probably don't know that their phone has an OS. But they sure know that Google is a great search engine.

    --
    You're special forces then? That's great! I just love your olympics!
  14. Fragmentation problem is now solved by Varcain · · Score: 2

    Thanks to Project Treble the Android fragmentation problem is solved. People already demonstrated this by running generic Android OS images on top of even some obscure phone models, which actually comply with Treble. Treble compliance is mandatory for any device with Oreo and upwards. What Treble is - basically complete separation of OS and HAL. It is now possible to update Android regardless of the OEM as long as the bootloader is not permalocked.

  15. They are not lying, it just depends on your phone. by Leslie43 · · Score: 2

    Lineage website does not list independent roms built from their source code, only official ones, and there are TONS that are unofficial, so just because a model is not listed doesn't mean a version of Lineage doesn't exist. You need to go onto XDA (best place to look) and look for not just your model, but part number and carrier. You may even have to look at your specific firmware version.

    If you have a locked bootloader you can still use a modified ROM, however you need to retain the stock kernel, which severely limits your options. Some people have modded the stock ROM to work and look like Lineage while using the stock kernel. My old S4 was running a modified stock ROM but being a Verizon model it had a locked bootloader. When I bought my S5 I made sure it was an unlocked T-Mobile variant and it currently runs Lineage.

    Samsung works with carriers and will lock the bootloader and SIM depending on the carrier's wishes. The S4 has been the bane of ROM builders because Samsung refused to help unlock it and did a darn good job on it. Later models have actually been a bit easier as they eased up on their restrictions a bit. The S4 was caught in the middle of being hackable like previous versions and Samsung being willing to work with us instead of against us and got left behind.

    Who does what? Verizon has an unlocked sim, but a locked bootloader.
    AT&T locks both the bootloader and the sim however the very first AT&T S4 had an unlocked bootloader, the first update locked it down. 2 years ago ones with original firmware carried a 40% premium over almost all other models.
    Sprint locks the bootloader, the sim and deletes the sub menu for sim changes. (seriously, F- Sprint.)
    T-Mobile however locks nothing but you will pay a premium for used T-Mobile and unlocked phones for the very fact that they are unlocked.

    BEWARE. Being impulsive with a Samsung is a very quick way to owning a nice paperweight. Flash the wrong modem and your phone is permanently bricked, and not all ROM builders know how or that they are supposed to strip that out; I lost an S3 this way testing a ROM for someone. If you want to flash a Samsung you need to pay attention when you buy (get a T-Mobile model) and be prepared to read a lot before you start hacking because otherwise it will not end well. Nice phones, but they are one of the bigger pains in the neck and are some of the least forgiving when it comes to hacking. You can almost always save an LG or HTC, but a Samsung is very quick to hard brick.