Some Android Device Makers Are Lying About Security Patch Updates

An anonymous reader shares a report: Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there get regularly security patches, but according to a new report, some of them are lying about the patches that they've actually gotten. According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE. The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.

Planned Obsolescence

[A10Mechanic]

Boardroom banter: Why should we provide free updates, when we can sell them a new phone...

Re:Planned Obsolescence

"My phone is still totally fast and has plenty of space, but I'm missing a few security patches, so I'll just buy a new phone." said no customer ever.

No shit ....

Is anybody even remotely surprised?

One of the huge problems with Android is it is now so fragmented, and every vendor has filled it with their own custom shit and they've done god knows what to the core of it.

As soon as it's shipped, they move on to the next product. They have neither the time, resources, nor inclination to maintain older versions of phones -- because they want you to buy a new one.

The reality is, there are as many versions of Android as there are phones and companies who make them. And companies aren't going to spend the resources on a shipped product, because they've been paid for it already.

So, yeah, they don't to updates, don't plan to do updates, and refuse to admit that it was abandonware before you even got your hands on it.

To me, this is the greatest failing of Android.

Missing info from summary

[Bob+the+Super+Hamste]

Some missing info from the sumamry about the average number of missing patches per device from each manufacturer
Average missing patches per device from each manufacturer
0 or 1 - Google, Samsung, and Sony
1 to 3 - Xiaomi, OnePlus, and Nokia
3 to 4 - HTC, Huawei, LG, and Motorola
4 or more - TCL and ZTE

Re:Missing info from summary

[tlhIngan]

I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.

The article is not about patches coming out on time. It's about patches that come out missing.

It's easy to make a security patch that patches nothing other than updating the date you see in the about screen.

That's what the article is about - just because your device is "up to date", doesn't mean it has all the patches. They basically took a patched phone and re-ran the vulnerability tests on them, only to find the patches were not applied despite claims they were by having the patches up to date.

Sounds like fraud.

[Gravis+Zero]

IANAL but this sure sounds an awful lot like fraud. They claim to be providing a service but don't actually provide it? The FTC should come down like a load of bricks on these companies.