Exposed: Lazy Android mobe makers couldn't care less about security

Let's nail this once and for all: too many Android smartphone makers simply aren't rolling out Google's security bug fixes for the mobile operating system.

Germany-based Security Research Labs (SRL) today said that even top vendors – such as HTC, Huawei, and Motorola – leave punters vulnerable by not patching devices for known Android vulnerabilities in a timely fashion, if at all.

You'd hope manufacturers would be quick to test and push out over-the-air firmware and software updates to close down bugs that can be exploited by malicious applications, booby-trapped messages, and dodgy webpages, to hijack, control and snoop on handhelds. But, nope. Not always the case.

It turns out updates issued to some devices are incomplete, leaving unlucky punters open to attack. Now, we're not advocating buggy and rushed code is forced onto gadgets, but it would be nice if patching was a bit more of a priority. And if manufacturers fessed up to their customers that they were behind in patching, rather than claim everything is all OK and up to date.

"Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates," the SRL team – Karsten Nohl and Jakob Lell – noted as part of their presentation to the Hack In The Box security conference in Amsterdam, the Netherlands.

"Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks."

And, yes, that's the same Nohl known for pointing out big holes in the world's cellular networks.

Stalled

Beyond its own smartmobes, Google leaves it to individual phone vendors to test, cryptographically sign, and distribute updates for their hardware, which includes fixes for security vulnerabilities in drivers as well as the core system software. That reliance on vendors ends up stalling, or completely blocking, the rollout of fixes to people.

The web giant did develop a neat trick, though, in which its Google Play Services code can bypass manufacturers and install some security patches by itself over the internet without any vendor intervention. This should, in theory, get stuff updated quickly. However, the services can't dig deep into the device and replace low-level faulty software components, such as drivers and system libraries. Hence, some devices get half-complete updates each month. Some from Google, none from the manufacturer.

El Reg can vouch for this first-hand. One of our offices has an Android 7 Samsung Galaxy S8 handset that, despite being "up to date," can't fetch any security patches since August last year.

SRL suggests security-savvy users take a look at what is included in the monthly fixes from Google, and at least be aware of any issues that need patching.

Don't panic (too much)

The researchers also note that the presence of a vulnerability in and of itself does not mean a device will fall to malware or hackers. Rather, attackers will still likely have to use multiple tactics – such as convincing the user to run a malicious app from an unofficial store – or exploit several vulnerabilities in tandem to escape Android's sandbox, defeat various defense mechanisms such as ASLR, and ultimately seize control.

"Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device," the SRL duo noted.

"Instead, multiple bugs need to be chained together for a successful hack."

SRL has provided the full slide deck [PDF] of the presentation on its blog if you're interested in more details. ®