SRL: Android phone makers lie about patches

Posted on Thursday, April 12 2018 @ 17:35 CEST by Thomas De Maesschalck
One of the big problems of the Android ecosystem remains that phones and tablets are patched slowly, or often never. To make matters worse, Security Research Labs (SRL) discovered that some smartphone makers lie about patches: they lead users to believe that their phone's firmware is fully up to date while quietly skipping patches. In some cases, an "update" merely changes the date without installing any real patches. Full details are over at Wired.
On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.

"We find that there's a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others," says Nohl, a well-known security researcher and SRL's founder. In the worst cases, Nohl says, Android phone manufacturers intentionally misrepresented when the device had last been patched. "Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best."
Android missed updates chart

