According to the firm, almost a dozen patches were skipped by certain OEMs. Given how many Android phones are out there and how many vendors weren't applying the patches as regularly as Google intended, a likely large number of users continued to use phones that weren't up to date and couldn't protect them from the then-current security risks those patches were meant to address. But results could even vary within a brand, as SRL found.
For example, Samsung's 2016 J5 accurately reported what was and wasn't installed, but its 2016 J3 said all patches were up to date when 12 weren't actually installed. This is incredibly simple to fake: even you or I could do it on a rooted device by modifying ro.build.version.security_patch in build.prop. Out of the 1,200 phones tested by SRL, which included devices from Google, Samsung, HTC, Motorola and TCL, the firm found that even flagship devices from Samsung and Sony missed a patch.
The researchers did find a correlation between skipped patches and chipsets, however.
Worse, vendors allegedly misled users by claiming devices are fully patched when in fact they are missing important monthly updates for Android, the researchers said.
The team at SRL Labs put together a chart that categorizes major device makers according to how many patches they missed from October 2017 onwards.
For all the good of Android's open-source approach, one of the clear and consistent downsides is that the onus to issue software updates falls on the manufacturer.
ZTE and TCL appear to be among the worst offenders, while Google, Samsung and Sony are the best at patching.
Some Android vendors are purposefully lying about the latest security update on their phones. Several phones from these smartphone makers listed the latest security patches even when a deeper investigation revealed that they did not include them. Phones with cheaper chips from lower-end suppliers, where the Android ecosystem is less well maintained, missed the most patches.
The patch gap issue is not an isolated case. There's no word yet on how exactly Google plans to prevent this situation in the future, as there aren't any mandated checks in place from Google to ensure that devices are running the security patch level they claim to be running. To help users tackle the problem, SRL Labs will be releasing an update to its SnoopSnitch Android app that allows users to check their phone's code for the actual state of its security updates. All of the requisite permissions for the app and the need to access them can be viewed here.
That is still a long time away from now and such an outcome will only make it more certain that Google does not care for post-release user experience.