When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also mentioned that modern Android phones usually have security features that make them hard to hack, even when they have unpatched security vulnerabilities.
Among smartphone processors, Taiwan's MediaTek topped the chart for missing patches. For J5 customers, those who checked the status of their devices' security were aware of which patches were installed and which were not.
The research laboratory got its hands on phones that were claimed to have received the latest Android updates. Most other major Android phone makers fall somewhere in between.
Ever since, it has been pushing the industry to adopt regular updates as part of an effort to clean up Android's image and improve security. Among the 1,200 phones tested by the firm, which included devices from Google (the primary source for updates to Pixel phones), Samsung, HTC, Motorola, and TCL, the issue affected even flagship models from the likes of Samsung and Sony.
The results, shared with Wired, show that some popular Android devices are missing as many as a dozen patches that users would expect to be there, based on the patch level string displayed in settings in date format.
Bringing up the rear were ZTE and TCL, whose phones had an average of more than four missed Android security patches. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Karsten Nohl, Security Research Labs founder, told the publication. In some cases, these chipsets were found to include bugs, and as a result vendors had to rely on chipset makers to roll out patches before implementing OS software updates. SRL says that it tested the firmware on around 1,200 Android phones, checking whether patches had been applied, and found devices whose patch dates had been moved forward without the patches actually being added. Some patches may also have been missed, says Google, because the manufacturer removed the offending feature instead of fixing it with the patch.
Updates and security patches on Android have always been a serious issue.
SRL has updated its SnoopSnitch Android security app to detect whether a phone has missed security updates.
Google told Wired, "some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security". Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.