Home SecurityMobile Security Android security: Patching improves, but fragmentation challenges remain

Android security: Patching improves, but fragmentation challenges remain

by ethhack

Android device makers have improved their patching processes over the past two years according to a new analysis, decreasing the time gap between when security updates become public and their integration into firmware. This is good news for the Android ecosystem, which has historically been considered worse than Apple’s iOS when it comes to patch hygiene. However, version fragmentation remains high in the Android world, with significant differences among device manufacturers and even across the same vendor’s product lines. This leads to many devices running versions that are no longer supported.

Berlin-based Security Research Labs (SRLabs) has published the results of its binary analysis of around 10.000 unique firmware builds running on many Android device models from different manufacturers. Most of the data was collected with SnoopSnitch, an application developed by the company to analyze mobile radio data for abnormalities that could indicate user tracking and fake base stations. It can also check if the Android firmware running on a device has the critical vulnerability patches that correspond to its reported security patch level.

When it began releasing monthly Android security updates in 2015, Google added a date string to Android’s “About phone” screen to indicate the device’s patch level. Each security bulletin comes with two patch strings: one that covers vulnerabilities in the standard code and components of the Android Open Source Project (AOSP), and another that covers patches for device-specific components that might not be open source, such as chipset drivers. What string device manufacturers choose to display depends on whether they integrated the chipset-specific patches or just the AOSP patches.

Android patch test results

In 2018, SRLabs began testing whether Android devices contain all patches for serious vulnerabilities that correspond to the patch date string they report. This is done through binary analysis that can take a few minutes and uses tests developed by SRLabs that are downloaded by SnoopSnitch from a server in the background. The test covers only vulnerabilities that are potentially useful for hackers to compromise phones.

The company’s original report in 2018, which included data from 2017, found that many devices were missing patches despite reporting a patch level that should have included them. Some vendors fared better than others and phones with certain chipsets were more likely to have missing patches, indicating that the problem might be higher up in the supply chain.

In a new report, SRLabs published the results of scans performed over the last year and some clear improvements were observed. “We found that on average, official firmwares released in 2019 missed only about half as many patches as comparable firmwares released in 2018,” the company said.

Copyright © 2020 IDG Communications, Inc.

Source link

Related Articles

Leave a Comment