If you have a Google Pixel smartphone you’re probably used to getting monthly security updates. If you have an Android phone from any other device maker… it’s complicated. While some phone makers have committed to delivering monthly security updates shortly after Google makes them available, many others do not.

But it turns out that if you’ve got anything other than a Pixel, there’s a chance your phone might not even have all the updates it says it does.

Wired reports that a group of researchers at Security Research Labs have discovered that many Android phones claim to have a security patch level that doesn’t accurately show the patches that have actually been installed on those phones.

The researchers plan to present their findings at the Hack in the Box security conference tomorrow, but Wired highlights the key findings.

In a nutshell, you can go into your phone’s settings to see the latest date a patch was installed. Some phone makers failed to deliver all the updates you’d expect based on that date. And a few may have gone so far as to use an arbitrary date that implies your phone is more up to date than it is without delivering any security patches at all.

It’s bad enough that some phone makers don’t deliver monthly security updates (and some don’t even deliver updates regularly… or at all). But this finding paints an even grimmer picture: phone makers may be intentionally misleading users and providing a false sense of security.

Google’s phones were the only ones tested by the researchers that had never missed an update.

The researchers say phones from some companies including Sony and Samsung were only missing a single update that you’d have expected to be installed based on the stated patch level.

But Xiaomi, OnePlus, and Nokia missed up to 3 patches. HTC, Huawei, LG, and Motorola missed up to 4. And TCL and ZTE had phones that were missing more than 4 of the patches they claimed to have installed.

Wired/Security Research Labs

It’s also noteworthy that the phones that were most likely to have a high number of missed security patches were those with MediaTek processors. It’s unclear if that’s because MediaTek failed to make patches available to vendors or if phone makers failed to release available patches to users. One possible explanation is that most phones with MediaTek processors are low-cost devices that don’t get much support at all.

If you want to check to see whether your phone is missing any of the security updates it’s supposed to have, you can try running the latest version of SnoopSnitch, an app from Security Research Labs that lets you run an “Android patch level analysis.” When I ran it on my Google Pixel 2, the results were inconclusive, but that might be because I just installed a monthly update yesterday.

If there’s any good news here, it’s that even phones that haven’t received all the latest security updates are relatively difficult to hack using the types of vulnerabilities usually patched by monthly security updates. Wired reports that it’s far more likely that someone looking to hack your device will use phishing techniques by trying to get you to install an app downloaded from a source other than the Google Play Store in order to harvest your data or put you on a botnet.

 

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

9 replies on “Researchers: Most phone makers lie about Android security patch levels”

  1. I’m not sure this is unique to Android. Windows Update used to (not sure about the present) also sometimes miss patches.

    Also, I went to the website indicated above, and it’s not clear their analysis is based on more than the Snoopsnitch app, which itself might be inaccurate.

  2. Frankly Android is a product of perverse incentives. Incentives from when Google was going to market and had to lure in manufacturers and carriers to challenge Apple. Incentives now that it is more dominant that are part of Google’s business model. Incentives that are not aligned with users interests. It’s time for a serious alternative.

  3. F***ing motorola and Nokia?! I was hoping to buy either a Nokia 6 or a Moto G6+.

    Count me out. I have a Moto X Pure that’s getting old, and my wife’s is trashed. They dragged their heels for practically an entire year after they missed their promised delivery date for Android 7.0 on the MXP. I had just started to forgive them since they did actually deliver it, just late. To find out that they’re all too happy to simply lie about patches to save face? Yep. I’m done with them.

    1. FWIW, my g5 Plus only shows one missing patch and my wife’s X4 (running 8.0) shows zero missing. I really wish they reported more on which processors tend to be affected–both of these devices are Snapdraggon.

  4. Pathetic…Google needs to crack down on this, it is one thing to not deliver them but lo cheat about having delivered them is beyond low. Oh and surprise Huawei & Honor on the list!!!

    1. Wrong. The government should be the one going after false advertising.

      1. This is SO MUCH WORSE than false advertising. Security is not to be advertised but to be enforced.

        This shows the “commitment” from those handset makers.

        Also shows how bad things get when the update has to pass through all vendors/carriers before getting to your phone.

        That’s why I don’t use Android as my phone platform OS.
        If I would, it would be a phone that receives updates STRICTLY DIRECTLY from the phone manufacturer, no one else.

        Timely updates and no bloatware.

  5. This was eye opening. My Huawei Mate SE (Honor 7x) had 4 minor patches missing despite Huawei’s clockwork monthly security updates.

Comments are closed.