Your favorite phone maker may be delivering security updates at a steady pace, but a new report states that your smartphone may still be vulnerable to the next major exploit.
That’s because crucial patches are commonly skipped over by some of the most prolific players in the smartphone market, according to in-depth findings from Security Research Labs (opens in new tab) (SRL).
Across a relatively large sample size, companies like Google, Samsung and Sony seem to be strong enforcers of including each patch within its security updates. On the other hand, ZTE, Huawei, LG, HTC, Motorola and other big names appear to omit, at times, several patches from its releases. SRL doesn't specify phone models, but states that its testing was limited to phones that were patched during and following October 2017. In other words, the testing likely includes the latest and greatest flagship phones.
How does this happen?
It’s hard to exactly pin down why some companies don’t include patches for each bug in a security update. It could come down to a lack of resources, the sheer difficulty of adapting the work across multiple devices, or the hope that the next Stagefright-scale attack won’t happen again soon.
In a statement provided to TechRadar, a Google spokesperson told us that there are cases in which some devices use “an alternate security update instead of the Google suggested security update”. But even so, Android has other stop-gap measures to keep users safe, including application sandboxing (this limits an application from running within a larger code environment) and the relatively new Google Play Protect feature that debuted in 2017.
What does this mean for you?
Probably nothing. The research firm notes that a missing patch doesn’t necessarily point to guaranteed vulnerabilities, but the big takeaway is that your Android phone may not be as secure as you’re being led on to believe. Of course, Google is the best at sticking to security updates, but owning the Google Pixel 2 isn’t critical to staying safe as an Android user.
As more manufacturers get on board with consistently delivering monthly updates, it’s critical that each ensures that the proper holes are plugged. And while this seems like a tough job to keep up with as a consumer – the onus is on the software makers – the authors of the report stated that the app SnoopSnitch will allow you determine if your updates cover the wide swath of patches necessary to stay as safe as possible.
But if you just want to just not worry about it (we feel you), the tail-end of Google’s statement asserts that you can do just that: “These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging.”
SRL states that despite the present situation, it’s a vast improvement over 2016, as told by a report from Duo (opens in new tab) – a time when only 17% of Android phones and tablets were running the most recent patch.