Security Updates
Since 2015 Google has delivered security patches to smartphone manufacturers on a monthly cycle. It is then up to the manufacturers to incorporate them into their software and distribute them. These patches are intended to close security gaps, but not all manufacturers are equally successful in shipping them: even well-known manufacturers can take one to two months to apply a patch. Official Google partners are granted access to the security patches one month before release (The Android patch ecosystem – Still fragmented, but improving).
Once the legal warranty period has expired, practically only Google devices still have a chance of receiving current security patches for a stock ROM. In custom ROMs, by contrast, current Google security patches can be integrated into the software even for outdated source code and Android versions, which allows a device to be used safely beyond the legal warranty.
Android Security Bulletin
Google's Android security patches, published as the monthly Android Security Bulletin, can then be applied to Android by manufacturers and developers. These patches close general Android security holes, and they also give chip manufacturers and, in particular, device manufacturers the opportunity to close holes in their own components.
Currently, Google only provides security patches for Android 8, 9 and 10. Support for Android 7 (Nougat) expired with the security patch of November 2019. Nevertheless, many devices still run this Android version and may not be upgradeable to a newer one. So that they can continue to be used safely, developers in the custom ROM communities backport the security patches and make them compatible with Nougat.
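A practical way to act on the support cut-off described above is to read a device's build properties and compare its declared patch level against the current date and against the Android versions Google still patches. The following script is an added example, not code from the original text or from any vendor: it parses constructed `getprop` output (the two device dumps and the vendor name are hypothetical), treats Android 8, 9 and 10 as the currently supported majors as the text states, and flags a device whose patch level lags by more than the one-to-two months the text cites as normal vendor delay. The two-month threshold and the reference date are assumptions chosen for the example.

```python
import re
from datetime import date

# Android major versions that still receive monthly patches from Google,
# as stated in the text above (support for 7 ended with the November 2019 bulletin).
GOOGLE_SUPPORTED_MAJORS = {8, 9, 10}

# Assumed threshold: the text says even known vendors need one to two months,
# so a lag beyond two months is treated as stale here.
STALE_AFTER_MONTHS = 2

# Constructed `adb shell getprop` excerpts for two hypothetical devices.
# These are not real firmware dumps; the vendor name is a placeholder.
SAMPLE_GETPROP = {
    "device-a": """\
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-05-05]
[ro.product.manufacturer]: [ExampleVendor]
""",
    "device-b": """\
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2018-03-01]
[ro.product.manufacturer]: [ExampleVendor]
""",
}

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(dump: str) -> dict:
    """Turn getprop output into a plain dict, ignoring lines that do not match."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (patch levels are monthly)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def assess_device(dump: str, today: date) -> dict:
    """Summarise support status and patch lag for one device's property dump."""
    props = parse_getprop(dump)
    release = props.get("ro.build.version.release", "")
    major = int(release.split(".")[0]) if release else 0
    patch_prop = props.get("ro.build.version.security_patch")
    if not patch_prop:
        # Very old builds may lack the property entirely; report that explicitly.
        return {"android_major": major, "google_supported": major in GOOGLE_SUPPORTED_MAJORS,
                "patch_level": None, "patch_lag_months": None, "stale": True}
    patch_level = date.fromisoformat(patch_prop)
    lag = months_between(patch_level, today)
    return {
        "android_major": major,
        "google_supported": major in GOOGLE_SUPPORTED_MAJORS,
        "patch_level": patch_level.isoformat(),
        "patch_lag_months": lag,
        "stale": lag > STALE_AFTER_MONTHS,
    }


if __name__ == "__main__":
    for name, dump in SAMPLE_GETPROP.items():
        print(name, assess_device(dump, date(2020, 6, 1)))
```

On a real device the dump would come from `adb shell getprop` rather than the embedded strings; the assessment logic is the same. A device that is both outside Google's supported majors and stale is the case the text describes as a candidate for a custom ROM with backported patches.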
The Android user interfaces adapted by the manufacturers can bring further weaknesses with them. The same applies to a whole range of software that the end user did not install and does not need. Accordingly, device manufacturers deliver security patches in parallel to Google to close these gaps, some of which are specific to a device or exclusive to a chipset.
In addition, Google can update other parts of the system through the Google services. These include, for example, the integrated web browser and the so-called WebView, a component supplied with the browser so that apps can display web content. Project Mainline, integrated into the system with Android 10, extends this update path. The new contact tracing interface, which is being added to the system to combat the coronavirus pandemic, will be delivered through this same mechanism.
Vulnerabilities
Samsung recently discovered a security vulnerability that has existed for five years, since approximately August 2015. Via MMS reception and Samsung's integrated image format QMAGE, an exploit could be triggered without the user opening the malicious MMS or even noticing that it had arrived. Samsung provides software updates with the appropriate patch for its latest devices. Older devices, however, no longer receive security updates and remain affected. A custom ROM could help here. The Samsung Galaxy S5 tested in the case studies is also affected by this security hole. Although it can be closed manually by disabling automatic MMS reception, many users do not even know that the vulnerability exists.
A similar situation occurred with the so-called Stagefright security gap in Android 2.2 to 5.1, where an MMS exploit using malware in image files could take over the entire device. The security patches that were supposed to close this gap have still not reached all devices. In contrast to the manufacturers, CyanogenMod incorporated and distributed the corresponding patches quickly. Another example of a persistent security vulnerability is a flaw in the browser implementation on Android devices up to Android 4.3. It was announced in 2015 and never officially fixed.
Further aspects of dealing with security vulnerabilities in the Android system are described in the following brief. Apparently there are vendors that deliver security updates but omit patches or ship them incomplete. Newly discovered security holes in old systems are usually no longer patched. SnoopSnitch documented this in 2018. Some custom ROMs were examined in the process, and it was found that they must be evaluated differently from vendor updates. According to SnoopSnitch there were significant improvements in 2019 in the delivery of security updates by Google and the manufacturers.
The following table summarizes how quickly the vendors delivered updates:
Explanatory notes:
- Patch delays are approximated from the difference between the build date and the patch level date of firmware uploads; the value above, where applicable, is the median of all calculated delays per vendor.
- Only critical and high severity patches are counted.
- The number of missed patches is the average of all missed patches per vendor.
- *Samples: Few = 0-50; Many = 50-100; Lots = 100+ unique builds.
- Not all patches are included in the tests, so the real number could be higher still.
- In the statistical analysis, only uploads with a patch level from 2018 or 2019, respectively, are considered.
- A missing patch does not automatically indicate that a related vulnerability can be exploited.
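The explanatory notes above describe a small statistical procedure: filter firmware uploads to those with a 2018 or 2019 patch level, take the median of (build date minus patch level date) per vendor, average the missed critical/high patches, and bucket the sample count. The script below is an added example that implements exactly those steps; it is not SnoopSnitch's code and its input is a constructed set of uploads for two hypothetical vendors. Because the note's buckets overlap at 50 and 100, the example assumes Few means fewer than 50, Many 50 to 99, and Lots 100 or more.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, median

# Constructed firmware upload records for hypothetical vendors (not real data).
# build       = date the firmware was built
# patch_level = security patch level the firmware declares
# missed      = critical/high patches found missing despite that patch level
SAMPLE_UPLOADS = [
    {"vendor": "VendorA", "build": date(2019, 3, 20), "patch_level": date(2019, 3, 5), "missed": 0},
    {"vendor": "VendorA", "build": date(2019, 6, 30), "patch_level": date(2019, 5, 5), "missed": 1},
    {"vendor": "VendorA", "build": date(2019, 9, 10), "patch_level": date(2019, 8, 5), "missed": 0},
    {"vendor": "VendorB", "build": date(2018, 12, 1), "patch_level": date(2018, 9, 5), "missed": 3},
    {"vendor": "VendorB", "build": date(2019, 4, 15), "patch_level": date(2019, 1, 5), "missed": 2},
    # Patch level from 2017: excluded by the year filter in the notes.
    {"vendor": "VendorB", "build": date(2017, 11, 2), "patch_level": date(2017, 10, 5), "missed": 5},
]


def sample_bucket(n: int) -> str:
    """Bucket a sample count; boundaries are an assumption where the notes overlap."""
    if n < 50:
        return "Few"
    if n < 100:
        return "Many"
    return "Lots"


def vendor_stats(uploads, years=(2018, 2019)) -> dict:
    """Per-vendor median patch delay, average missed patches and sample bucket."""
    per_vendor = defaultdict(list)
    for u in uploads:
        # Only uploads whose declared patch level falls in the analysed years count.
        if u["patch_level"].year in years:
            per_vendor[u["vendor"]].append(u)

    result = {}
    for vendor, recs in per_vendor.items():
        # Delay = how long after the patch level date the vendor actually built firmware.
        delays = [(r["build"] - r["patch_level"]).days for r in recs]
        result[vendor] = {
            "samples": len(recs),
            "sample_bucket": sample_bucket(len(recs)),
            "median_delay_days": median(delays),
            "avg_missed_patches": mean(r["missed"] for r in recs),
        }
    return result


if __name__ == "__main__":
    for vendor, stats in vendor_stats(SAMPLE_UPLOADS).items():
        print(vendor, stats)
```

The median rather than the mean is used for the delay because a single very late build would otherwise dominate a vendor's figure; the missed-patch count, by contrast, is averaged as the notes state. Per the last note, a non-zero missed count only says a patch is absent from the build, not that the corresponding vulnerability is exploitable on that device.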
SnoopSnitch's testing focuses mainly on how quickly patches are deployed for smartphones that are (still) officially supported; smartphones that are no longer officially supported are not included. In unfavourable cases, support for a device may end after just twelve months, as with the OnePlus X. There the reason was a processor that was already two years old when the device shipped and no longer met the CDD requirements. The smartphone, released in 2015, therefore did not receive an Android Nougat update. The processor was the Qualcomm Snapdragon 801.