Android device makers have improved their patching processes over the past two years according to a new analysis, decreasing the time gap between when security updates become public and their integration into firmware.
This is good news for the Android ecosystem, which has historically been considered worse than Apple's iOS when it comes to patch hygiene.
However, version fragmentation remains high in the Android world, with significant differences among device manufacturers and even across the same vendor's product lines. This leads to many devices running versions that are no longer supported.
Berlin-based Security Research Labs (SRLabs) has published the results of its binary analysis of around 10,000 unique firmware builds running on many Android device models from different manufacturers.
Most of the data was collected with SnoopSnitch, an application developed by the company to analyse mobile radio data for abnormalities that could indicate user tracking and fake base stations. It can also check if the Android firmware running on a device has the critical vulnerability patches that correspond to its reported security patch level.
When it began releasing monthly Android security updates in 2015, Google added a date string to Android’s “About phone” screen to indicate the device’s patch level.
Each security bulletin comes with two patch strings: one that covers vulnerabilities in the standard code and components of the Android Open Source Project (AOSP), and another that covers patches for device-specific components that might not be open source, such as chipset drivers.
Which string a device manufacturer displays depends on whether it integrated the chipset-specific patches or only the AOSP patches.
Android patch test results
In 2018, SRLabs began testing whether Android devices contain all patches for serious vulnerabilities that correspond to the patch date string they report. This is done through binary analysis that can take a few minutes and uses tests developed by SRLabs that are downloaded by SnoopSnitch from a server in the background. The test covers only vulnerabilities that are potentially useful for hackers to compromise phones.
The company's original report in 2018, which included data from 2017, found that many devices were missing patches despite reporting a patch level that should have included them.
Some vendors fared better than others and phones with certain chipsets were more likely to have missing patches, indicating that the problem might be higher up in the supply chain.
In a new report, SRLabs published the results of scans performed over the last year and some clear improvements were observed. "We found that on average, official firmwares released in 2019 missed only about half as many patches as comparable firmwares released in 2018," the company said.
Some vendors such as Google, LGE, Samsung, ZTE, Lenovo and Xiaomi missed between zero and 0.2 patches on average across their entire product lines. Others such as Sony, Nokia, Huawei, Motorola, Asus and OnePlus missed between 0.2 and one patch on average, while Oppo and HTC missed between one and two.
No vendor missed more than two patches on average, compared to four and more missed patches for some vendors during 2017 and 2018. The number of missing patches might seem low, but these are average numbers and the missing patches are for serious vulnerabilities -- usually those with high or critical severity.
The company also analysed how quickly vendors implemented fixes and released new firmware builds after the security issues became public through the monthly Android security bulletins. This is an important metric because Google shares vulnerability information and patches with its Android partners one month in advance of public disclosure, so manufacturers usually have at least one month to prepare firmware updates and perform testing.
SRLabs' data shows that Google, Sony and Nokia are the fastest to integrate and distribute security updates, their patch delays being virtually nonexistent -- zero days. Huawei releases patches with a delay of six days on average, LGE with 12 days and Samsung with 14 days.
Other manufacturers have average patch delays that range between 15 days and 31 days (Xiaomi). The average patch delay for the entire Android ecosystem decreased by 15 per cent, from 44 days to 38 days.
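The two measurements the article describes, the check of a firmware's claimed patch level against the fixes actually present in its binaries and the per-vendor patch delay, can be modelled in a few lines. The following is an added illustration, not SRLabs' code or SnoopSnitch's tests; the test catalogue, CVE identifiers, vendor names, dates and scan results are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class VulnTest:
    cve: str        # placeholder id, constructed for this example
    bulletin: date  # month of the Android security bulletin that shipped the fix
    severity: str

# Constructed catalogue of binary tests (ids are placeholders, not real CVEs).
TESTS = [
    VulnTest("CVE-0000-0001", date(2019, 1, 1), "critical"),
    VulnTest("CVE-0000-0002", date(2019, 2, 1), "high"),
    VulnTest("CVE-0000-0003", date(2019, 3, 1), "high"),
    VulnTest("CVE-0000-0004", date(2019, 4, 1), "critical"),
]

def missing_patches(reported_level: str, results: dict) -> list:
    """CVEs the firmware claims to have fixed but whose test found no fix.
    reported_level is the 'About phone' date string (readable on a device
    with: adb shell getprop ro.build.version.security_patch).  results maps
    cve -> True (fix found), False (fix absent) or None (inconclusive);
    only tests from bulletins at or before the claimed level count."""
    claimed = date.fromisoformat(reported_level)
    return sorted(t.cve for t in TESTS
                  if t.bulletin <= claimed and results.get(t.cve) is False)

def patch_delay_days(reported_level: str, build_date: date) -> int:
    """Days from the bulletin going public to the firmware build carrying it."""
    return (build_date - date.fromisoformat(reported_level)).days

# Constructed scan records: (vendor, reported patch level, build date, results)
SCANS = [
    ("VendorA", "2019-03-01", date(2019, 3, 1),
     {"CVE-0000-0001": True, "CVE-0000-0002": True, "CVE-0000-0003": True}),
    ("VendorA", "2019-04-01", date(2019, 4, 15),
     {"CVE-0000-0001": True, "CVE-0000-0002": False,
      "CVE-0000-0003": True, "CVE-0000-0004": True}),
    ("VendorB", "2019-02-01", date(2019, 3, 10),
     {"CVE-0000-0001": False, "CVE-0000-0002": False, "CVE-0000-0004": False}),
]

def vendor_summary(scans=SCANS) -> dict:
    """Average missed patches and average patch delay per vendor."""
    rows = {}
    for vendor, level, built, results in scans:
        rows.setdefault(vendor, []).append(
            (len(missing_patches(level, results)), patch_delay_days(level, built)))
    return {v: {"avg_missed": mean(m for m, _ in r),
                "avg_delay_days": mean(d for _, d in r)} for v, r in rows.items()}
```

Note that VendorB's missing CVE-0000-0004 is not counted against it: its firmware claims only a February patch level, so the April fix is not expected to be present, which is exactly why the reported level, not the build date, must drive the check.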
The version fragmentation issues might be responsible for some of these differences between manufacturers, with some vendors producing and maintaining a much larger number of models than others, for example Samsung versus Google. Some manufacturers maintain firmware builds for as many as four major Android versions simultaneously -- Android 7, 8, 9 and 10 -- that are used on their various devices.
A large number of devices in the wild have reached the end of support and are no longer receiving any kind of security updates, suggesting that average support life of Android devices might be too short for many users.
Fortunately, Android open-source community firmware such as LineageOS could be an answer for those old devices and a way for users who can't afford to buy new devices to continue receiving timely security updates.
Enterprise takeaways on Android patching
According to Karsten Nohl, chief scientist at SRLabs, enterprises have historically shunned Android in favour of iOS for their workforces because iOS devices are perceived as having better patching hygiene. What this new data shows is that things are improving in the Android ecosystem and some Android vendors are on par with Apple when it comes to patching, he tells CSO.
What Android devices have in their favour is a lower cost, which could make them more appealing to some organisations. Nohl hopes the results of SRLabs' study can help those organisations choose Android phone manufacturers that make an effort to release security updates in a timely manner and, at the same time, make sure that those patches are complete.
SRLabs has been in contact with mobile chipset vendors and a number of Android manufacturers about its research but has seen evidence that even those vendors who haven't reached out are using its tool for internal testing.
Nohl believes there are several reasons for this improvement in patching processes including Google putting pressure on device vendors, having firmware with fewer vendor customisations -- newer versions of Android make it easier for vendors to keep their customisations in separate components -- as well as vendors gaining more experience and streamlining their processes.
In general, the manufacturers who are quicker to integrate patches are those who sell and maintain fewer device models.
Contrary to popular belief, newer devices that run the latest Android version might not necessarily be the first to receive patches when they come out, because they're not as popular as older ones, so they're lower on the priority list.
"We found vendors best able to patch the versions of Android most commonly found on their devices," SRLabs said in its report. "And it takes a longer time for vendors to provide security updates for less widespread Android versions. As a result, the Android ecosystem still has security challenges that arise from its fragmented nature."