When Security Patches Don't Mean a Damn Thing



    If you needed another reason to be angry at your Android device maker, here it is. According to a new feature in WIRED, some OEMs have been flat-out lying about their security patches. The table above is a summary of missing patches found in Android builds across thirteen manufacturers. Google and Samsung, as one would hope, are fairly honest; on the other end are TCL and ZTE, each with more than four patches missing from their "updated" devices.

    For the past two years the German security firm SRL has been reverse-engineering software on hundreds of Android phones, investigating what they call the "patch gap". The research will be presented today at a conference in Amsterdam.

    With so many Android hardware makers, there's no single reason for missing security patches. Sometimes it's an honest mistake and, to quote someone from SRL, sometimes not so much:

    "Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best."
    Whenever a security firm presents bad news like this, there's often a solution being peddled to address it. And sure enough, SRL has SnoopSnitch, which runs a local test on your device and supposedly informs you of any missing patches. I tried it on my OnePlus phone but the results were inconclusive, possibly because I'm on a beta channel of the software for that device.

    Read more about SRL and patch gap at the links directly below.

    Source: WIRED via XDA

    ---------
    This article was originally published in forum thread: When Security Patches Don't Mean a Damn Thing started by acurrie