How to check if your phone is missing security patches with 'SnoopSnitch'

In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present, at the Hack in the Box security conference, the results of their two-year test that revealed what they call the "patch gap". Smartphones with regular security patches and OS updates are a big hit among users and attract potential buyers.

These smartphone makers have created a false sense of security among their users. There's no word yet on how exactly Google plans to prevent this situation in the future, as there aren't any mandated checks in place from Google to ensure that devices are running the security patch level they claim to be running. However, a new set of reports now indicates that some OEMs are claiming that their devices are updated with the latest security patches from Google without actually installing them. Yes and no. While it's disgraceful for the companies to misrepresent a security patch level, SRL points out that chip vendors are often to blame: devices sold with MediaTek chips often lack many critical security patches because MediaTek fails to provide the necessary patches to device makers. The reported patch level is incredibly simple to fake: even you or I could do it on a rooted device by modifying ro.build.version.security_patch in build.prop. While Nohl and Lell found, on average, between zero and one missed patches since October 2017 on each Samsung, Google and Sony phone they tested, they found between three and four missed patches on the Motorola phones.

While many of these missed security patches may not be inherently unsafe in isolation, hackers typically chain together multiple security holes to reach their goal, taking over devices and stealing data.

"Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks", the SRL website preview says. By skipping patches, some devices may still be vulnerable to Android attacks, despite the firmware date showing that it shouldn't be an issue.

"We found several vendors that didn't install a single patch but changed the patch date forward by several months."

Indeed, Google is the source of Android's security patches. The more alarming detail is not that the security patches had been missed, but rather the number of times that the patches weren't applied. After the release of an update, chipset makers adjust the update to their requirements and then push it to smartphone manufacturers.

ZTE and TCL are among the worst offenders, followed by HTC, LG, Motorola, and Huawei. Security updates are one of many layers used to protect Android devices and users. Your phone may say it is patched, but in reality, it may not be. The company tried to do some damage control by listing mechanisms such as Google Play Protect, which are being developed to provide an extra layer of security.