You consider yourself a responsible smartphone user. You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it. At least, you think your phone is patched against the most recent security exploits, but is it really? A new report suggests that's likely not the case, claiming that many phones are missing at least one, and sometimes ten or more security patches.
Security Research Labs looked into the state of updates for some 1,200 phones from a variety of major manufacturers, and found that despite these handsets claiming that their software is caught up with Android security patches as of certain dates, one or more fixes were often missing.
Some manufacturers tend to do a lot better than others. Unsurprisingly, Pixel phones are the best, accurately indicating that they're up to date with security fixes, and devices from Samsung and Sony aren't far behind, maybe only missing one fix out of a larger batch. But that number starts creeping up higher as we look at hardware from LG, HTC, Motorola, and ZTE — the latter's phones averaging four or more absent patches.
Why wouldn't a company deliver all the fixes we'd expect it to? One theory points to the chipsets these handsets are running, as there seems to be a correlation between particular SoCs and the availability of security updates: Snapdragon-based phones and those running Samsung's Exynos chips may only have one recent fix missing, while those built with MediaTek chips average nearly ten. And if a company making those chips isn't keeping up with patches, it becomes quite difficult for the manufacturers of the phones running them to fully secure their devices.
That all said, it's not necessarily a disaster that your phone might not have every single last possible security patch installed, and it often takes more than one unpatched bug to leave your phone open and vulnerable to attackers. The good news is that Android's underlying security architecture does its best to mitigate the impact of malicious actors, and even if your OEM skipped one or two patches, so long as it's caught up with the bulk of them, you're probably in good shape.
Right now we just have a bird's-eye view of this issue, but more details should be landing soon as SRL researchers present their findings at a conference this Friday. While we hope to learn a bit more about exactly which phones are missing which fixes, there's also another concern beyond just knowing whether or not your phone is actually secure, and that involves the degree to which manufacturers have been misleading their users.
It would be one thing if companies were outright telling us that an update contained X out of Y recent fixes (and better still if they briefly mentioned the reasons for skipping the others), but with the way things have been operating so far, users could easily have the impression that their phones are more patched than they actually are. We're already placing a lot of faith in these businesses to help keep our information secure, and if that trust starts to decay, the consequences have the potential to be severe.
If you're curious about how your own phone is faring when it comes to all this, you can check out SRL's SnoopSnitch app, which compares the patch level your phone claims to have installed against the actual fixes present on your handset.
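The comparison described above, claimed patch level versus fixes actually present, boils down to a simple reconciliation. The following is an added example, not SRL's code or the SnoopSnitch app's logic: it assumes a constructed bulletin table with placeholder fix IDs (not real CVE numbers) and a set of fixes that some detection step has found on the handset, and reports the gap in the form the article discusses.

```python
from datetime import date

# Constructed sample data (not SRL's real dataset): each Android security
# bulletin level, written as the date string a phone reports in
# ro.build.version.security_patch, maps to placeholder fix identifiers.
BULLETINS = {
    "2018-01-05": ["FIX-A1", "FIX-A2", "FIX-A3"],
    "2018-02-05": ["FIX-B1", "FIX-B2"],
    "2018-03-05": ["FIX-C1", "FIX-C2", "FIX-C3"],
    "2018-04-05": ["FIX-D1"],
}

def parse_level(level: str) -> date:
    """Turn a 'YYYY-MM-DD' patch level string into a date."""
    return date.fromisoformat(level)

def expected_fixes(claimed_level: str) -> set:
    """Every fix from bulletins dated at or before the claimed level."""
    claimed = parse_level(claimed_level)
    return {
        fix
        for level, fixes in BULLETINS.items()
        if parse_level(level) <= claimed
        for fix in fixes
    }

def patch_gap(claimed_level: str, fixes_present: set) -> dict:
    """Compare the claimed level against the fixes actually detected and
    return the missing ones grouped by bulletin, plus an accuracy verdict."""
    missing = expected_fixes(claimed_level) - fixes_present
    by_bulletin = {
        level: sorted(f for f in fixes if f in missing)
        for level, fixes in BULLETINS.items()
        if any(f in missing for f in fixes)
    }
    return {
        "claimed_level": claimed_level,
        "missing_count": len(missing),
        "missing_by_bulletin": by_bulletin,
        "claim_accurate": not missing,
    }

if __name__ == "__main__":
    # Constructed handset: claims March 2018, but both February fixes are absent.
    detected = {"FIX-A1", "FIX-A2", "FIX-A3", "FIX-C1", "FIX-C2", "FIX-C3"}
    print(patch_gap("2018-03-05", detected))
```

Fixes from bulletins newer than the claimed level are deliberately not counted as missing, since the phone never claimed them.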