Why Are Android Devices Slow to Patch?
Of 57 vulnerabilities affecting the Android operating system and other components patched by Google in June’s update, 11 of the bugs were rated as critical.
Per the Android Open Source Project, Android partners are notified by Google of all issues at least a month prior to publishing them. For Google-owned devices like Pixel and Nexus, they will receive over-the-air updates over the course of a week and a half.
But for some users on non-Google owned devices, they may not receive the patches or latest Android version until much later, as ThreatPost reports. Part of the reason why is that new Android patches must first be tested on devices for compatibility, which takes time and effort on the vendor's side. Other vendors also operate on different timelines, although monthly updates are now considered standard.
As Duo Labs found in the latest iteration of The 2018 Duo Trusted Access Report, 90 percent of Android devices were not on the latest security patch released 26 days prior.
While the large percentage may be due to the lag in different vendor updates available to Android users, it also sheds light on how many may be potentially susceptible to known Android vulnerabilities.
Plus, some of the latest security research suggests that some Android vendors actually forget to include some patches in their security updates provided to their users, according to findings by Security Research Labs researchers Jakob Lell and Karsten Nohl, as reported by HelpNetSecurity. One older Samsung device running an older Android version, on a Jan. 2018 patch level was found to be missing a few critical and high-severity patches.
However, as Security Research Labs cautions, modern operating systems like Android have security barriers in place that make exploitation more complex - often a few missing patches cannot lead directly to a compromise.
Patching is critically important to uphold the effectiveness of the different security layers already found in Android.
As Kyle Lady of Duo Labs states:
“For most Android devices, users are at the mercy of their mobile carriers to provide updates. In turn, carriers have to wait for device manufacturers to provide updated software for each model they produce. The platform fragmentation of Android provides great flexibility for manufacturers, but with that upside comes the downside of a substantial overhead to produce updates for the combination of every model and every carrier.
Android phones on version 4.4.4 or higher have the ability to receive monthly security updates, which can be pushed out faster than whole new versions of the operating systems, which is a win for consumers, though it's still not as much of a benefit as having the improved security features that come with newer OS versions.”
Google continues to develop up-to-date platform security with protections built into the Android OS in order to make devices more difficult to compromise with app isolation using sandboxing, file-based encryption, Verified Boot and more.
According to last year's Google Android Security Report, they also provide compatibility resources, collaborate with manufacturers and carriers, and work with partners to help keep Android device security up to date. In 2017, they increased the number of Android devices that receive security patches by more than 30 percent.
Download the 2018 Duo Trusted Access Report to see more about the current state of device health and remote access.