Security patches for smartphones are extremely important because many people store personal data on their devices. Lots of Android phones out there get regular security patches, but according to a new report, some of them are lying about the patches that they've actually gotten.
According to a study by Security Research Labs, some Android phones are missing patches that they claim to have. Wired explains that SRL tested 1,200 phones from more than a dozen phone makers for every Android security patch released in 2017. The devices tested include ones from Google, Samsung, Motorola, LG, HTC, Xiaomi, OnePlus, Nokia, TCL, and ZTE.
The study found that outside of Google and its Pixel phones, well-known phone makers had devices that were missing patches that they claimed to have. "We found several vendors that didn't install a single patch but changed the patch date forward by several months," says SRL founder Karsten Nohl.
The number of missing security patches on phones varied between device makers. For example, Google, Samsung, and Sony devices were found to be missing 0 or 1 patches on average. Xiaomi, OnePlus, and Nokia devices were missing 1 to 3 patches on average, while HTC, Huawei, LG, and Motorola were missing 3 to 4 patches on average. Devices from TCL and ZTE fared the worst, missing an average of 4 or more patches that they claimed to have.
When asked for comment on this report, Google told Wired that some of the devices tested may not have been Android certified, meaning that they aren't held to Google's security standards. Google also noted that Android devices have security features to make them more difficult to hack and that, in some cases, a device maker may have simply removed a device's vulnerable feature rather than patching it.
"We’ve launched investigations into each instance and each OEM to bring their certified devices into compliance when we’ve been able to reproduce their findings...[but] each instance really needs further investigation," Google said.
This report is a pretty big deal for Android devices. As I said before, security patches are a big deal because a lot of people store private, personal data on their phones, and so it's important that those devices are secure. And while it is very possible that some devices tested by SRL aren't Android certified and that some devices may have just had their vulnerable features removed, it's also possible that there are some instances in which an OEM said that they had updated a phone with new security patches when they actually hadn't.