The Android patch ecosystem – Still fragmented, but improving

Since 2018, SRLabs has refined Android patch analysis through the app SnoopSnitch [1]. Recent SnoopSnitch data paints an improved picture of the Android ecosystem over what we saw in 2018 [2]. All major vendors appear to apply patches more regularly, and some of the vendors implement security updates exceptionally fast.

This research update answers the main question: Have vendors improved their patching hygiene since 2018? TL;DR: Yes.

Data set. The analysis discussed herein focuses on official firmware builds and excludes community firmware builds such as LineageOS. We augmented crowdsourced results from SnoopSnitch users’ phones with results from analyzing our own large collection of firmware builds. In the past years, we have collected tens of thousands of results from SnoopSnitch, among which we identified around 10.000 unique builds with patch level dates from 2018 and around 7000 unique builds with patch level dates from 2019.

Improved patching. We found that on average, for official firmwares released in 2019 missed only about half as many patches as comparable firmwares released in 2018. Monthly security updates were delivered faster too, with patches being integrated into firmware builds about 15% faster, decreasing from within 44 days to 38 days.

Remaining gap. While these statistics are encouraging, the Android ecosystem still continues to become more fragmented. Several Android versions need to be supported in parallel while unsupported end-of-life versions continue to be widely used in the wild. Among SnoopSnitch users, only 30% of unique uploads in 2019 were from devices running Android 9 or newer. (For comparison, statcounter.com observed just 22% market share of Android 9 across 2019[6], suggesting that SnoopSnitch users tend to use newer phones.)

Vendors continue to improve the speed to bring patches to their Android phones

In 2019 only, 90% of unique firmware builds for major Android vendors [4] were released within 38 days of the SPL. The same number for the year 2018 was 44 days.

In the last two years, vendors seem to have also improved their patching processes. In 2019, the rate of missed patches was below 0.3 [down from 0.7 in 2018] per unique firmware build on average.

Table 1: Patching analysis of major Android vendors

Notes for Table 1:

  • Patch delays are approximated from the difference between the build date and patch level date of firmware uploads; the above value, where applicable is the median of all calculated delays per vendor
  • Counting only critical and high severity patches
  • The number of missed patches is the average value of all missed patches per vendor
  • *Samples – Few: 0-50; Many: 50-100; Lots: 100+ unique builds
  • Not all patches are included in our tests, so the real number could be higher still
  • In the statistical analysis, only those uploads are considered that had a patch level from 2018 and 2019, respectively
  • A missing patch does not automatically indicate that a related vulnerability can be exploited
Figure 1: In 2019, no more vendors were observed to have missed more than two critical or high severity patches on average. Most missed fewer than one patch on average.

Overall, we find that vendors tend to patch their most widely deployed Android versions (e.g. Android 7.1.1 for Samsung and Xiaomi, Android 9 for Asus) faster than less-widely deployed versions. Less widely deployed versions, even if more recent, were more likely to see delayed updates or missed patches.

Figure 2: Samsung generally increases speed of patching specific Android versions over time
Figure 3: Xiaomi takes more time to implement patches for Android versions less common on their devices, such as Android 8.0.
Figure 4: As there are gradually fewer devices running older Android versions, Motorola can focus on delivering patches more quickly for the latest available versions
Figure 5: Nokia with a less broad device portfolio patches exceptionally quickly

Some vendors, including Nokia and Google, are able to patch exceptionally fast. Newer Android versions are usually built days, in some cases weeks, before the public Android Security Bulletin [1] is posted. See Figure 5. This is possible because vendors get access to the same information one month ahead of the public. The fast vendors use vanilla Android rather than highly customized Android versions, hence have less effort in applying patches. The fast vendors have also released fewer devices, further streamlining the patching process compared to vendors who have to a large portfolio of devices to maintain.

Lastly, we found that most major vendors (e.g. Samsung, Motorola, Xiaomi, Huawei, OnePlus) clearly improve over time at patching new Android versions, as shown in Figure 2.

Most firmwares for supported Android versions have been patched recently

Major Android vendors continued to improve patching accuracy and patching speed in 2019. The majority of unique firmware in use among SnoopSnitch users have security patch level dates issued within the last four months.

The remaining patch gap appears arise from the complexity of the ecosystem and the number of Android versions that must be supported by each vendor. Vendors provide security updates for devices that operate on a range of different Android versions. According to recent statistics, Android 9 is present on 10% of Android devices globally, while Android 8 is present on 28% and Android 7 on 19%. [5] The variety of Android versions in use is reflected in our own data as well. Among SnoopSnitch users, who can be presumed to be more security conscious and more likely to accept major firmware updates, Android 9 was present on just 30% of devices, while Android 8 was present on approximately 40% and Android 7 on 30% (not including unsupported Android versions).

We found vendors best able to patch the versions of Android most commonly found on their devices. And it takes a longer time for vendors to provide security updates for less widespread Android versions. As a result, the Android ecosystem still has security challenges that arise from its fragmented nature.

To test your own device’s Android patch level, and other security properties of your phone and mobile network, install SnoopSnitch today, available in the Playstore, FDroid, and as apk.

References:

[1] https://opensource.srlabs.de/projects/snoopsnitch

[2] https://srlabs.de/bites/android_patch_gap/

[3] https://source.android.com/security/bulletin 

[4] Google, Samsung, Huawei, Xiaomi, Motorola, Oppo, LG, Nokia, Asus, Lenovo, Vivo, ZTE, OnePlus, Sony

[5] https://developer.android.com/about/dashboards/index.html

[6] https://gs.statcounter.com/android-version-market-share/mobile-tablet/worldwide/#monthly-201901-201912-bar