The Android ecosystem contains a hidden patch gap

Android is the most successful operating system to date, with two billion devices in active use. With success comes responsibility, in this case for the security and privacy of mobile users all over the world. One central pillar of keeping these devices secure is providing regular patches.

Android has had its difficulties with patching in the past: in 2016, only 17% of devices were running a recent patch level. Since then, many device vendors have improved their patching frequency, and many phones now receive monthly security updates.

Installing patches every month is an important first step, but it is still insufficient unless each update actually contains all the patches for the patch level it claims. Our large study of Android phones finds that most Android vendors regularly omit some patches from their updates, leaving parts of the ecosystem exposed to the underlying risks.

Android vendors differ in their patch completeness. Notes on the table (the table itself is not reproduced in this text):

– The table shows the average number of missing Critical and High severity patches dated on or before the firmware's claimed patch level
– Samples: Few = 5-9 firmwares tested; Many = 10-49; Lots = 50+
– Some phone models appear several times, with different firmware releases
– Not all patch tests are conclusive, so the real number of missing patches could be higher
– Not all patches are covered by our tests, so the real number could be higher still
– Only phones with a claimed patch level of October 2017 or later are considered
– A missing patch does not automatically mean that the related vulnerability is exploitable on that phone

[Data current as of April 12, 2018. Check back here for future updates.]
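
As an added worked example (not code from the original page or from the study it describes), the following Python shows how the table's headline number, missing Critical and High patches dated on or before a firmware's claimed patch level, can be computed per build and then averaged per vendor while honouring the notes above: inconclusive tests are reported but never counted as missing, builds claiming a patch level before October 2017 are dropped, and vendors are bucketed by sample count. All vendors, models, patch IDs and test results are constructed placeholders (the IDs are not real CVE numbers), and the getprop parsing assumes the standard `[key]: [value]` output format of `getprop`.

```python
"""Added example: counting missing patches per firmware and per vendor.
Vendors, models, patch IDs and results are constructed placeholders."""

from collections import defaultdict
from datetime import date
from statistics import mean

# Hypothetical patch catalogue: placeholder IDs (not real CVE numbers) mapped to
# the month of the security bulletin that shipped the fix and its severity.
PATCHES = {
    "PATCH-1": (date(2017, 10, 1), "Critical"),
    "PATCH-2": (date(2017, 11, 1), "High"),
    "PATCH-3": (date(2017, 12, 1), "Moderate"),
    "PATCH-4": (date(2018, 2, 1), "Critical"),
}

COUNTED_SEVERITIES = {"Critical", "High"}
MIN_CLAIMED_LEVEL = date(2017, 10, 1)   # table note: October 2017 or later

# Constructed test records, one per firmware build. "claimed" is the patch level
# the build reports; each result is "patched", "missing" or "inconclusive".
SAMPLE_BUILDS = [
    {"vendor": "VendorA", "model": "A1", "claimed": date(2018, 1, 1),
     "tests": {"PATCH-1": "patched", "PATCH-2": "missing",
               "PATCH-3": "missing", "PATCH-4": "missing"}},
    {"vendor": "VendorA", "model": "A2", "claimed": date(2018, 2, 1),
     "tests": {"PATCH-1": "missing", "PATCH-2": "inconclusive",
               "PATCH-3": "patched", "PATCH-4": "missing"}},
    {"vendor": "VendorB", "model": "B1", "claimed": date(2017, 12, 1),
     "tests": {"PATCH-1": "patched", "PATCH-2": "patched",
               "PATCH-3": "missing", "PATCH-4": "patched"}},
    # Claimed level before October 2017: excluded by the table's selection rule.
    {"vendor": "VendorC", "model": "C1", "claimed": date(2017, 9, 1),
     "tests": {"PATCH-1": "missing", "PATCH-2": "missing"}},
]


def parse_patch_level(getprop_line):
    """Parse the claimed patch level from a getprop output line such as
    '[ro.build.version.security_patch]: [2018-01-05]'."""
    value = getprop_line.strip().rsplit("[", 1)[1].rstrip("]")
    return date.fromisoformat(value)


def missing_before_claimed(build):
    """Count Critical/High patches dated on or before the build's claimed
    patch level that the test found missing. Returns (missing, inconclusive);
    inconclusive tests are reported separately and never counted as missing,
    which is why the table's numbers are a lower bound."""
    missing = inconclusive = 0
    for patch_id, result in build["tests"].items():
        bulletin, severity = PATCHES[patch_id]
        if severity not in COUNTED_SEVERITIES or bulletin > build["claimed"]:
            continue   # not a patch the claimed level promises to include
        if result == "missing":
            missing += 1
        elif result == "inconclusive":
            inconclusive += 1
    return missing, inconclusive


def sample_bucket(n):
    """Map a vendor's sample count to the table's size labels."""
    if n >= 50:
        return "Lots"
    if n >= 10:
        return "Many"
    if n >= 5:
        return "Few"
    return None   # under 5 samples: assumed too few for a table row


def vendor_summary(builds, min_claimed=MIN_CLAIMED_LEVEL):
    """Average missing patches per vendor over builds claiming min_claimed or later."""
    per_vendor = defaultdict(list)
    for build in builds:
        if build["claimed"] < min_claimed:
            continue
        per_vendor[build["vendor"]].append(missing_before_claimed(build))
    summary = {}
    for vendor, results in per_vendor.items():
        summary[vendor] = {
            "samples": len(results),
            "bucket": sample_bucket(len(results)),
            "avg_missing": mean([m for m, _ in results]),
            "inconclusive": sum(i for _, i in results),
        }
    return summary


if __name__ == "__main__":
    for vendor, row in sorted(vendor_summary(SAMPLE_BUILDS).items()):
        print(vendor, row)
```

Two caveats from the notes are visible in the code: a patch newer than the claimed level is never counted against a build (PATCH-4 on the A1 build), and an inconclusive result is carried alongside the missing count rather than folded into it, so the average can only understate the real gap.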

Android exploitation is still hard

Modern operating systems include several security barriers, for example ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone. Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.

The criminal ecosystem seems to understand the challenges of hacking Android phones. Instead, criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to those apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year.

That leaves state-sponsored and other persistent hackers, who usually operate stealthily. These well-funded attackers would typically resort to “zero day” vulnerabilities, but they may also rely on known bugs to build effective exploit chains. Patching those known bugs therefore raises the effort even for very determined attackers.

Be aware of your Android patch level

As Android keeps growing in popularity, the incentives for hacking it will only keep growing, as will the ecosystem’s responsibility for keeping its users secure. No single defense layer can withstand large hacking incentives for very long, which is why “defense in depth” approaches stack multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.

Now that monthly patches are an accepted baseline for many phones, it’s time to ask that each monthly update actually cover all the patches for the patch level it claims. And it’s time to start verifying vendor claims about the security of our devices. You can measure the patch level of your own Android phone using the free app SnoopSnitch.

Details of this research were presented at the HITB conference on April 13, 2018, in Amsterdam: Announcement and slides