Google Forces Android Device Manufacturers To Provide Security Updates
In May of 2015, I was parked in a not-so-great area of San Francisco to attend a work event. After the event, all too eager to make my way home, I was looking up driving directions on Waze when I received a text message from a “friend”. The next thing I knew, my iPhone rebooted and required me to spend a few more minutes in a bad area of town until my phone had finished rebooting. Once my phone booted back up, I got the directions I needed, drove as fast as I could towards the freeway, and called my “friend” to deliver a few choice words. What actually happened was my iPhone received a specially crafted text message that was designed to crash the iPhone’s Unicode interpreter and force the phone to reboot. Apple quickly patched this flaw in the next release of iOS.
In the battle between Google’s Android and Apple iOS operating systems, there are many pros and cons that consumers weigh when selecting a phone, tablet, or set-top box device. iOS is a very closed operating system, effectively protecting users against themselves. Android is a very open platform allowing for the installation of non-App Store applications, unsigned code, and custom applications.
In my opinion, one of the major pros for iOS is that there is a single hardware source (Apple) and operating system, which allows security updates to be rolled out regularly. Apple devices reach end of support on a predictable schedule and within reason. My first generation iPad mini is stuck on iOS 9, but still runs like a champ. On the other side of that coin, Android devices come from many manufacturers (Samsung, Huawei, LG, Motorola, Google, etc.) and there is no standard on how operating system and security patches are rolled out. Depending on carrier lock, some updates are pushed from the phone’s carrier (AT&T, Verizon, T-Mobile) and some updates are pushed from the hardware manufacturers. Either way, I have a Motorola E Android phone that I have used for testing since 2016, running Android Lollipop (5.1), an operating system at least three major versions behind the current version. When I have an active internet connection and check for updates, the phone reports that I am up to date. There are likely thousands of security vulnerabilities that have been patched since version 5.1 that my phone will never receive.
Similar to Microsoft, Google releases a set of patches once a month for the most dangerous vulnerabilities discovered in its Android operating system. Responsible hardware manufacturers and carriers will roll these updates out to their users in a timely fashion in order to protect them. However, this is not always the case, as seen with my Motorola E phone, and Google is now going to do something about it. According to leaked documents from Google, Google’s new partnership agreement now includes explicit obligations for hardware manufacturers to roll out security updates to any popular phone or tablet for at least two years. As I have opined many times through my blog posts, unpatched devices that have patches available are ripe for exploitation. Attackers can quickly reverse engineer a released patch and turn it into an exploit, going after devices that have not received that patch.
Last month, security researchers released details on a remote compromise vulnerability in D-Link routers. D-Link acknowledged the vulnerability and announced that it would only patch two of eight affected models, as six of the affected models were already at end-of-life. The same risk from unpatched systems was seen with WannaCry, which occurred in May of 2017, even though Microsoft had released the patch to protect systems against its spreading mechanism, EternalBlue, in March 2017.
According to the leaked documents, any device running Android Oreo or later that was released after January 31, 2018 and activated by more than 100,000 users would be required to follow the new security patching standards. These standards would require at least 4 security updates within a year of the device’s initial launch. The second year also has update mandates, but no minimum number of releases had been reported at the time of writing. In addition to the minimum security updates, device manufacturers meeting the security requirements are also required to patch and release updates for vulnerabilities identified within the previous 90 days. If device manufacturers fail to meet the security requirements, Google could withhold approval of future devices.
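As an added example (not part of the leaked documents or any Google tooling), the reported criteria can be applied to a device inventory to see which devices fall under the mandate and which are behind. The `Device` record, the sample fleet, and the use of the latest update date as a proxy for the 90-day rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds as reported in the article; how Google measures them is not public.
OREO_API_LEVEL = 26                  # Android 8.0 (Oreo)
RELEASE_CUTOFF = date(2018, 1, 31)   # device must be released after this date
MIN_ACTIVATIONS = 100_000            # "more than 100,000 users"
MIN_FIRST_YEAR_UPDATES = 4
PATCH_WINDOW = timedelta(days=90)

@dataclass
class Device:                        # hypothetical inventory record
    model: str
    api_level: int
    launched: date
    activations: int
    patch_dates: list = field(default_factory=list)  # dates security updates shipped

def is_covered(d):
    return (d.api_level >= OREO_API_LEVEL and d.launched > RELEASE_CUTOFF
            and d.activations > MIN_ACTIVATIONS)

def audit(d, today):
    """Return a list of findings; an empty list means no gap was found."""
    if not is_covered(d):
        return ["not covered: no contractual update obligation"]
    findings = []
    first_year_end = d.launched + timedelta(days=365)
    shipped = [p for p in d.patch_dates if d.launched <= p <= first_year_end]
    # Judge the first year only once it is over; year two has no reported minimum.
    if today >= first_year_end and len(shipped) < MIN_FIRST_YEAR_UPDATES:
        findings.append(f"first-year updates: {len(shipped)} < {MIN_FIRST_YEAR_UPDATES}")
    # Proxy (assumption): no update in 90 days means no fixes from that window.
    latest = max(d.patch_dates, default=None)
    if latest is None or today - latest > PATCH_WINDOW:
        findings.append("latest security update older than 90 days")
    return findings

# Constructed sample fleet (not real devices or real update histories).
SAMPLE_FLEET = [
    Device("Example A", 27, date(2018, 3, 1), 250_000,
           [date(2018, 4, 5), date(2018, 6, 5), date(2018, 8, 5), date(2018, 10, 5)]),
    Device("Example B", 26, date(2018, 2, 15), 500_000, [date(2018, 3, 10)]),
    Device("Example C", 22, date(2015, 2, 1), 1_000_000),  # Android 5.1, predates the mandate
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        print(dev.model, audit(dev, date(2019, 3, 1)) or "ok")
```

A device like "Example C" is reported as not covered rather than compliant, which is the gap the article describes: older hardware can report itself up to date while sitting outside any update obligation.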
This news is very much welcome in the security industry, as a patchwork of operating systems and device manufacturers has created barriers in pushing security updates to Android devices. This is a step in the right direction, but will take time to filter down to the point where an average user will see a positive impact. However, security has to start somewhere and Google is taking the fight to hardware manufacturers and holding them accountable. Absent any security updates, a security proxy that inspects web traffic can protect unpatched devices against known vulnerabilities, and a cloud sandbox can inspect unknown files.