Google’s security team says companies need to get better at patching Android
Google is warning that Android smartphone manufacturers need to get better at patching their devices.
In a blog post (opens in new tab) published by Google’s cybersecurity arm, Project Zero, the researchers explain how Android’s biggest strength – the decentralization if its ecosystem – is also its greatest weakness.
As things stand now, it says the patching process is too slow, too cumbersome, and too divided, leaving consumers at risk of known and relatively easy-to-exploit vulnerabilities.
Decentralization woes
Android, while built by Google, is based on Linux, and it’s essentially an open-source solution, so third-party smartphone manufacturers like Samsung, Oppo, LG, and OnePlus can take ownership of their version of the operating system.
As a result, when Google releases a patch, it first needs to be analyzed and modified by the manufacturer, before being pushed to the device. This means that Android users may be at risk of being compromised by malware for an extended period.
If that period draws out for too long, and Google releases vulnerability details to the public, that gives cybercriminals a unique opportunity to compromise endpoints without needing to look for new zero-days.
In contrast, Apple offers a closed ecosystem for its devices. The company is in charge of building most of its hardware and software. So, with updates firmly under Apple’s control, whenever the company releases a patch, most endpoints get it fairly quickly.
That’s exactly what happened with CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by many Android devices that TechRadar Pro reported on in November 2022.
As soon as Google concluded its investigation of that zero-day in July 2022, it reported the findings to ARM, who then patched it in August 2022. Thirty days later, Google made its findings public.
However, all of the test devices that used Mali remained vulnerable to the issues, Google found. “CVE-2022-36449 is not mentioned in any downstream security bulletins,” it said at the time, raising the issue of what it calls the “patch gap”.
“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” the blog post reads.
“Minimizing the “patch gap” as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”
“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”
Audio player loading… Google is warning that Android smartphone manufacturers need to get better at patching their devices. In a blog post (opens in new tab) published by Google’s cybersecurity arm, Project Zero, the researchers explain how Android’s biggest strength – the decentralization if its ecosystem – is also its…
Recent Posts
- Google I/O 2024 live blog: it’s AI time
- Comcast’s StreamSaver bundle will put Netflix, Apple TV Plus and Peacock all under the same roof – and for a ‘vastly reduced price’
- Amazon to produce a live-action Tomb Raider series
- Senua’s Saga: Hellblade II highlights the next round of May Game Pass titles
- AMD RDNA 4 graphics cards could be imminent, as huge driver-related hint is dropped
Archives
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022
- June 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- December 2019
- November 2019
- December 2011