Mobile Security - this path will not be easy...

01/10/2020
G DATA Blog

Updates are essential for the security of Android devices. However, given the different operating system versions, it is difficult to keep track. We shed light on the version labyrinth and provide tips to improve security.

If you always want to have the latest Android version, you can’t beat Google's Pixel series. Other Android manufacturers are not as reliable. The update policy of many manufacturers has so far left consumers confused as to whether the devices available in stores will still receive updates in the long term. Google has taken a first important step with Project Treble, to provide the major Android flagships in particular with updates more quickly. Whereas it previously took an average of 192 days for the Nougat update to reach the most important smartphones, and 170 days for the Oreo version to do so, OEM manufacturers rolled out Android Pie just 118 days after its launch. However, the times vary considerably between individual manufacturers. Samsung, Huawei and Xiaomi, in particular, have almost halved deployment times.

Do-it-yourself

Monthly Android updates ensure the protection of the devices and, thereby, the users too. The manufacturers always provide an up-to-date overview of current patches and security fixes very promptly. The most important addresses are:

There's a catch, though. Even if the patch level is up to date, there is still a residual risk. This is because a review of missed security updates raises doubts about Google's Android patch level system. German security experts have found critical patches that should have been installed on devices with a given patch level, but were not there. On some devices, up to a dozen patches were missing. This may seem sketchy, but Google is not necessarily to blame. This is because the US-based company usually releases two patch levels per month - one for Android bugs and a second one for bugs in kernel and chipset drivers. In their review, the experts have come to the conclusion that some manufacturers give users a false sense of security. One possible explanation for missing patches is the chipset used in devices and a specific vulnerability associated with it. However, security updates represent only one security level among many to protect Android devices. Further protection measures are app sandboxing and the Play Store Bouncer. In addition, experience shows that it is easier for cyber criminals to compromise smartphones via infected apps - either directly via Google's Play Store or via third parties. If you want to monitor the patch status of your device more closely, you should use the free patch verification app “SnoopSnitch”.

Other Google projects

With each new operating system version, Google implements projects with the goal of providing the most comprehensive enhancements for Android devices. One example is Android One. With this initiative, Google provides much faster updates to a wider range of customers. The reason is that Android One devices are equipped with a standard operating system. Consequently, they lack user-defined skins, software or applications that need to be updated and tested for compatibility. While this is certainly at the expense of individuality, it does benefit security. In addition, Android One smartphones receive upgrades to the current version of the operating system for at least two years, as well as monthly security updates for three years. Google promises extensive security combined with a consistently high performance. Android One is much tidier and has fewer dependencies within the system, making it more widely distributed, especially on cheaper phones.

Another project is called Mainline and is based on Treble. The goal is to make the deployment of Android updates easier and faster. Basic operating system components are updated in the same way as apps are updated via Google Play. This approach enables developers to deliver selected components faster and over a longer period of time - independent of a full update from the respective manufacturer. The updated framework components are located above the Treble interface and hardware-specific implementation and below the apps layer. Users benefit in terms of security, privacy and consistency. In this way, with Project Mainline, Google delivers faster security fixes for critical security issues - for example, by modularising media components, which accounted for nearly 40 percent of recently patched vulnerabilities.

An essential component of Project Mainline is Pony EXpress. Android Pony EXpress (APEX) is a container format used in the installation process for subordinate system modules. This format makes it easier to update system components that do not fit into the standard Android application model. This allows important security and performance enhancements that were previously required for full operating system updates to be downloaded and installed as easily as an app update. Google has also developed new fail-safe mechanisms and improved testing processes to ensure the secure delivery of updates.

Mobile Security - there is still much to do

The issue of security is becoming ever more crucial for smartphones and tablets, because smartphones are taking on more and more security-critical tasks. More and more people are using smartphones and tablets as a digital cockpit for their everyday lives, for example to control their smart homes while they are out. Another example of security-critical use is the Payment Services Directive PSD2. This ensures that more and more people use two-factor authentication for online banking with their mobile devices. .

Alexander Burris

So anyone who uses a smartphone with an outdated operating system or a missing security patch is wilfully opening the door to criminals. It is therefore in the user’s own interest to use a “secure” smartphone. This also requires manufacturers to put the issue of security at the top of their agenda. Initial projects are moving in the right direction, but the majority of the work still lies ahead for all those involved. Ultimately, it is up to customers to decide what priority they give to security when buying a smartphone.

Alexander Burris

Lead Mobile Researcher at G DATA CyberDefense