From the Editor's Desk: Security, signal and noise

Another Android security scare, another round of muddled reporting. Your Android phone might not have all the security updates it claims to. As reported this week, research from SRL (Security Research Labs) has revealed that sometimes there's a discrepancy between the Android Security Patch date reported by a device, and the patches that are actually installed. So is your phone lying to you? Like most Android security stories, what's going on here is complex and nuanced. And, like most Android security stories, it's been badly reported by most media outlets, conflating the few situations where a less reputable manufacturer will just YOLO it and arbitrarily set the patch date ahead, with other explanations for patches not being found by SRL. SRL's method involves "two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings." It's important to highlight this upfront, because that's all the information we currently have on the method being used to draw some pretty significant conclusions. Even if this method is perfect, it fails to account for specific vulnerabilities either not affecting specific handsets, and thus not being required. Speaking to Wired, SRL's Karsten Nohl claims this is "definitely not a significant number" of the missed patches. However, the firm's own research shows very small numbers of missed patches in the timeframe of the original research: between 0 and 3 for manufacturers including Google, Sony, Samsung, Xiaomi, Nokia and OnePlus. For others, like MediaTek, whose chips are often found in white-label devices that are lucky to receive any updates ever -- yeah, all bets are off. In its response, Google rightly points out that even with a handful of missing patch levels, other security patches and Android's built-in protections makes taking advantage of a missing security patch extremely difficult. That's not to excuse shoddy programming, or even deliberate corner-cutting. Missing any part of a security patch is bad, and it's clear that SRL's important research has uncovered some manufacturers either being sloppy, or, in some cases that don't include major Western phone brands, cheaping out and just skipping the clock ahead. In most of these cases, given how few consumers even know what the Android Security Patch level means, the cause is likely something other than a master plan to mislead consumers while leaving their phones vulnerable. To put it another way, we should hesitate to attribute to malice that which can be adequately explained by stupidity. But let's get back to the testing method itself, because there's one important nugget of info to be found in Google's official response to all this: We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Translate this from PR speak, and it tells you at least some of these missed patches are false positives: The manufacturer has patched the underlying issue, but not in the exact way Google specifies. That's fine from a device security perspective, and in specific cases the manufacturer or chipmaker will know things about their hardware that Google doesn't, making this the optimal way to patch the issue anyway. With a Samsung or a Motorola or a Sony, this is a far more likely explanation for the Google-sanctioned patch being absent, and Google's mention of it in this press statement is important to note considering the small numbers of missed patches we're seeing from the big Android brands. These are all important parts of the signal that are being lost in the noise and outrage. Given the history of reporting around Android security issues, the cavalcade of BS you see in a Google news search for "android security patches" isn't surprising. Android has a great many security challenges, and the diversity of the Android ecosystem means there'll always be examples of chancers who don't update devices, or sloppy programming from certain OEMs that introduces new vulnerabilities. Ultimately, though, this is yet another Android security scare that isn't as bad as it first appeared. Other odds and ends for a working Sunday: The Porsche Design Huawei Mate RS is a beautiful and ridiculous piece of technology, which I'm going to have fun testing over the coming weeks. I'll be using the cheaper of the two models, the 6/256GB variant, which only costs two thousand U.S. dollars 😬. In-display fingerprint though? Ehhh... in its current incarnation, it's just not quite ready yet, as evidenced by the two other biometric unlock options used by the Mate RS. It's fun to demo, but not as fast or reliable as it needs to be. (That said, bear in mind I'm using non-final software on this unit.) The Xperia XZ2 Compact looks like the tall-screened miniature flagship many will have been waiting for. Every time I've gone back to a smaller phone, though, I've missed the extra real estate offered by 6-inch 18:9 handsets. There's a reason the high-end Android world has settled on this as the new standard. Interesting discussion here around what form navigation buttons in Android P and the Pixel 3 will eventually take. We're still at the point where Google's certainly experimenting with multiple options for its next phones, though. Oh, and go check out our Huawei P20 + P20 Pro video review, shot in Paris a couple of weeks ago. That's it for now. Next Editor's Desk from me will come just in time for some pre-I/O thoughts. -Alex

date: Sun, 15 Apr 2018 17:37:13 +0000