Updated on 2022-11-26: Android Vendors Need to Minimize the Patch Gap
The patch gap is the length of time it takes for a patch from a vendor for a known flaw to reach device manufacturers. In June and July of this year, Google’s Project Zero (GPZ) discovered five vulnerabilities in the Arm Mali GPU driver. Arm released patches in July and August, but when GPZ recently examined major Android handsets, none of them had applied the fixes.
- It has been an ongoing problem for Android users that updates to the operating system need to first pass handset makers and carriers, leading to long delays in the availability of patches, and in some cases, making patches unavailable at all for some handsets. Your best bet is a handset that is part of “Android One” which also avoids preinstalled bloatware.
- Google does patch its Pixel phone faster than other Android-based phone vendors much of the time, so it does seem odd that Google’s own Project Zero found the flaws and Google still hasn’t patched them on the Pixel phone. This undermines one of the claimed benefits of choosing a Pixel phone.
- Google has started work on doing several things to make the patch gap smaller. One of the significant issues is how forked the Android Linux Kernel is from the Linux Kernel. Check out Project Mainline to see how they are trying to address this. One of the other projects that Android has been working on is Android One. The biggest challenge will be proprietary drivers from the Smartphone makers. This is something Google will not be able to control entirely. Unfortunately, this is where Google Pixel and Apple may have the edge. Is this an area that needs to be addressed with regulation? Will regulation slow things down unnecessarily? It’s a complicated problem to solve. Maybe it’s best left to the hands of the consumer if that means that we sacrifice smaller players or cheaper devices.
- When it comes to Android, just as with Windows, there are multiple manufacturers to choose from. When assessing them, be sure to factor in both their plans for delivering updated versions of the OS and security patches, as well as deployment of firmware updates to their hardware components. Also make sure you have lifecycle replacement plans for mobile devices just as you would for more traditional IT; for Android devices that will be about three years.
- If “patch gap” is the “time it takes for a patch from a vendor …to reach device manufacturers,” then “patch lag” is how long it takes for it to reach your device. Lag is what is more important.
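Measuring the “patch lag” the comments above describe is straightforward once you have each device's security patch level. The following is an added example, not code from the article or from Google or Project Zero: it parses the `[key]: [value]` output of `adb shell getprop`, reads the real Android property `ro.build.version.security_patch` (a monthly patch level expressed as an ISO date), computes how far each device lags a reference date, and checks whether a given fix level has reached the device. The device dumps, the reference date, the 90-day policy threshold and the fix level are constructed or assumed; the article gives no patch-level date for the Mali fixes, so the fix level here is a placeholder.

```python
"""Fleet patch-lag audit for Android devices (added example, not from the article).

Property names are real Android system properties; all device data, the
reference date, the threshold and the fix level below are constructed/assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Constructed sample data: three fake device dumps in `getprop` output format.
SAMPLE_DUMPS = {
    "dev-a": (
        "[ro.product.manufacturer]: [ExampleCo]\n"
        "[ro.product.model]: [Phone One]\n"
        "[ro.build.version.release]: [13]\n"
        "[ro.build.version.security_patch]: [2022-11-05]\n"
    ),
    "dev-b": (
        "[ro.product.manufacturer]: [OtherCo]\n"
        "[ro.product.model]: [Budget X]\n"
        "[ro.build.version.release]: [11]\n"
        "[ro.build.version.security_patch]: [2022-05-01]\n"
    ),
    "dev-c": (
        "[ro.product.manufacturer]: [ThirdCo]\n"
        "[ro.product.model]: [Legacy Z]\n"
        "[ro.build.version.release]: [9]\n"
        "[ro.build.version.security_patch]: [2021-08-05]\n"
    ),
}

AS_OF = date(2022, 11, 26)             # assumed reference date for the audit
ASSUMED_FIX_LEVEL = date(2022, 9, 5)   # placeholder patch level carrying a fix; not from the article
MAX_LAG_DAYS = 90                      # assumed policy: flag devices lagging more than this

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict[str, str]:
    """Turn `[key]: [value]` lines into a dict; lines that don't match are ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        m = PROP_LINE.match(raw.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


@dataclass(frozen=True)
class DeviceStatus:
    device_id: str
    model: str
    security_patch: date   # monthly Android security patch level on the device
    lag_days: int          # days between that level and the reference date
    over_threshold: bool   # True when the lag exceeds the policy maximum


def device_status(device_id: str, dump: str, as_of: date,
                  max_lag_days: int = MAX_LAG_DAYS) -> DeviceStatus:
    """Compute patch lag for one device from its getprop dump."""
    props = parse_getprop(dump)
    # ro.build.version.security_patch is an ISO date such as 2022-11-05.
    level = date.fromisoformat(props["ro.build.version.security_patch"])
    lag = (as_of - level).days
    maker = props.get("ro.product.manufacturer", "?")
    model = props.get("ro.product.model", "?")
    return DeviceStatus(device_id, f"{maker} {model}", level, lag, lag > max_lag_days)


def fix_reached(status: DeviceStatus, fix_level: date) -> bool:
    """True when the device's patch level is at or after the level in which a fix shipped."""
    return status.security_patch >= fix_level


def audit_fleet(dumps: dict[str, str], as_of: date,
                max_lag_days: int = MAX_LAG_DAYS) -> list[DeviceStatus]:
    """Status for every device in the fleet, worst lag first."""
    statuses = [device_status(i, d, as_of, max_lag_days) for i, d in dumps.items()]
    return sorted(statuses, key=lambda s: s.lag_days, reverse=True)


if __name__ == "__main__":
    for s in audit_fleet(SAMPLE_DUMPS, AS_OF):
        flag = "LAGGING" if s.over_threshold else "ok"
        reached = "yes" if fix_reached(s, ASSUMED_FIX_LEVEL) else "no"
        print(f"{s.device_id:6} {s.model:18} level={s.security_patch} "
              f"lag={s.lag_days:4}d {flag:8} fix_reached={reached}")
```

On a real fleet, the dumps would come from your MDM inventory or from `adb shell getprop` per device; the patch level only tells you which monthly bulletin the vendor has integrated, so driver fixes that never entered a bulletin (the situation the article describes) will not show up in this check.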
Read more in
- News and updates from the Project Zero team at Google
- Google warns: Android ‘patch gap’ is leaving these smartphones vulnerable to attack
- ‘Patch Lag’ Leaves Millions of Android Devices Vulnerable
Updated on 2022-11-25: Android patch gap
Google’s Project Zero team warns that there is a patch gap in the Android ecosystem where patches for vulnerabilities in various drivers often linger for months before they are shipped to consumers. Google gives the example of several vulnerabilities in the Arm Mali GPU drivers for which fixes have yet to reach many end-user devices, despite receiving official patches from Arm this summer. Devices from Google, Samsung, Xiaomi, Oppo, and other phone makers are still vulnerable. Read more: Mind the Gap
Updated on 2022-11-24
Google’s Project Zero found five exploitable vulnerabilities in the ARM Mali GPU driver used in a large number of Android devices; despite ARM being notified and releasing patches for the flaws, devices remain exploitable because Android phone vendors haven’t pushed the patches downstream. Read more: Mind the Gap
RIP the feature that was there forever and nobody wanted to report :)
— w0 (@jgrusko) September 19, 2022
Overview: Android zero-day write-up
Project Zero’s Maddie Stone has published an analysis of three Android zero-day vulnerabilities (CVE-2021-25337, CVE-2021-25369, CVE-2021-25370) that were used as part of an exploit chain in attacks against Samsung device users. All three zero-days were patched in March this year. Read more: A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
“TAG believes belonged to a commercial surveillance vendor. These exploits were likely discovered in the testing phase. The sample is from late 2020. The chain merited further analysis because it is a 3 vulnerability chain where all 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component.”