The last two years have proven interesting and important for security on Android devices. We’ve seen a number of high-profile security issues, such as the iCloud photo hack, those involving Snapchat and LinkedIn and, of course, the Stagefright security vulnerability. Although these security scares are not thought to be related, they illustrate the importance of keeping our data safe and secure. This starts with keeping our passwords safe, but there are other ways to ensure our information is kept locked away, such as using a lock screen code or password on our devices. However, as well as these active security measures, the software running on our device has an important role to play. And here, many of us are at the whim of our carrier and device manufacturer to provide the necessary software updates.
Google has pushed the Android market along with a number of changes. One of these changes was introduced last year after the Stagefright security vulnerability: the company announced regular monthly patches for Android, designed to resolve any identified bugs and uncovered security flaws. For Nexus owners, these updates arrive every month and can be anywhere from a few megabytes to a few hundred. It’s easy to see the date of the software on the Nexus range of devices, as the date is shown in Settings, About. Other manufacturers have started patching their own customised software using Google’s revisions to the code; at the time of writing, Samsung and BlackBerry stand out as two manufacturers offering regular software updates. This is a very good thing, because it typically means that exposed security flaws are dealt with on the device via these monthly patches.
By way of an example of how the monthly security patches can work, back in June a critical vulnerability was disclosed that could allow an attacker to circumvent full disk encryption on Android devices using certain Qualcomm Snapdragon processors, the market leader for Android System-on-Chips. This particular vulnerability had been identified before then, and Google released a fix for it in the May 2016 software patch, meaning that provided customers with Nexus, BlackBerry and Samsung devices have received and applied the patch for May, their devices are no longer vulnerable to this issue. Unfortunately, it means that customers with unpatched devices are, potentially, at risk. This also means that customers with older devices are potentially at risk.
How big is the issue? This is an impossible question to answer, but one thing is clear: hardware manufacturers (and carriers) should be encouraged to ensure they deliver these critical security updates in a timely fashion. The best way to encourage vendors to update their devices is to vote with our feet and buy the devices that are supported with these regular patches. This may mean buying a Google Nexus, Samsung Galaxy S model, or Android-powered BlackBerry device for the time being.