Google security team says companies need to improve Android patching
Google is warning that Android smartphone manufacturers need to get better at patching their devices.
In a blog post published by Google's security research arm, Project Zero, researchers explain how Android's greatest strength, the decentralization of its ecosystem, is also its biggest weakness.
As things stand now, it says, the patching process is too slow, too cumbersome, and too fragmented, leaving consumers exposed to known and relatively easy-to-exploit vulnerabilities.
Decentralized woes
Android, built by Google, is based on Linux and is essentially an open source platform, so third-party smartphone manufacturers such as Samsung, Oppo, LG, and OnePlus maintain their own versions of the operating system.
Therefore, when Google releases a patch, it first needs to be analyzed and adapted by the manufacturer before it reaches the device. This means that Android users may remain exposed to malware for a long time.
If that period drags on too long and Google releases the details of the vulnerability to the public, cybercriminals get a window in which to compromise end devices without having to find new zero-days.
In contrast, Apple provides a closed ecosystem for its devices. The company is responsible for building much of its hardware and software. So, with updates under the strict control of Apple, whenever the company releases a patch, most terminals get it pretty quickly.
That's exactly what happened with CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by many Android devices, as TechRadar Pro reported in November 2022.
As soon as Google concluded its investigation of that zero-day in July 2022, it reported the results to ARM, which then patched the bug in August 2022. Thirty days later, Google publicly disclosed its findings.
However, Google found that all of its test devices using Mali were still vulnerable. "CVE-2022-36449 was not mentioned in any of the downstream security bulletins," it said at the time, citing what it calls a "patch gap".
"Just as users are advised to patch as quickly as possible after a release containing security updates is available, the same applies to vendors and companies," the blog post said.
"Minimizing the 'patch gap' as a provider in these scenarios is arguably more important, as end users (or other providers downstream) are blocked on this action before they can get the security benefits of the patch."
“Companies need to remain vigilant, follow upstream sources closely, and do their best to deliver complete patches to users as soon as possible.”