You may have noticed that from time to time your Android smartphone prompts you to download and install a new version of its firmware. Maybe the first time it happened you thought you were receiving an update to the latest version of Android, or maybe some neat new features had been added. But ultimately it turned out to be a “boring” Android security update! While Android security updates are indeed boring, they are very important.
Let’s take a look at these security patches, and Android security in general, to see what is all the fuss about!
What are Android security updates?
It has been often said that “to err is human” and while, as Alexander Pope says, “to forgive is divine”, you will find that computers and hackers and not very forgiving! Whenever software is written it inherently contains errors, or bugs as developers like to call them. Trying to reduce the number of those bugs is one of the key aims of software engineers. Firstly, by trying to catch the bugs at the time that the software is written. Secondly, by fixing the bugs once they have been found.
There are two types of bugs. First, bugs which cause the software to behave incorrectly. Say, you type “001.300 * 02.7000” into the calculator app and it gives you the answer of 2.51. Clearly, something is wrong, maybe those extra zeros caused the software to behave unexpectedly? Once the problem has been found the software can be fixed and an update sent out to users. These bugs are generally a nuisance and if severe enough can impact sales/brand reputation etc, but they aren’t generally dangerous (but more about that in a moment).
The second category of bug is one that impacts the security of the software and of the device it is installed on. So, as a simple example, an app might ask for a username and password. A bug could exist where if the user enters the correct name but leaves the password blank then the user is granted access. This might sound stupid, but it has actually happened. Now there is a bug which allows unauthorized access to private data. Most security bugs are much more complicated and nuanced than that. But in essence, an error in the program allows a third party to gain access they shouldn’t have. Once these bugs are found they need to be fixed quickly and deployed rapidly to protect users.
Sometimes bugs in the first category, the unexpected behavior bugs, can be manipulated in such a way that they become bugs in the second category.
So, an Android security update is an accumulative group of bug fixes that can be sent over-the-air to Android devices to fix security related bugs.
Why are security patches important?
After a new security patch has been installed on your device you will see absolutely no difference in its functionality whatsoever! It almost seems like the update achieved nothing. But that, of course, is the nature of security bug fixes. You don’t notice them because they patch up holes, often very small holes, in the device’s security.
For example, there could be a vulnerability where if you receive a SMS message in mixed Korean and Russian characters that is exactly 160 characters long, then the clever crafting of the text in the message can trigger a bug which in turn can be used to open a hole in your device’s defenses. I don’t receive many messages like that, so if the bug was found and fixed I would be none the wiser. But here is the thing: when hackers find out about these esoteric bugs, they craft special messages and send them to targetted people with the aim of gaining access to their devices. Those who are targetted are vulnerable to the machinations of these cybercriminals. At your end you see an odd SMS message, frown a little and delete it. But you don’t know that your phone has been compromised.
After a new security patch has been installed on your device you will see absolutely no difference in its functionality whatsoever!
Therefore, security patches are important as they protect your phone from would-be hackers who want access to your device. Just imagine all the data that is on your phone. Forget photos and WhatApps messages. What about Banking? Amazon shopping? eBay? Google Pay? There is a long list of things that would be of interest to a hacker.
Which phones get security updates?
Theoretically, all Android smartphones should get around two years of security updates. However, the reality is often very different. The way it should work is like this: Google fixes a security-related bug in Android. Google posts those changes on AOSP and/or notifies its partners (every OEM which has a Google certified Android device). Google actually does this on a monthly basis. The smartphone makers then incorporate these fixes into their firmware and, if necessary, give a copy to the carriers. The carriers then approve the fixes and finally, the release is sent out to devices over the air.
This works very well on Google’s phones like the Pixel range. It also works well on Android One devices which are basically maintained by Google. It also works well for big brands. For example, the Samsung Galaxy Note 8 was launched in August 2017. I have one and can confirm it has received regular (almost monthly updates). In fact, it has also been upgraded to Android 9.0 Pie.
But, for some midsized brands, updates can be more sporadic, while for smaller brands they are often non-existent! The lack of security updates can be a real problem. It seems that some smartphone makers have a “sell it and forget it” mentality. This means that there are millions of current (less than 2 years old) Android phones in consumers hands that aren’t receiving any security updates, leaving them potentially exposed to all kinds of attacks. On the plus side, Google knows this is a problem and wants to fix it!
Android security best practices
Regardless of how often your device receives security patches, it is worth noting the following Android security best practices:
- Don’t click on links in emails, WhatsApp, Facebook Messenger, or SMS unless you are confident about the source of the link and where it will take you.
- Make sure you keep your apps up to date, including Chrome and other Google apps.
- Use unique passwords: Don’t use the same password across multiple accounts. Doing so is like using the same key to multiple houses: it increases your security risk. If that sounds like too much hassle then use a password manager.
- Protect your accounts with 2-Step Verification: Even if your username and password is stolen having 2-step verification enabled with help keep the attackers out.
- Take the Google Security Checkup: This is easy to do (g.co/securitycheckup) and analyzes your Google Account security status.
What about zero-day vulnerabilities and zero-day exploits?
There is one aspect of Android security that isn’t covered by the monthly security updates. Zero-day vulnerabilities. These are bugs that Google doesn’t know about, but someone else does. They are security bugs that Google has had zero days to try and fix. What happens here is that so-called “security research” companies, or cyber-criminals, try to find bugs in Android and then once found they don’t tell anyone. They become a secret arsenal which can be used for nefarious means.
Since this arsenal is secret and hard to acquire, these zero-day vulnerabilities are highly treasured. They get used in one of two ways. They are either sold to entities with lots of money, like the security forces of a nation-state, or they are used directly by the cybercriminals in a massive attack to try and defraud people of money.
In either case, they can be deadly, literally, as we saw recently with the death of Jamal Khashoggi. Once these zero-day vulnerabilities start to be used publicly (in the wild), then it often isn’t long before Google is able to isolate the problem and issue a patch. Again, highlighting the need to keep your phone up to date with the monthly security patches.
Security, like backups, can be boring. The problem with backups is the most people don’t think about them until after they have lost all their data. Likewise, most people don’t think about security until after their email account has been hacked, or fraudulent charges have been made via their online banking.
There will always be an element of risk, but Android security updates provide a way to reduce that risk while also improving the stability and reliability of your device. Bottom line, whenever your phone says it has an update, install it.