SnoopSnitch shows Android users what security patches are missing from their phone

Although Android device manufacturers are claiming their devices are completely up to date, researchers found that, for some OEMs, patches are secretly missing.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Researchers found Google, Samsung, and Sony phones to be the most complete in terms of security patches, with TCL and ZTE phones having the most missing patches.
  • Because of the structure of Android, security updates are dependent on device manufacturers, which can make the update process tricky.

Not all Android devices are equal in terms of security. Because of the structure of Android, security updates must be delivered by device manufacturers, and that can cause some delays.

Google provides Android security patches to AOSP once a month, and manufacturers pull from AOSP to integrate those patches into the Android distributions on their devices. These security updates are distinct from Android OS updates, and are listed by "Security patch level" dates, which can generally be found in the "System > About phone" dialog in the Settings menu on Android devices. Though Google publishes updates monthly, device manufacturers often deliver security updates months late.

However, those patch level dates do not paint a complete picture, according to Security Research Labs. Even when a device reports a given patch date, some of the patches distributed by Google may not be integrated in the updates provided by your manufacturer. To check this, Security Research Labs developed SnoopSnitch, which tests the patch state of each vulnerability in a monthly security patch.


By analyzing the results of SnoopSnitch reports, the team at Security Research Labs found that, in the samples available, phones developed by Sony, Samsung, and Wiko have between zero and one missed patch. However, they note that they have few (5-9) samples of Sony and Wiko phones.

Xiaomi, OnePlus, and Nokia were found to have between one and three missed patches, though again there were few samples of Nokia phones. HTC, Huawei, LG, and Motorola had between three and four missed patches, with few HTC samples available. TCL and ZTE were the worst, with more than four missed patches found, though few ZTE samples were available as well. (Results reported were as of April 11th, 2018.)

In particular, the results for Wiko are interesting. Wiko is effectively the French imprint of Shenzhen-based ODM Tinno Mobile, in much the same way that Tinno phones are marketed under the "Blu" brand in North America. While their updates are complete, according to SnoopSnitch, their actual ability to deliver updates is limited, as support lifetimes for Wiko phones are only between 1 and 1.5 years, with no security updates available within a month after publication by Google, according to findings in February by SecurityLab.

There are some limitations to SnoopSnitch as well. Some of the vulnerabilities that the app has the capability to test for can only be verified when testing with root access. Without that, the app returns "Test Inconclusive" for an unverifiable vulnerability.

As an example, testing SnoopSnitch on (my personal) Sony Xperia XZ1, with stock, un-rooted Android 8.0 (Oreo) with the March 1, 2018 security patch level shows 34 patched vulnerabilities and 20 inconclusive vulnerabilities.
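
A sketch of how per-vulnerability test results turn into a "missed patches" count, added here as an example and not SnoopSnitch's own code. The record layout, the placeholder IDs, and the rule that only fixes dated on or before the claimed patch level count as missed are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample results for one device. IDs are placeholders, not real
# CVE numbers, and the record layout is assumed, not SnoopSnitch's format.
CLAIMED_PATCH_LEVEL = date(2018, 3, 1)
RESULTS = [
    {"id": "VULN-A", "bulletin": date(2018, 1, 1), "result": "patched"},
    {"id": "VULN-B", "bulletin": date(2018, 2, 1), "result": "missing"},
    {"id": "VULN-C", "bulletin": date(2018, 2, 1), "result": "inconclusive"},
    {"id": "VULN-D", "bulletin": date(2018, 3, 1), "result": "patched"},
    {"id": "VULN-E", "bulletin": date(2018, 3, 1), "result": "missing"},
    {"id": "VULN-F", "bulletin": date(2018, 4, 1), "result": "missing"},
]
VALID = {"patched", "missing", "inconclusive"}


def patch_gap(claimed, results):
    """Summarise test results against the patch level the device reports."""
    tally, missed = Counter(), []
    for r in results:
        if r["result"] not in VALID:
            raise ValueError(f"unknown result for {r['id']}: {r['result']!r}")
        if r["bulletin"] > claimed:
            # Newer than the claimed level: the device never claimed this fix,
            # so it is ordinary update lag rather than a hidden gap.
            tally["not_claimed"] += 1
            continue
        tally[r["result"]] += 1
        if r["result"] == "missing":
            missed.append(r["id"])
    verified = tally["patched"] + tally["missing"]
    in_scope = verified + tally["inconclusive"]
    return {
        "missed": sorted(missed),
        "patched": tally["patched"],
        "inconclusive": tally["inconclusive"],
        "not_claimed": tally["not_claimed"],
        # Share of in-scope tests that gave a definite answer; a low value
        # means "0 missed" says little (e.g. a run without root access).
        "coverage": verified / in_scope if in_scope else 0.0,
    }


if __name__ == "__main__":
    print(patch_gap(CLAIMED_PATCH_LEVEL, RESULTS))
```

Reporting coverage next to the missed count keeps a device with many inconclusive tests from looking as well patched as one where every test gave a definite answer.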

The researchers will present their findings Friday, April 13, at the HackInTheBox Security Conference.
