
Google’s security team advises businesses to improve their Android patching

Google is advising Android smartphone makers to improve their patching processes.

In a blog post released by Google’s cybersecurity branch, Project Zero, researchers describe how Android’s greatest strength, the decentralisation of its ecosystem, is also its greatest weakness.

According to the report, users are now at risk from known and relatively easy-to-exploit vulnerabilities because the patching process is too slow, too complex, and too fragmented.

Issues with decentralisation

Android was developed by Google, but it is open source and based on Linux, so other companies can release their own customised versions of the OS for use in their smartphones.

Therefore, when Google issues a patch, each manufacturer must first review it and make any necessary adjustments before it can be installed on its devices. This means that Android users may remain exposed to malware for a longer period of time.

If that time frame stretches out too far and Google discloses the vulnerability details publicly, attackers gain a window of opportunity to compromise endpoints without needing to find fresh zero-days.

Apple, on the other hand, runs a more tightly controlled environment for its devices. Most of the company’s hardware and software is built in-house. Because Apple has complete control over the update process, it often takes only a few hours for a fix to reach most endpoints after the company publishes it.

This was the case with CVE-2021-39793, a flaw in the ARM Mali GPU driver used by a wide variety of Android devices.

After Google finished investigating the zero-day vulnerability in July 2022, it informed ARM, which released a fix in August of the same year. After 30 days, Google released its findings to the public.

Google’s testing revealed that every Mali-based device it tested was still vulnerable. At the time, it raised the “patch gap” issue, noting that “CVE-2022-36449 is not referenced in any downstream security bulletins.”

“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” the blog post reads.

“Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”

“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”