2018-04-15

Your Android phone might not have all the security updates it claims to. As reported this week, research from Security Research Labs (SRL) has revealed that the Android Security Patch date a device reports does not always match the patches that are actually installed. So is your phone lying to you?

Like most Android security stories, what's going on here is complex and nuanced. And, like most Android security stories, it has been badly reported by most media outlets, which conflate the few cases where a less reputable manufacturer will just YOLO it and arbitrarily set the patch date ahead with the other explanations for why SRL's method might not find a patch.

SRL describes its method as "two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings." It's important to highlight this upfront, because that is all the information we currently have on the method being used to draw some pretty significant conclusions. Even if the method is perfect, it does not account for patches a given handset simply does not need because the underlying vulnerability does not affect it (a fix in a driver for hardware the phone does not ship with, for instance). Speaking to Wired, SRL's Karsten Nohl claims this is "definitely not a significant number" of the missed patches. However, the firm's own figures for the period studied show very small numbers of missed patches to begin with: between 0 and 3 for manufacturers including Google, Sony, Samsung, Xiaomi, Nokia and OnePlus, a range that a few inapplicable patches could plausibly account for.

For others, like MediaTek, whose chips often end up in white-label devices that are lucky to receive any updates at all, all bets are off.

In its response, Google rightly points out that even with a handful of missing patches, the remaining patches and Android's built-in mitigations make exploiting a single missing fix extremely difficult. That's not to excuse shoddy engineering, or even deliberate corner-cutting. Missing any part of a security patch is bad, and SRL's important research has clearly uncovered some manufacturers being sloppy and, in a few cases (none involving the major Western phone brands), cheaping out and simply advancing the clock. In most of these cases, given how few consumers even know what the Android Security Patch level means, the cause is likely something other than a master plan to mislead consumers while leaving their phones vulnerable. To put it another way, we should hesitate to attribute to malice that which can be adequately explained by stupidity.
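To make concrete what "the patch date reported by a device" actually is, here is a small added example (not code from the article or from SRL's research). The date shown in Settings is the build property ro.build.version.security_patch, a string the manufacturer writes into the firmware; the script below pulls it out of a getprop-style dump and compares it with a reference bulletin date. The dump is a constructed sample embedded in the script so it runs offline; on a real device you would obtain it with adb shell getprop. Passing this check proves only what the device declares, which is exactly why a vendor "advancing the clock" is invisible to it.

```sh
#!/bin/sh
# Added example, not from the article or from SRL's tooling: read the security
# patch level a device declares and compare it with a reference bulletin date.
# The value is the build property ro.build.version.security_patch, which the
# Settings app displays. A constructed getprop dump is embedded so this runs
# offline; on a live device the dump comes from:  adb shell getprop

# Constructed sample, not output from a real device.
SAMPLE_PROPS='[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.product.manufacturer]: [ExampleCorp]'

# prop_value NAME DUMP: print the value of property NAME from a getprop-style
# dump whose lines look like "[key]: [value]".
prop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p"
}

# patch_level_at_least DUMP YYYY-MM-DD: exit 0 when the declared level is on or
# after the reference date, 1 when it is older, 2 when it cannot be parsed.
patch_level_at_least() {
    declared=$(prop_value ro.build.version.security_patch "$1")
    case "$declared" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "missing or malformed patch level: '$declared'" >&2; return 2 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    d=$(printf '%s' "$declared" | sed 's/-//g')
    r=$(printf '%s' "$2" | sed 's/-//g')
    [ "$d" -ge "$r" ]
}

# The declared level is a string the vendor ships in the build: this check
# shows what the device claims, not which patches are actually present.
patch_level_at_least "$SAMPLE_PROPS" 2018-03-01 && echo "declares >= 2018-03-01"
patch_level_at_least "$SAMPLE_PROPS" 2018-04-01 || echo "declares older than 2018-04-01"
```

Verifying that a specific fix is really present means inspecting the affected binaries themselves, which is the reverse-engineering work SRL describes and something no property lookup can replace.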

But let's get back to the testing method itself, because there's one important nugget of info to be found in Google's official response to all this: