- How Monthly Android Security Patch Updates Work
- What actually makes a security patch?
- The timeline of a security patch from Google to your phone
- What it means to be an Android Partner
- Why do I need to wait so long to receive a security patch on my phone?
- What’s in a security patch?
- What about custom ROMs?
- What are Android Security Patches? Should We Care About Them?
- What does Android Security Patch mean?
- The Status of Security Patch support
- Find the Security Patch version you are running on
- How to get the latest Security Patches
- Conclusion
How Monthly Android Security Patch Updates Work
Google has been publishing monthly security bulletins since August of 2015. These security bulletins contain a list of disclosed security vulnerabilities that have been fixed which affect the Android framework, Linux kernel, and other closed-source vendor components. Every vulnerability in the bulletins was either discovered by Google or disclosed to the company. Every vulnerability listed has a Common Vulnerabilities and Exposures (CVE) number, along with associated references, the type of vulnerability, a severity assessment, and the AOSP version affected (if applicable). But despite the seemingly simplistic process behind how Android security patches work, there’s actually a somewhat complicated back-and-forth behind the scenes that allows for your phone to get monthly or (hopefully) near-monthly patches.
What actually makes a security patch?
You may have noticed that every month, there are actuallyВ twoВ security patch levels. The format of these patches is either YYYY-MM-01 or YYYY-MM-05. While the YYYY and MM obviously represent the year and month respectively, the “01” and “05” confusingly does not actually signify the day of the month in which that security patch level was released. Instead, the 01 and 05 are actually two different security patch levels released on the same day every month – the patch level with 01 at the end contains fixes to the Android framework but not vendor patches or upstream Linux kernel patches. Vendor patches, as we defined above, refer to fixes to closed-source components such as drivers for Wi-Fi and Bluetooth. The security patch level signified by -05 contains these vendor patches as well as patches in the Linux kernel.В Take a look at the table below which may help in understanding.
Monthly Security Patch Level | 2019-04-01 | 2019-04-05 |
---|---|---|
ContainsВ April Framework Patches | Yes | Yes |
Contains April Vendor + Kernel Patches | No | Yes |
Contains March Framework Patches | Yes | Yes |
Contains March Vendor + Kernel Patches | Yes | Yes |
Of course, some OEMs may opt to roll their own patches and updates into security updates as well. Most OEMs have their own take on Android, so it only makes sense that you may have, for example, a vulnerability on a Samsung phone that doesn’t exist on a Huawei. A lot of these OEMs also publish their own security bulletins.
The timeline of a security patch from Google to your phone
Security patches have a timeline roughly spanning about 30 days, though not every OEM can avail of the full length of that timeline. Let’s take a look at the May 2019 security patch for example, and we can break down the entire timeline behind the creation of this patch. Companies like Essential manage to get out their security updatesВ on the same dayВ as the Google Pixel, so how do they do it? The short and simple answer is that they’re an Android partner. The May 2019 security bulletin was published on the 6th of May, with both the Google Pixels and the Essential Phone getting near-immediate updates.
What it means to be an Android Partner
Not just any company can be an Android Partner, though admittedly basically every major Android OEM is. Android Partners are the companies that are granted a license to use the Android branding in marketing material. They are also allowed to ship Google Mobile Services (GMS – refers to pretty much all Google services) so long as they meet the requirements outlined in the Compatibility Definition Document (CDD) and pass the Compatibility Test Suite (CTS), Vendor Test Suite (VTS), Google Test Suite (GTS), and a few other tests. There are distinct differences in the security patch process for companies that aren’t an Android Partner.
- Android framework patches are available to them after being merged into AOSP 1-2 days before the security bulletin is released.
- Upstream Linux kernel patches can be cherry-picked once available.
- Fixes from SoC vendors for closed-source components are available depending on agreements with the SoC vendor. Note that if the vendor has given the OEM access to the source code of the closed-source component(s), then the OEM can fix the issue(s) themselves. If the OEM does not have access to the source code, then they must wait for the vendor to issue a fix.
If you are an Android Partner, you immediately have it a whole lot easier. Android partners are notified of all Android framework issues and Linux kernel issues at least 30 days before the bulletin is made public. Google provides patches for all issues for OEMs to merge and test, though vendor component patches are dependent on the vendor. Patches for the Android framework issues disclosed in the May 2019 security bulletin, for example, were provided to Android partners at least as early as March 20th, 2019*. That’s a lot of extra time.
*Note: Google can, and often does, update the patches for the latest security bulletin all the way until the public release. These updates can happen if new vulnerabilities and bugs have been found, if Google decides to remove certain patches from the monthly bulletin due to it breaking critical components, if Google updates a patch to resolve a bug created by the previous version of the patch, and other reasons.
Why do I need to wait so long to receive a security patch on my phone?
While it’s true that Android Partners (read: all major OEMs) received security patches well in advance of their release, many are painfully aware that they possibly won’t receive a security update for months after its release. This is generally down to one of four reasons.
- OEMs may need to make heavy technical changes in order to accommodate a security patch, as it may conflict with existing code.
- The vendor is slow at providing update source-code for closed-source components.
- Carrier certification may take time.
- Companies may be unwilling to release a security update without also releasing a feature at the same time.
While all of these are valid reasons for a business not to release a security patch, the end-user doesn’t always care about any of those. Admittedly, the end-user doesn’t always care about security patches either, though they should. Initiatives like Project Treble, extended Linux LTS, and Project Mainline are helping to eliminate the technical difficulties of merging these security patches, but it’s not enough to make OEMs consistently strive to put out updates. With a Generic Kernel Image, or GKI, SoC vendors and OEMs will have an easier time merging upstream Linux kernel patches, though we likely won’t see the first devices with GKI until next year.
But an interesting piece of information that most don’t know is that major OEMsВ must provide “at least four security updates” within a year of a device’s launch, and 2 years of updates overall. Google has not confirmed these specific terms, but the company did confirm that they “worked on building security patching into [their] OEM agreements”. As for Android Enterprise Recommended (AER) devices, devices are required to get security updates within 90 days of release for 3 years. Rugged AER devices are required to getВ 5 years of security updates. Android One devices are supposed to get security updates every month for 3 years.
What’s in a security patch?
A security patch is just another update, though generally a lot smaller with changes to individual frameworks and system modules rather than system-wide improvements or changes. Each month, Google provides device OEMs with a zip file that contains patches for all major Android versions currently still supported, along with a security test suite. This test suite helps OEMs catch gaps in security patches, to ensure that they don’t miss anything and that the patches were merged appropriately. As the month goes on, Google may make minor revisions such as deciding that one specific patch is optional, specifically if there are troubles implementing it.
What about custom ROMs?
If your smartphone doesn’t get many security updates, that doesn’t necessarily mean you’re better off switching to a custom ROM. While true that you will get security updates that you would not have gotten otherwise, that’s only half of the story. Unlocking your bootloader leaves you susceptible to physical attacks on your device, even if on the software side, security is hardened. That’s not to say you shouldn’t use custom ROMs, it’s just that there are other concerns when it comes to using them that don’t apply if your bootloader is kept locked. If you’re more worried about the software side of things, then you’re still better off with a custom ROM that gets frequent security patches.
But remember we talked about the difference between YYYY-MM-01 and YYYY-MM-05 patches? The -05 patch level contains Linux kernel patches as well as vendor patches – patches applied to closed-source software. This means custom ROM developers are at the mercy of whatever OEM they’re developing for, and if the OEM releases updated blobs or not. This is fine for devices that are still updated by the manufacturer, but for devices that aren’t, the patches applied can only be applied to the Android framework and the Linux kernel. This is why LineageOS‘ Trust Interface shows two security patch levels – one being platform, the other being vendor. Even though custom ROMs for unsupported devices can’t fully integrate all of the latest patches, they’re going to be more secure than the older, outdated ROM.
Источник
What are Android Security Patches? Should We Care About Them?
You must be receiving security patches from Google or your phone’s OEM via OTA updates on your device. Do you know what Android Security patches are, what do they mean and why are they important? In this article, we’ll take a detailed look at the Android security patches and explain what they have to offer.
Android has been focusing on security since day one. It is built on top of the Linux kernel and makes use of several of its strong security mechanisms. The whole operating system framework is developed following strict rules. These make it possible to provide full isolation between the operating system kernel, system processes and libraries, and Java Apps. Every new Android version uses a kernel in sync with the official (upstream) Linux kernel and defects found in the framework in previous releases are addressed by Google engineers.
Early in Android’s development process, it became apparent that security enhancements were usually coming late. During the annual release cycle of the Operating System, a big number of security defects were found. However, no fix would come until the next Android release. Most of the time, fixes were only made available on the next Android version and devices should be upgraded to be safe. Even if fixes were also applied to earlier versions of the Operating System, most manufacturers would not create Over The Air (OTA) updates for non-flagship devices to provide these fixes: The cost of such a task was just very high.
Google tried to come up with a solution to this issue: Since 2015, Google has been releasing monthly security bulletins. These include information about newly found security defects and links to the patches that address them (known in the community as security patches). Although Google usually splits these patches into several groups in their bulletins, they can be generally categorized as kernel patches – targeting the kernel versions currently officially supported by Android – and system patches – which fix issues affecting the rest of the Android stack. Patches for security defects are available around one month after the vulnerability is exposed, with the next bulletin.
What does Android Security Patch mean?
Google’s security patches cover Remote Code Execution, Elevation of Privilege, Information Disclosure and Denial of Service vulnerabilities. These types of vulnerabilities allow a possible attacker to gain special access on a device without the user’s input. For example, a malware app would need to be installed first and then opened by the victim in order to steal information or charge the user’s account. Do not forget to read my exhaustive article about malware on Android. On the other hand, an attack through Remote Code Execution could happen without the user even noticing it. Users are not able to do anything to protect their devices from the types of security vulnerabilities discussed above, except running an Android version with the latest security patches.
In general, running an Android with the latest security patches provides protection from attacks that can steal personal information (including passwords, bank accounts data and phone numbers), cause damage to the software of a device, and spy on the victim (through location tracking, voice recording, etc).
The Status of Security Patch support
One could find the above security vulnerability management very interesting. However, while the code available on Google’s code repositories is constantly updated with the latest security patches, it is still up to the manufacturer to implement these on their current (through OTA Updates) and future devices. This is considered difficult to achieve because most manufacturers do not have the human resources needed to complete this task. Moreover, versions of Android shipped with most devices are heavily customized by the manufacturer to add special features. Applying Google’s patches on top of these special Android builds might require extra modifications to the code.
Apart from the above, some security vulnerabilities affect proprietary code traditionally released by the System-On-Chip (SoC) distributors (eg Qualcomm, MediaTek). Only they would be able to fix these issues. Most of the time, these issues remain unaddressed on older hardware.
It becomes clear that, while Google does its best to provide easy solutions to most of the security vulnerabilities of its Operating System, the huge number of devices running Android and its great variation in hardware characteristics make it difficult to apply security fixes to all of them.
Find the Security Patch version you are running on
You can find what version of security patches your Android (6.x +) is patched with, by going to Settings and then About Phone. There, you should find a Text-view named Android security patch level. Google provides two types of security patch levels each month. One, on the first day of the month (e.g. September 1) and the other one on the fifth (e.g. September 5). The patch level of the first day of the month covers security issues addressed in that month’s bulletin, while the patch level of the fifth day covers all security issues addressed so far.
If you feel that your phone is lagging or running slow, you must read our tips to speed up lagging Android devices. Moreover, these Android RAM management tips would also help you tweak your phone for the best possible performance.
How to get the latest Security Patches
Unless you are a developer yourself, you have to rely on other developers or manufacturers to get security patches. Most manufacturers usually have a common code repository for each Android version, for all their supported devices. This means that budget and high-end devices could share code. In the end, though, only high-end devices will get any security patches due to reasons discussed before. So, if you want to always run the latest security patch level, you can either buy a high-end device from a manufacturer known to provide OTA updates often or buy any device that has a custom ROM available for active development. Most big names in the custom ROM space, like LineageOS and OmniRom, tend to apply security patches some days after their release by Google.
You should also keep in mind that, kernel patches are applied to devices differently on custom ROMs. Usually, each device (or devices running on the same SoC) has its own kernel code. It is the device maintainer’s responsibility to apply the kernel patches. While you can rest assured you will get the latest patches on the next update, your kernel might still be exposed to risk if it is not under active development. Most custom ROMs have strict rules for this scenario. A device that sports an unmaintained kernel for quite long is removed from the ‘official devices’ list.
Conclusion
To sum everything up, there are two ways to always run the latest Security Patches on your device:
- Get a high-end device from a manufacturer that has established a good name on OTA updates
- Get a device with custom ROM support, which also enjoys a big community of users and developers.
The second solution seems the best since most custom ROM distributions provide monthly updates. This is more often than most manufacturers on stock ROMs.
That is all you should know about Android’s Security Patches. If your current device is not capable of getting the latest Security Patches, you should definitely have Security Patches support in mind when buying your next device.
Источник