Site icon TechNewsBoy.com

Google’s security team says companies need to get better at patching Android

Google is warning that Android smartphone manufacturers need to get better at patching their devices.

In a blog post (opens in new tab) published by Google’s cybersecurity arm, Project Zero, the researchers explain how Android’s biggest strength – the decentralization if its ecosystem – is also its greatest weakness. 

As things stand now, it says the patching process is too slow, too cumbersome, and too divided, leaving consumers at risk of known and relatively easy-to-exploit vulnerabilities.

Decentralization woes

Android, while built by Google, is based on Linux, and it’s essentially an open-source solution, so third-party smartphone manufacturers like Samsung, Oppo, LG, and OnePlus can take ownership of their version of the operating system. 

As a result, when Google releases a patch, it first needs to be analyzed and modified by the manufacturer, before being pushed to the device. This means that Android users may be at risk of being compromised by malware for an extended period.

If that period draws out for too long, and Google releases vulnerability details to the public, that gives cybercriminals a unique opportunity to compromise endpoints without needing to look for new zero-days.

In contrast, Apple offers a closed ecosystem for its devices. The company is in charge of building most of its hardware and software. So, with updates firmly under Apple’s control, whenever the company releases a patch, most endpoints get it fairly quickly.

That’s exactly what happened with CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by many Android devices that TechRadar Pro reported on in November 2022.

As soon as Google concluded its investigation of that zero-day in July 2022, it reported the findings to ARM, who then patched it in August 2022. Thirty days later, Google made its findings public. 

However, all of the test devices that used Mali remained vulnerable to the issues, Google found. “CVE-2022-36449 is not mentioned in any downstream security bulletins,” it said at the time, raising the issue of what it calls the “patch gap”.

“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” the blog post reads. 

“Minimizing the “patch gap” as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”

“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.
Exit mobile version