Author: Thom Holwerda
One of the interesting and odd things Google does is roast itself (and others) over security issues. In this year’s Year in Review of 0-days exploited in-the-wild, Google took particular aim at the Android ecosystem for being so bad at getting patches on users’ devices that Android doesn’t even need 0-days to be exploited in the first place.

These gaps between upstream vendors and downstream manufacturers allow n-days – vulnerabilities that are publicly known – to function as 0-days because no patch is readily available to the user and their only defense is to stop using the device. While these gaps exist in most upstream/downstream relationships, they are more prevalent and longer in Android. This is a great case for attackers. Attackers can use the known n-day bug, but have it operationally function as a 0-day since it will work on all affected devices.

The Android update problems are not just limited to devices not receiving updates to new major Android versions – it also extends to the monthly Android security patches that somehow need to make it to users’ devices. My Galaxy S21 has been getting these updates consistently, sometimes even before Pixel devices get them, but many, many devices never get these at all, or only sporadically. The Android update problem is by far the biggest problem in the Android ecosystem, and despite Google and OEMs promising to do better every year, we’re still far, far from where we should be.
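The patch gap the post describes can be measured on a fleet rather than argued about: every Android device exposes its monthly security patch level as the system property `ro.build.version.security_patch` (readable with `adb shell getprop`, or from `Build.VERSION.SECURITY_PATCH` in an app). The script below is an added example, not part of the original post or of Google's report: it takes a constructed inventory of device labels and patch levels, computes how far each device lags a reference date, and lists which devices still sit below the patch level that fixed a given (hypothetical) n-day, which is exactly the population for which that n-day behaves like a 0-day.

```python
from datetime import date, datetime

# Constructed sample inventory: (device label, value of ro.build.version.security_patch).
# In practice these values come from `adb shell getprop ro.build.version.security_patch`
# or an MDM export; the labels and dates here are made up for the example.
INVENTORY = [
    ("pixel-lab-01", "2023-07-05"),
    ("galaxy-s21-ops", "2023-07-01"),
    ("budget-tablet-3", "2022-11-05"),
    ("kiosk-phone-7", "2021-09-01"),
]


def parse_patch_level(value: str) -> date:
    """Android security patch levels are ISO dates (YYYY-MM-DD), e.g. 2023-07-05."""
    return datetime.strptime(value, "%Y-%m-%d").date()


def patch_gap_days(patch_level: str, reference: date) -> int:
    """Days between the device's declared patch level and the reference date."""
    return (reference - parse_patch_level(patch_level)).days


def stale_devices(inventory, reference: date, max_gap_days: int = 90):
    """Devices whose patch level is older than max_gap_days as of the reference date.

    Returns (label, gap_in_days) pairs, worst first.
    """
    stale = [
        (label, patch_gap_days(level, reference))
        for label, level in inventory
        if patch_gap_days(level, reference) > max_gap_days
    ]
    return sorted(stale, key=lambda item: item[1], reverse=True)


def exposed_to(inventory, fix_patch_level: str):
    """Devices still below the patch level that shipped a fix for a known (n-day) bug.

    fix_patch_level is the bulletin month that contained the fix; any device whose
    declared level predates it has no patch available and is effectively facing a 0-day.
    """
    fixed_on = parse_patch_level(fix_patch_level)
    return [label for label, level in inventory if parse_patch_level(level) < fixed_on]


def report(inventory, reference: date, fix_patch_level: str, max_gap_days: int = 90) -> str:
    """Human-readable summary of the two checks above."""
    lines = [f"Reference date: {reference.isoformat()}"]
    for label, gap in stale_devices(inventory, reference, max_gap_days):
        lines.append(f"  STALE   {label:<16} {gap:>4} days behind")
    for label in exposed_to(inventory, fix_patch_level):
        lines.append(f"  EXPOSED {label:<16} below fix level {fix_patch_level}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical fix month for some publicly known bug; constructed for the example.
    print(report(INVENTORY, date(2023, 8, 1), fix_patch_level="2023-03-05"))
```

The two checks answer different questions: `stale_devices` is the generic "how far behind is this device" metric, while `exposed_to` is the one that matters once a specific bulletin fix is public, because every device it lists is one where the n-day still works.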