Google Makes Android Security Updates Mandatory

Google Makes Android Security Updates Mandatory

Android OEMs Forced to Provide Updates

Android is great. It’s established a solid reputation when it comes to the wide and varied choices in handsets, reliable hardware, fast charging and a fantastic range of apps. Unfortunately, Android is not that great on all fronts. In fact, when it comes to security updates it’s quite a mess.

The problem with Android updates

There’s no issue with the availability of Android security updates. Even when security patches are rolled out in time, Android device manufacturers often take their time by delivering patches to their customer base. This leaves major parts of the Android ecosystem vulnerable to hackers. To combat this, it is crucial that patches are delivered regularly and on time – which is currently not happening.

What Google is doing about it

In Google’s I/O Developer Conference in May, the company revealed a plan to compel Android device manufacturers to roll out security patches on a regular basis. Later in the year, an unverified copy of Google’s new contract with OEMs was leaked. According to the contract, manufacturers will have to provide regular security updates for popular devices for at least two years. This is defined as all devices that have been launched after 31 January 2018 and have achieved over 100,000 users. The mandate specifies a minimum of four security updates during the first year but fails to specify an amount pertaining to the second year. It also stipulates that patches created for security risks may not be delayed for more than 90 days.

Change is on the horizon

According to a spokesperson from Google, 90 days is a minimum requirement when it comes to security hygiene. It was also stated that the most recently-deployed Android devices are running an update from the last 90 days. Although this ties in with the leaked contract, its authenticity has not been verified. Should it be genuine, the changes made by Google are set to make a profound impact on the state of Android security and be of serious benefit to Android users. In other news, Google has announced a plan to start charging licensing fees to Android OEMs in Europe who want to include Gmail, the Play Store, Maps, Chrome and YouTube on Android handsets.

BleedingBit – Bluetooth Chip Flaws

BleedingBit – Bluetooth Chip Flaws

Security researchers made a worrisome discovery of two major vulnerabilities in chips installed in millions of networking devices and access points around the globe.
Named BleedingBit, the two chip flaws in Bluetooth Low Energy (BLE) chips may allow hackers to run arbitrary code to take complete control of devices that don’t require authentication. This includes point-of-sales and IoT devices and well as critical medical devices such as pacemakers and insulin pumps. The discovery was made by researchers at Armis, an Israel-based security company that was also responsible for recently discovering BlueBorne, a range of Bluetooth-related flaws that affected billions of smartphones, TVs, laptops and watches using Android, Linux, iOS and Windows.

The Flaws

The vulnerabilities unveiled exist in BLE Stack chips manufactured by Texas Instruments and are embedded in a range of their enterprise products, used by companies such as Aruba, Meraki and Cisco. The first flaw affects many of Meraki and Cisco’s Wi-Fi access points. It uses a loophole in how incoming data is analysed by the chips. When excess data is sent to the chip, its memory is corrupted which makes the device vulnerable to malicious code. The second flaw stems from a firmware update done to a feature called Over the Air Firmware Download (OAD). All Aruba access points share the same password to this feature which can easily be obtained by hackers through sniffing a legitimate update or by reverse-engineering the Aruba BLE firmware. A malicious update can then simply be delivered to the access point and full control can be gained.

The Patch

After making the discovery, Armis reported it to all vendors and duly assisted companies with rolling out updates that address the issues. Texas Instruments confirmed the flaws and subsequently released security patches to affected companies. Cisco, Meraki (owned by Cisco) and Aruba released security patches for the hardware and announced that they are not aware of anybody exploiting these vulnerabilities.