1. Invictus0
    GOOGLE HAS LONG struggled with how best to get dozens of Android smartphone manufacturers—and hundreds of carriers—to regularly push out security-focused software updates. But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle: Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches.

    On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.
    https://www.wired.com/story/android-...dates-from-you

    Has anyone run the app on a BB Android device?
    04-12-18 02:08 PM
  2. conite
    https://www.wired.com/story/android-...dates-from-you

    Has anyone run the app on a BB Android device?
    Yup.

    KEYᵒⁿᵉ has "missed" 2 of 197 patches, and DTEK60 has "missed" 5 of 212 patches (and you had to go back over a year to find a miss).

    Without further explanation, I'm not sure how valuable this is.

    Was the vulnerability patched in a subsequent update anyway? Was BlackBerry Android vulnerable in the first place? Was there some extenuating circumstance? How does the app assess compliance? Etc, etc.
    04-12-18 02:26 PM
  3. Ment
    Might have been the PRIV, but I remember BB saying that one patch didn't apply to them due to their own implementation of Android.
    04-12-18 02:33 PM
  4. Invictus0
    Yup.

    KEYᵒⁿᵉ has "missed" 2 of 197 patches, and DTEK60 has "missed" 5 of 212 patches (and you had to go back over a year to find a miss).

    Without further explanation, I'm not sure how valuable this is.

    Was the vulnerability patched in a subsequent update anyway? Was BlackBerry Android vulnerable in the first place? Was there some extenuating circumstance? How does the app assess compliance? Etc, etc.
    My understanding of the issue is that if a device missed an update (i.e., the November 2017 KRACK fix) and KRACK wasn't fixed or mitigated in a subsequent update then that device would still be vulnerable despite the patch level implying otherwise.

    OEM-specific modifications do complicate the issue; I don't envy security-conscious users and IT admins who need to figure this out.

    Might have been the PRIV, but I remember BB saying that one patch didn't apply to them due to their own implementation of Android.
    You might be thinking of QuadRooter. IIRC, BB Android wasn't vulnerable and it had mitigations in place, but I think BlackBerry pushed the patch out anyway.
    04-12-18 02:39 PM
  5. conite
    My understanding of the issue is that if a device missed an update (i.e., the November 2017 KRACK fix) and KRACK wasn't fixed or mitigated in a subsequent update then that device would still be vulnerable despite the patch level implying otherwise.

    OEM-specific modifications do complicate the issue; I don't envy security-conscious users and IT admins who need to figure this out.
    But if a fix for a subsequent vulnerability is the replacement of the same affected system file, it would likely take care of the first vulnerability too.

    Anyway, there are too many questions, and we'll never know enough to answer them.
    04-12-18 02:41 PM
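An added example, not from the thread or from the app the posters ran: a small Python classifier that sorts per-patch binary test results into the buckets mentioned above (patched, missing, after claimed, not affected) and, following conite's point, tags a missing fix whose system file was later replaced by another applied fix as only possibly superseded rather than missing, since only the OEM can confirm the newer file carries the older fix. The patch ids, component names and test results are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class PatchCheck:
    pid: str           # constructed placeholder id, not a real CVE number
    bulletin: date     # month of the Android security bulletin the fix belongs to
    component: str     # system file or library the fix replaces
    affected: bool     # does this OEM build contain the vulnerable code at all?
    fix_present: bool  # did the binary test find the fixed code on the device?

BUCKETS = ("patched", "missing", "possibly_superseded", "after_claimed", "not_affected")

def classify(checks, claimed_level):
    """Bucket each check for a device whose ro.build.version.security_patch is claimed_level."""
    level = date.fromisoformat(claimed_level)
    # Newest bulletin whose fix is actually present, per replaced component.
    latest_fix = {}
    for c in checks:
        if c.affected and c.fix_present:
            latest_fix[c.component] = max(c.bulletin, latest_fix.get(c.component, c.bulletin))
    report = {k: [] for k in BUCKETS}
    for c in checks:
        if not c.affected:
            bucket = "not_affected"          # e.g. hardware the device lacks
        elif c.bulletin > level:
            bucket = "after_claimed"         # vendor never claimed it, so not a miss
        elif c.fix_present:
            bucket = "patched"
        elif latest_fix.get(c.component, c.bulletin) > c.bulletin:
            bucket = "possibly_superseded"   # same file swapped by a later fix
        else:
            bucket = "missing"               # claimed by the patch level, not found
        report[bucket].append(c.pid)
    return report

def patch_gap(checks, claimed_level):
    """Return (naive_missed, missed_after_supersede_check, claimed_total) like 'N of M missed'."""
    r = classify(checks, claimed_level)
    claimed_total = len(r["patched"]) + len(r["missing"]) + len(r["possibly_superseded"])
    naive = len(r["missing"]) + len(r["possibly_superseded"])
    return naive, len(r["missing"]), claimed_total

# Constructed results for one device reporting patch level 2018-03-05.
SAMPLE_CHECKS = [
    PatchCheck("EXAMPLE-0001", date(2017, 11, 6), "wpa_supplicant", True, False),
    PatchCheck("EXAMPLE-0002", date(2017, 8, 5), "libstagefright.so", True, False),
    PatchCheck("EXAMPLE-0003", date(2018, 1, 5), "libstagefright.so", True, True),
    PatchCheck("EXAMPLE-0004", date(2017, 6, 5), "fingerprintd", False, False),
    PatchCheck("EXAMPLE-0005", date(2018, 4, 5), "kernel", True, False),
    PatchCheck("EXAMPLE-0006", date(2018, 2, 5), "mediaserver", True, True),
]
```

Running `patch_gap(SAMPLE_CHECKS, "2018-03-05")` gives 2 of 4 missed by the naive count but only 1 of 4 once the superseded file swap is set aside, which is the ambiguity the posters are arguing about.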
  6. Invictus0
    But if a fix for a subsequent vulnerability is the replacement of the same affected system file, it would likely take care of the first vulnerability too.
    Agreed but unless an OEM is transparent about it there isn't really an easy way to find out.

    I do wonder how this will impact Android's adoption in enterprise markets, especially those that have specific security requirements.
    04-12-18 02:47 PM
  7. EskeRahn
    ...And with the newest version 2.0.5 they seem to have corrected/removed some tests, so now we no longer have any 'missing' on the BB Priv... see e.g.
    [screenshot attached: screenshot_20180426-001128.jpg]
    (earlier they claimed 146 patched, 4 missing and 13 after claimed... where at least one of the four should have been in "Not affected", as it was on fingerprint scan...)
    04-26-18 06:46 AM