Has Google got stagefright regarding OTA Android security updates?

Since Google started the monthly Android security bulletins in September 2015, there have been more than 30 Stagefright-related patches rolled out
Since Google started the monthly Android security bulletins in September 2015, there have been more than 30 Stagefright-related patches rolled out

The latest batch of monthly Android security updates are rolling out now, if you are one of the lucky few whose device gets them of course. The vast majority of the Android ecosystem will be left unprotected against the latest raft of vulnerabilities.

Which begs the question: is Google doing enough to secure Android users?

Of the 19 bugs fixed in this cumulative update, Google considers seven of them to be critical with a further ten rated as a 'high priority' and only two listed as moderate. The most serious of the critical vulnerabilities could allow mail, web, video or SMS attachments to execute remote code on impacted devices.

Steve Ward, senior director at iSIGHT Partners, doesn't necessarily agree with the Google take on vulnerability ratings though. "iSIGHT Partners considers the most recent Android vulnerabilities to be either low or medium risk," he told us, adding: "The number and types of vulnerabilities patched by Google this month are within expected values and consistent with previous patches."

However, the patches addressing CVE-2016-0815 and CVE-2016-0816 which concern the Android mediaserver platform do appear to highlight how Android has been plagued by Stagefright-related vulnerabilities since last summer.

"We surmise that researchers are paying increased attention to Android in recent months due to the high-profile discovery of several vulnerabilities affecting the Stagefright library in mid to late 2015," Ward insists. "We observed a similar increase in attention paid to, and a surge of disclosed and patched vulnerabilities for, OpenSSL following the Heartbleed disclosure in 2014."

The problem is, since Google started the monthly Android security bulletins in September 2015, there have been more than 30 Stagefright-related patches rolled out. Maybe this shouldn't be too surprising given that the security bulletin scheme was started in direct response to the Stagefright problem in the first place.

However, the fact remains that the mediaserver service is not something you want left buggy either, given that as well as having access to audio and video streams it can access privileges that are ordinarily out of reach of third-party apps.

Yet the vast majority of Android devices are running a version of the OS that isn't compatible with the security update system. Even if your device is compatible, that doesn't mean that the manufacturers or network has signed up to distribute the appropriate patches for those particular handsets.

“The old model was that carriers were responsible for shipping updates but thankfully that is slowly going away and vendors are starting to be able to provide updates directly," says Steve Manzuik, director of security research at Duo Security. "Today it's Nexus devices, certain Samsung devices and certain LG devices."

Let's hope others follow soon enough, as Manzuik points out that his service sees 30 percent of Android devices that are not Samsung, LG or Nexus. And that's a huge population of users not getting patches.

The whole update system does, to be frank, appear to remain something of a crock. One SCMagazineUK.com writer, for example, owns the very latest Google Nexus 6P flagship handset running Android Marshmallow. While he does get the security updates, they don't arrive until at least half way through the month which leaves a large open window of threat opportunity for malicious actors to jump through.

Or at least it would were there any evidence that the vulnerabilities being patched had actually been exploited in the wild, and there isn't. This is, however, just luck for the time being.

At some point the exploits will fall through those windows of opportunity. Let's face it, with the state of Android fragmentation in the marketplace the window is not only open but the wall it should be mounted in is non-existent.

So is Google doing enough to protect users from Stagefrightesque vulnerabilities in mediaserver components? Is it doing enough to protect the Android ecosystem more generally speaking, in fact?

"The problems that non-Nexus users face with their Android powered mobile devices continue to be concerning," Tod Beardsley, security research manager at Rapid7 told SC. "Google has implicitly (and occasionally explicitly) dropped support for Android components that are two or more versions behind, and now that Marshmallow (Android 6.0) has been released, that has thrown about 79 percent of all Android devices into this 'current version minus two' state."

However, the fact of the matter is that consumers generally don't buy Android smartphones based on security.

And the problem isn't just restricted to smartphones. This very week, so Beardsley told us, he bought a Fisher Price Smart Toy on clearance for use in an upcoming IoT talk he's giving at SXSW Interactive. This toy runs Android KitKat (version 4.4) and courtesy of the version lock it's almost certainly host to a number of remote code execution bugs and will never see a core operating system update.

"I would like to see a harder push from Google to move developers off of supporting older builds of the operating system," Beardsley says. "Google doesn't make that much money directly from the Android OS, compared to its other businesses, but the downstream app developers do."

Which is a big part of the problem as it's not in the financial interest of those developers to drop support for older versions. "If 35 percent of Android users are on KitKat," he warns, "no developer is going to voluntarily drop support of that base."

It rather blows apart the myth of Linux-based systems being somehow generically more security minded than most. The Nexus device example is a prime one to illustrate this. Yes, owners of Nexus devices get updates faster than most others, but the window between public upstream patches and OTA pushes is still a long one.

"Android is just about the only Linux-based operating system that hasn't benefited from the most recent rounds of multi-vendor disclosure discipline," Beardsley points out. "RedHat, Debian, Ubuntu, CentOS and other major Linux distributions all tend to release patches for major bugs around the same time, but it seems that handset manufacturers and carriers continue to struggle with this."

Steve Manzuik told us that "based on our interactions with the Android team over at Google it is my impression that their goal is to provide a functional and secure mobile operating system to all of their users."

He suggests that Duo's own research shows even if Google were to announce no support for older operating systems that "users still will not upgrade".

As David Kennerley, senior manager for threat research at Webroot, warns, "Getting carriers to deliver the updates has to be Google's problem to fix." At present there is no guarantee of monthly patches ever making it to the end user and that has to change.

"Where Android and Google have a brand to protect," Kennerley concludes, "that concern is not shared by all. Google will have to focus more on making its updates available over-the-air for all flavours of its OS, whatever complexities need to be overcome."