CIO

Huawei beats Samsung and all Android rivals on security patching

Samsung may dominate worldwide smartphone sales, but Huawei is doing a far better job of keeping its smartphones secure by one measure.

If you own a Huawei handset that is eligible to receive Google’s latest monthly Android security patches, you’re far more likely to receive the update than owners of an eligible Samsung device, according to a new analysis by security firm Duo Labs.

“Despite Samsung making up 62 percent of the Android devices in our dataset that could receive monthly Android updates, only 15 percent of eligible phones had applied the latest security patch, placing them fifth among the nine OEMs in our sample,” wrote Olabode Anise from Duo Labs’ R&D team.

“In stark contrast, 77 percent of Huawei phones that are able to receive security updates were running the most recent security patch,” he wrote.

The results are somewhat surprising, given Samsung's early commitment to Google's monthly patches and the fact that the Korean electronics giant is by far the biggest Android vendor in the world.

Duo Labs said it compared the share of Android phones that can’t receive Google’s monthly Android security patches with phones that are eligible for the updates but don’t have the latest security patch, and those that can receive them and do actually have them.

However, it didn't explain in the blogpost what it considers as eligible devices, which may influence the results of the analysis.

Google's current distribution figures for different versions of Android show that 77 percent of Android devices that connect to the Google Play app store are running a version of Android that can receive a patch.

Google began providing monthly Android security patches in August and currently builds patches for Android 4.4.4 KitKat through to the current Android 6.0 Lollipop. The 23 percent of devices running on versions below Android 4.4.4 can't receive Google's Android security updates.

On top of this, it’s up to Android handset makers to customise patches for each model while delivery largely depends on carriers. Samsung was the first major Android OEM to join Google’s efforts, announcing in August plans to patch Galaxy S, Galaxy Note and Galaxy A series devices on a monthly basis.

Huawei, which Google contracted to make the Nexus 6P phablet, has never made a similar statement around monthly patching.

At a high level, Duo Labs' analysis indicates that Google's efforts over the past year to nudge Android device makers into patching more regularly have had a limited impact.

According to the security firm, 68 percent of Android devices are eligible to receive Google’s monthly Android security patches, but as of April 30, only a quarter of those handsets had the latest patch.

While Google provides patches for Android, there are currently around 60,000 unique Android models in the wild. Android device makers generally target the most popular devices for patching — such as Samsung’s Galaxy line, and LG’s flagships. Still, the vast majority of models never receive a security or operating system update.

Duo Labs' Anise told CSO Australia in an email that its report included Nexus devices and that it defined eligible phones in line with Google's Android patch support, covering Android 4.4.4 and higher. It excluded phones running versions from 4.4 up to but not including 4.4.4, even though those devices can technically be upgraded to a supported level.
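The measure described in the two methodology paragraphs above (split a fleet into devices below the Android 4.4.4 eligibility floor, eligible devices behind the newest monthly patch level, and eligible devices that are current, then report the current share per OEM) is easy to reproduce against your own device inventory. The code below is an added example and is not Duo Labs' code; the device records, the OEM names in them and the "latest patch level" date are constructed assumptions, since the report's real dataset and fields are not on the page.

```python
"""Reproduce the eligible/behind/current patch-status measure over a device inventory.

Added example, not Duo Labs' code. Assumptions are marked as such below.
"""
from collections import defaultdict

# Eligibility floor stated in the article: Google builds patches for 4.4.4 and up.
MIN_ELIGIBLE = (4, 4, 4)

# Assumed newest monthly Android security patch level at measurement time.
# Android exposes this as ro.build.version.security_patch in YYYY-MM-DD form.
LATEST_PATCH = "2016-04-01"

# Constructed sample inventory: (oem, android_version, security_patch_level or None).
# An MDM export would normally supply these three fields per enrolled device.
FLEET = [
    ("Samsung", "6.0.1", "2016-04-01"),
    ("Samsung", "5.1.1", "2016-02-01"),
    ("Samsung", "5.0.2", "2016-03-01"),
    ("Samsung", "4.4.2", None),         # below 4.4.4: never receives monthly patches
    ("Huawei",  "6.0.1", "2016-04-01"),
    ("Huawei",  "6.0.1", "2016-04-01"),
    ("Huawei",  "5.1.1", "2016-01-01"),
    ("LG",      "4.4.4", "2015-11-01"),  # exactly at the floor: eligible
    ("LG",      "4.1.2", None),
]


def parse_version(version: str) -> tuple:
    """Turn '5.1.1' or '6.0' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version: str, patch_level, latest: str = LATEST_PATCH) -> str:
    """Return 'ineligible', 'eligible_behind' or 'current' for one device."""
    if parse_version(version) < MIN_ELIGIBLE:
        return "ineligible"
    # Patch levels are ISO dates, so a plain string comparison orders them.
    if patch_level is not None and patch_level >= latest:
        return "current"
    return "eligible_behind"


def patch_status_by_oem(fleet, latest: str = LATEST_PATCH) -> dict:
    """Per-OEM counts plus the share of eligible devices on the latest patch."""
    counts = defaultdict(lambda: {"ineligible": 0, "eligible_behind": 0, "current": 0})
    for oem, version, patch in fleet:
        counts[oem][classify(version, patch, latest)] += 1

    result = {}
    for oem, c in counts.items():
        eligible = c["eligible_behind"] + c["current"]
        pct = round(100.0 * c["current"] / eligible, 1) if eligible else None
        result[oem] = {**c, "eligible": eligible, "pct_current": pct}
    return result


def fleet_summary(fleet, latest: str = LATEST_PATCH) -> dict:
    """Fleet-wide view matching the article's headline numbers: share eligible,
    and share of eligible devices that are current."""
    total = len(fleet)
    statuses = [classify(v, p, latest) for _, v, p in fleet]
    eligible = sum(s != "ineligible" for s in statuses)
    current = sum(s == "current" for s in statuses)
    return {
        "devices": total,
        "pct_eligible": round(100.0 * eligible / total, 1) if total else None,
        "pct_eligible_current": round(100.0 * current / eligible, 1) if eligible else None,
    }


if __name__ == "__main__":
    for oem, stats in sorted(patch_status_by_oem(FLEET).items()):
        print(f"{oem:8s} eligible={stats['eligible']} current={stats['current']} "
              f"pct_current={stats['pct_current']}")
    print(fleet_summary(FLEET))
```

The per-OEM percentage is the figure the article quotes (15 percent for Samsung, 77 percent for Huawei): its denominator is eligible devices only, so an OEM that ships many sub-4.4.4 handsets is not penalised for them by this measure, which is worth remembering when reading the numbers.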

And it does appear that Huawei's Nexus 6P influenced Duo Security's results, providing more evidence that Google's patching of Nexus devices is more effective than the patching of devices controlled by Android partners.

"The majority of the Huawei devices that we saw in our dataset were Nexus 6Ps, but the other devices that were eligible were the Ascend Mate 2, ‘Angler’ Nexus, and G7," said Anise.

Google stepped up its patching efforts in mid-2015 after security researcher Joshua Drake reported the first of a series of critical bugs in the Android Stagefright library, which processes media files. Around 95 percent of Android devices were vulnerable to the first Stagefright bugs.

According to a recent Bloomberg report, Google was considering naming and shaming Android partners that don't deliver its security updates to devices. The company's head of Android admitted patching was the weakest link in Android security. Bloomberg sources said Google's discussions about patching were trickier with carriers than handset makers.