Meltdown, Spectre, and mobile: A reminder that Android security patches exist

The relative success of Android Security Bulletins can get lost in all the “Android OEMs are bad at updates” noise.

Meltdown and Spectre are currently affecting just about everything with a chip, and among various mitigations, we’re going to be doing a lot of patching. Today, I want to look at the mobile angle. (For the desktop virtualization angle, see the Friday Notebook.)

The (correct) conventional knowledge is that Apple is good at patching, and this case continues the trend. They mitigated Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2, all released in early December, and mitigated Spectre yesterday in iOS 11.2.2 and a macOS 10.13.2 supplemental update.

The (mixed) conventional knowledge on Android is that many OEMs aren’t good at pushing out timely OS updates. However, these days Android patching is much better than it used to be, thanks to Google’s monthly Android Security Bulletins. I’ve found that not everybody in the EUC space knows about this program, so consider this to be a PSA for those that may be unaware.

The monthly security bulletins debuted as we know them back in August 2015 at Black Hat, in response to the Stagefright flaw. Of course, these patches still need to be pushed by OEMs and carriers, and your mileage may vary.

Overall, the situation is improving, according to Google’s Android Security Year in Review for 2016 (PDF). (The 2017 numbers should be out soon.) It reports that:

“In the United States, over 78% of active flagship Android devices on the four major mobile network operators reported a security patch level from the last three months. [...] In Europe over 73% of active flagship Android devices on the major mobile network operators reported a security patch level from the last three months.”

Regarding Meltdown and Spectre on Android, Google stated:

On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices. The Android 2018-01-05 Security Patch Level (SPL) includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017. Future Android security updates will include additional mitigations. These changes are part of upstream Linux.

This patch is available for Pixel devices, but again, the timing for other OEMs is varied. For example, over the weekend it became part of Samsung’s January patch, but their patches usually take a few weeks to make it all the way to phones. It’s not yet in LG’s January patch (as of Monday afternoon), but we’ll see if it too gets updated.

Again, for what it’s worth, both Apple and Google have said that they haven’t seen any exploits in the wild, exploiting the flaws should be fairly difficult, and the impact of patches should be minimal. Nevertheless, some EMM admins may be concerned about patching, if not for this incident, then for others to come.

EMM platforms can query Android devices for their patch level or query iOS devices for their OS version, allowing admins to create compliance policies as desired. Actually pushing out patches is somewhat limited, though. Samsung Knox’s recent E-FOTA feature gives complete control, and Apple’s Device Enrollment Program provides the option to push iOS updates, but for other OEMs, there aren’t many options.
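As an added illustration (not code from this article or any EMM vendor), here is how such a compliance policy can be expressed once the EMM exposes each device's Android Security Patch Level (reported by the OS as a YYYY-MM-DD string) or iOS version. The thresholds are the 2018-01-05 SPL and the "last three months" window quoted above; the device inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy thresholds taken from the figures quoted in the article.
MELTDOWN_SPECTRE_SPL = date(2018, 1, 5)   # first SPL with the timer mitigations
MAX_PATCH_AGE_DAYS = 90                   # "patch level from the last three months"
IOS_MIN_VERSION = (11, 2, 2)              # 11.2 had Meltdown fixes, 11.2.2 added Spectre

@dataclass
class Device:
    name: str
    platform: str   # "android" or "ios"
    version: str    # SPL string for Android, OS version string for iOS

def parse_spl(spl: str) -> Optional[date]:
    """Parse an Android SPL; a malformed value is treated as unknown, not compliant."""
    try:
        return date.fromisoformat(spl)
    except ValueError:
        return None

def evaluate(device: Device, today: date) -> str:
    """Classify one device: compliant, missing-mitigation, stale or unknown."""
    if device.platform == "android":
        spl = parse_spl(device.version)
        if spl is None:
            return "unknown"
        if spl < MELTDOWN_SPECTRE_SPL:
            return "missing-mitigation"
        if (today - spl).days > MAX_PATCH_AGE_DAYS:
            return "stale"           # had the fix once, but has since fallen behind
        return "compliant"
    if device.platform == "ios":
        try:
            parts = tuple(int(p) for p in device.version.split("."))
        except ValueError:
            return "unknown"
        return "compliant" if parts >= IOS_MIN_VERSION else "missing-mitigation"
    return "unknown"

def fleet_report(devices, today: date):
    """Return (status counts, percentage of compliant devices) for the whole fleet."""
    counts = {}
    for d in devices:
        status = evaluate(d, today)
        counts[status] = counts.get(status, 0) + 1
    pct = round(100.0 * counts.get("compliant", 0) / len(devices), 1) if devices else 0.0
    return counts, pct

# Constructed sample inventory, not real device data.
INVENTORY = [
    Device("pixel-2", "android", "2018-01-05"),
    Device("galaxy-s8", "android", "2017-12-01"),
    Device("lg-g6", "android", "2017-11-01"),
    Device("bad-report", "android", "n/a"),
    Device("iphone-x", "ios", "11.2.2"),
    Device("ipad", "ios", "11.2"),
]
```

The `stale` state matters because a device that received the January patch and then stopped updating silently drops out of the "last three months" population the Year in Review measures.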

The Android update and patching situation has a long way to go, and many devices, including ones that are only two years old, aren’t getting them. But overall, between the security bulletins, Project Treble, and Android enterprise, the huge task of reining in Android (and making it easier for EMM admins to deal with) is making progress.
