Google took almost a year to fix known flaw in Android smartphones: researcher

09 Jul 2016

Gal Beniamini, a security researcher, claimed in a blog post last week that 57 per cent of Android smartphones had still not received the monthly security patch released in May, which fixed a vulnerability affecting those devices and their users' privacy.

The post also described weaknesses in Qualcomm's security components and how they could be used to weaken the encryption on Android devices.

TechCrunch reported that the researcher was later rewarded by Google for finding the bug through the company's bug bounty programme. Google added that, while it appreciated the researcher's effort, it had rolled out patches for these Qualcomm-related issues "earlier this year."

However, according to Qualcomm, it had discovered the same vulnerability back in August 2014 and had made its patches available to Google in November 2014 and February 2015. Google should therefore have rolled out the patches itself, instead of taking almost a year to fix the issue.

The researcher, however, has blamed the OEMs instead of Google. "Apparently, even though they fixed the issue internally, OEMs (original equipment manufacturers) did not apply the fix (perhaps they forgot or simply missed it)," he told TechCrunch.

In his report, Beniamini suggested that customers buy only Nexus or Samsung Galaxy devices, since 75 per cent of those smartphones had been patched.

Meanwhile, in July Google issued its largest security update for Android to date: where the June 2016 update patched 40 issues in the mobile operating system, the July update addressed 108 different vulnerabilities, bringing the total for 2016 to 271.

The July update also introduced a new way of structuring patches: two security patch levels, 2016-07-01 for the fixes common to all Android devices and 2016-07-05 for the additional device-specific kernel and driver fixes. Manufacturers can ship the common fixes without waiting on the vendor-specific ones, which accelerates the process and closes vulnerabilities more quickly.
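As an added example (not code from the article, from Google or from the researcher), the following POSIX shell check classifies a device's reported security patch level against the two July 2016 levels. The `adb shell getprop ro.build.version.security_patch` command and property are real; the fallback value used when no device is attached is a constructed sample.

```shell
#!/bin/sh
# Added example: tell whether an Android security patch level string covers
# only the July 2016 framework fixes (2016-07-01), or also the device-specific
# kernel/driver fixes (2016-07-05), or neither.
#
# Patch levels are ISO dates (YYYY-MM-DD), so a plain string comparison
# orders them correctly.

# Prints one of: full | common | missing | invalid
#   full    -> level >= 2016-07-05 (framework + device-specific fixes)
#   common  -> 2016-07-01 <= level <= 2016-07-04 (framework fixes only)
#   missing -> level before July 2016
#   invalid -> not a YYYY-MM-DD string (returns non-zero)
july2016_patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 1 ;;
    esac
    if expr "$level" \> "2016-07-04" >/dev/null; then
        echo "full"
    elif expr "$level" \> "2016-06-30" >/dev/null; then
        echo "common"
    else
        echo "missing"
    fi
}

# Read the level from a connected device (requires adb). When adb is not
# available the constructed sample "2016-07-01" is used so the script still
# runs offline; that value is not from a real device.
device_patch_status() {
    level="$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')"
    [ -n "$level" ] || level="2016-07-01"
    july2016_patch_status "$level"
}

# Usage: device_patch_status
```

A device reporting `2016-07-01` has the framework fixes but may still be missing the Qualcomm driver and kernel fixes that live in the `2016-07-05` level, which is the gap this article is about.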