As Stagefright 2.0 emerges, HTC can’t commit to monthly Android patches

In the wake of the Stagefright bug, Google, LG and Samsung vowed to deliver monthly Android security updates, but HTC says the schedule is “unrealistic” due to carriers.

The Stagefright bug, which could be triggered by a malicious media file sent as an MMS to an affected Android device, scared Google, Samsung and LG into promising monthly security updates for Android. Google has now released two patches since August for its own Nexus devices, while LG and Samsung, depending on the carrier, have delivered Stagefright fixes for their flagship devices.

But HTC’s US president Jason Mackenzie said on Twitter over the weekend that monthly security updates for Android are “unrealistic”.

“We will push for them” said Mackenzie, but added that it would be “unrealistic” for any vendor to honestly “guarantee” they would be delivered every month.

His comment suggests he doubts that LG and Samsung can deliver security updates for all their devices every month, despite those vendors’ previous statements.

The problem, he pointed out in the same thread, was that it’s difficult to push updates to devices that require certification by carriers compared with unlocked Android handsets, like Google’s Nexus devices (the Nexus 4, 5, 6, 7 and 9) as well as HTC’s and Samsung’s Google Play Edition handsets.

“Sometimes you won't receive [updates] due to lack of space in [carriers’] labs,” Mackenzie noted. These days HTC ships relatively few handsets compared to LG, Samsung and even newcomers like Huawei and Xiaomi.

Nexus and unlocked devices were a “completely different story”, Mackenzie said in a different thread, noting that if a product required third-party certification HTC could not fully control the update process.

When Google releases updates for Android, handset makers integrate them into their Android builds but then rely on carriers to authorise them and push the update to end users. Updates for Google’s Nexus devices on the other hand come directly from Google.

Telstra’s crowd-sourced support pages indicate that HTC had intended to release an update to address Stagefright for the HTC One M8 in late September. The update has now been delivered to One M7 and One M9 devices on Telstra, but the One M8 update was held back by HTC due to an error with the over-the-air firmware package. A new update is scheduled for testing in October.

HTC is not alone in delaying monthly updates. Huawei, which also hasn’t committed to monthly updates, in late September delayed its Stagefright fixes for two Ascend devices on Telstra’s network, alongside delays to updates for Android devices from both Sony and Telstra.

The incidents show that while Google may be doing its best to lead the way and ensure Nexus devices are patched as soon as possible, security updates for the tens of thousands of other device models remain a challenge that is yet to be solved by Google and the Android ecosystem. British app maker OpenSignals reported earlier this year that there were over 24,000 unique Android device models in use today.
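The patch-level gap the article describes can be measured across a fleet rather than taken on faith from vendor statements. The following is an added example, not code from the article or from any vendor or carrier named in it: it parses `adb shell getprop` output (lines of the form `[name]: [value]`) and flags devices whose `ro.build.version.security_patch` is older than a chosen baseline or than a maximum age. That property was introduced with Android 6.0, so builds that lack it are reported as unknown rather than assumed safe. The device names, fingerprints and dates in the sample are constructed.

```python
"""Audit Android security patch levels from `getprop` dumps (added example)."""
from datetime import date
import re

# getprop prints one property per line as "[name]: [value]".
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample: abbreviated getprop output from three hypothetical devices.
SAMPLE_DEVICES = {
    "unlocked_phone": """[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2015-10-01]
[ro.build.fingerprint]: [example/unlocked/unlocked:6.0/EXAMPLE1/1:user/release-keys]""",
    "carrier_phone": """[ro.build.version.release]: [5.1]
[ro.build.version.security_patch]: [2015-08-01]
[ro.build.fingerprint]: [example/carrier/carrier:5.1/EXAMPLE2/1:user/release-keys]""",
    "legacy_phone": """[ro.build.version.release]: [4.4.4]
[ro.build.fingerprint]: [example/legacy/legacy:4.4.4/EXAMPLE3/1:user/release-keys]""",
}


def parse_getprop(text):
    """Turn a getprop dump into a {name: value} dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def patch_level(props):
    """Return the security patch level as a date, or None when the build
    predates the property (pre-6.0) or the value is not a YYYY-MM-DD date."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def classify(props, minimum, today, max_age_days=90):
    """'current' if the patch level meets the baseline and is fresh enough,
    'behind' if it is older than either bound, 'unknown' if it cannot be read.
    A missing property is deliberately not treated as current."""
    level = patch_level(props)
    if level is None:
        return "unknown"
    if level < minimum or (today - level).days > max_age_days:
        return "behind"
    return "current"


def audit(devices, minimum, today, max_age_days=90):
    """Classify every device dump in `devices` (name -> getprop text)."""
    return {
        name: classify(parse_getprop(dump), minimum, today, max_age_days)
        for name, dump in devices.items()
    }


if __name__ == "__main__":
    # Baseline: require the October 2015 patch level, as of mid October 2015.
    report = audit(SAMPLE_DEVICES, minimum=date(2015, 10, 1), today=date(2015, 10, 15))
    for name, status in sorted(report.items()):
        print(f"{name:16s} {status}")
```

In practice the dumps come from `adb -s <serial> shell getprop` per device; the baseline date is whatever monthly bulletin level the fleet is expected to carry, and the age bound catches devices that were patched once and then stalled, which is exactly the failure mode the carrier certification queue produces.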

One initiative that is aiming to fix the problem of updating devices tied to carriers is the Zimperium Handset Alliance (ZHA).


CSO Australia understands that Telstra, which invested $12 million in Zimperium last year, is one of the major carriers to have signed up to the alliance.

Zimperium, at the August launch of ZHA, outlined the difficulties carriers and handset brands face in trying to deliver security updates from Google’s Android Security Team.

“When the Android Security Team supplies patches to their partners, it’s only the beginning of a long process. Many vendors received the patches we submitted in April, only in June. Some vendors said they didn’t receive the patches at all,” Zimperium said.

Vendors that don’t receive advance notification of security updates are those that operate outside of Google’s Open Handset Alliance (OHA). These include Silent Circle, the maker of the privacy-focussed Blackphone handsets, which, ironically, was one of the first device vendors to ship fixes for Stagefright bugs.

ZHA hopes to be more transparent and better at reporting vulnerabilities to carriers and handset makers than OHA has been.
