Speaker(s): Karsten Nohl & Jakob Lell, SRLabs
The Android ecosystem has a long-standing reputation for haphazard security, with regular headline-making bugs. Despite its open source roots, Android security is still a black box for most users. Security patches are poorly understood, and users have to blindly trust their phone vendors to install them.
We find that this trust in the vendor's ability to patch has not always been warranted for all Android vendors.
Using a novel analysis approach, we detect missing Android patches on phones or in firmware files. The analysis compares function signatures against large collections of pre-compiled samples.
Based on measurements from tens of thousands of different phone builds, we quantify and investigate the Android patch gap.