As Stagefright 2.0 emerges, HTC can’t commit to monthly Android patches

In the wake of the Stagefright bug, Google, LG and Samsung vowed to deliver monthly Android security updates, but HTC says the schedule is “unrealistic” due to carriers.

The Stagefright bug, triggered by a media file sent as an MMS to affected Android devices, scared Google, Samsung and LG into promising monthly security updates for Android. Google has now released two patches since August for its own Nexus devices, while LG and Samsung, depending on the carrier, have delivered Stagefright fixes for their flagship devices.

But HTC’s US president Jason Mackenzie said on Twitter over the weekend that monthly security updates for Android are “unrealistic”.

“We will push for them” said Mackenzie, but added that it would be “unrealistic” for any vendor to honestly “guarantee” they would be delivered every month.

His comment suggests he doubts that LG and Samsung can deliver monthly security updates for all their devices, despite those vendors’ previous statements.

The problem, he pointed out in the same thread, was that it’s difficult to push updates to devices that require certification by carriers compared with unlocked Android handsets, like Google’s Nexus devices (the Nexus 4, 5, 6, 7 and 9) as well as HTC’s and Samsung’s Google Play Edition handsets.

“Sometimes you won't receive [updates] due to lack of space in [carriers’] labs,” Mackenzie noted. These days HTC ships relatively few handsets compared to LG, Samsung and even newcomers like Huawei and Xiaomi.

Nexus and unlocked devices were a “completely different story”, Mackenzie said in a different thread, noting that if a product required third-party certification HTC could not fully control the update process.

When Google releases updates for Android, handset makers integrate them into their Android builds but then rely on carriers to authorise them and push the update to end users. Updates for Google’s Nexus devices on the other hand come directly from Google.

Telstra’s crowd-sourced support pages indicate that HTC had intended to release an update to address Stagefright for the HTC One M8 in late September. The update has now been delivered to One M7 and One M9 devices on Telstra, but the One M8 update was held back by HTC due to an error with the over-the-air firmware package. A new update is scheduled for testing in October.

HTC is not alone in delaying monthly updates. Huawei, which also hasn’t committed to monthly updates, in late September delayed its Stagefright fixes for two Ascend devices on Telstra’s network, alongside delays to updates for Android devices from both Sony and Telstra.

The incidents show that while Google may be doing its best to lead the way and ensure Nexus devices are patched as soon as possible, security updates for tens of thousands of other devices remain a challenge that is yet to be solved by Google and the Android ecosystem. British app maker OpenSignals reported earlier this year that there were over 24,000 unique Android devices in use today.

One initiative that is aiming to fix the problem of updating devices tied to carriers is the Zimperium Handset Alliance (ZHA).

CSO Australia understands that Telstra, which invested $12 million in Zimperium last year, is one of the major carriers to have signed up to the alliance.

Zimperium, at the August launch of ZHA, outlined the difficulties carriers and handset brands face in trying to deliver security updates from Google’s Android Security Team.

“When the Android Security Team supplies patches to their partners, it’s only the beginning of a long process. Many vendors received the patches we submitted in April, only in June. Some vendors said they didn’t receive the patches at all,” Zimperium said.

Vendors that don’t receive advance notification of security updates are those that operate outside of Google’s Open Handset Alliance (OHA). These include Silent Circle, the maker of the privacy-focussed Blackphone handsets, which, ironically, was one of the first device vendors to ship fixes for Stagefright bugs.

ZHA hopes to be more transparent and better at reporting vulnerabilities to carriers and handset makers than OHA has been.
