Huawei beats Samsung and all Android rivals on security patching

Samsung may dominate worldwide smartphone sales, but Huawei is doing a far better job of keeping its smartphones secure by one measure.

If you own a Huawei handset that is eligible to receive Google’s latest monthly Android security patches, you’re far more likely to receive the update than owners of an eligible Samsung device, according to a new analysis by security firm Duo Labs.

“Despite Samsung making up 62 percent of the Android devices in our dataset that could receive monthly Android updates, only 15 percent of eligible phones had applied the latest security patch, placing them fifth among the nine OEMs in our sample,” wrote Olabode Anise from Duo Labs’ R&D team.

“In stark contrast, 77 percent of Huawei phones that are able to receive security updates were running the most recent security patch,” he wrote.

The results are somewhat surprising, given Samsung's early commitment to Google's monthly patches and the fact the Korean electronics giant is by far the biggest Android vendor in the world.

Duo Labs said it compared three groups: Android phones that can’t receive Google’s monthly Android security patches, phones that are eligible for the updates but don’t have the latest security patch, and phones that are eligible and do have it.

However, it didn't explain in the blog post what it considers to be eligible devices, which may influence the results of the analysis.

Google's current distribution figures for different versions of Android show that 77 percent of Android devices that connect to the Google Play app store are running a version of Android that can receive a patch.

Google began providing monthly Android security patches in August and currently builds patches for Android 4.4.4 KitKat through to the current Android 6.0 Lollipop. The 23 percent of devices running on versions below Android 4.4.4 can't receive Google's Android security updates.

On top of this, it’s up to Android handset makers to customise patches for each model while delivery largely depends on carriers. Samsung was the first major Android OEM to join Google’s efforts, announcing in August plans to patch Galaxy S, Galaxy Note and Galaxy A series devices on a monthly basis.

Huawei, which Google contracted to make the Nexus 6P phablet, has never made a similar statement around monthly patching.

At a high level, Duo Labs' analysis indicates Google’s efforts over the past year to nudge Android device makers into patching more regularly have had a limited impact.

According to the security firm, 68 percent of Android devices are eligible to receive Google’s monthly Android security patches, but as of April 30, only a quarter of those handsets had the latest patch.

While Google provides patches for Android, there are currently around 60,000 unique Android models in the wild. Android device makers generally target the most popular devices for patching — such as Samsung’s Galaxy line, and LG’s flagships. Still, the vast majority of models never receive a security or operating system update.

Duo Labs' Anise told CSO Australia in an email that its report included Nexus devices and that it defined eligible phones in line with Google's Android patch support, covering Android 4.4.4 and higher. It excluded phones running versions from 4.4 up to but not including 4.4.4, even though those devices can technically be upgraded to a supported level.

And it does appear that Huawei's Nexus 6P influenced Duo Security's results, providing more evidence that Google's patching of Nexus devices is more effective than the patching of devices controlled by Android partners.

"The majority of the Huawei devices that we saw in our dataset were Nexus 6Ps, but the other devices that were eligible were the Ascend Mate 2, ‘Angler’ Nexus, and G7," said Anise.

Google stepped up its patching efforts in mid-2015 after security researcher Joshua Drake reported the first of a series of critical bugs in the Android Stagefright library, which processes media files. Around 95 percent of Android devices were vulnerable to the first Stagefright bugs.

According to a recent Bloomberg report, Google was considering naming and shaming Android partners that don't deliver its security updates to devices. The company's head of Android admitted patching was the weakest link in Android security. Bloomberg sources said Google's discussions about patching were trickier with carriers than handset makers.


Stories by Liam Tung
