The Android ecosystem has a long-standing reputation for haphazard security, with regular headline-making bugs. Despite its open source roots, Android security is still a black box for most users. Security patches are poorly understood, and users have to blindly trust their phone vendors to install them.
We find that this trust is not warranted for many Android vendors, most of which skip at least some patches.
Using a novel analysis approach, we detect missing Android patches on phones or in firmware files. The analysis compares function signatures against large collections of pre-compiled samples.
Our binary-only analysis technique applies to Android and many other domains where patch levels need to be measured without access to source code.
For Android, we find that most vendors forget to include, or deliberately omit, some critical patches in their updated firmware. Based on our analysis of hundreds of phone firmware images, we provide an overview of which sets of bug fixes are missing.
This talk enables you and the larger Android ecosystem to check patch levels and drive a higher level of protection for everyone.