Google is Possibly Splitting the Android Security Patch Levels for Faster Security Updates


For a long time in its early history, Android had a reputation for being less secure than iOS because of Apple's "walled garden" approach to applications. Whether or not that past reputation is deserved isn't something that we're going to dive into, but it's clear that Google has made great strides in securing Android against vulnerabilities. Not only is the company providing new security features in the latest version of Android, Android P, but it is also providing ” in its latest devices thanks to a hardware security module in the Google Pixel 2/2 XL. Keeping a device secure also requires continuous updates to patch the latest threats, which is why Google publishes monthly security bulletins for all device makers and vendors to incorporate patches against all known active and potential vulnerabilities. Now, it appears that the company may be making changes to the Android security patch system by providing a way to distinguish between the Android framework patch level and the vendor patch level, along with the bootloader, kernel, etc., either to split the security patch levels so OEMs can provide pure framework updates, or to better identify to the user what patch level they are running.


Monthly Android Security Patches – A Primer

We all know security patches are important, especially after a string of high-profile vulnerabilities were made public in the second half of last year. The  attacked the Bluetooth protocol and was patched in the September 2017 monthly patches, KRACK targets a weakness in Wi-Fi WPA2 and was patched in December 2017, and the Spectre/Meltdown vulnerabilities were mostly fixed with the January 2018 patches. Patching vulnerabilities such as these typically requires cooperation from a hardware vendor (such as Broadcom or Qualcomm) because the vulnerability concerns a hardware component such as the Wi-Fi or Bluetooth chip or the CPU. On the other hand, there are issues in the Android operating system, such as this toast message overlay attack, that only require an update to the Android framework to fix.


Whenever Google rolls out a monthly security patch, device makers are required to fix ALL of the vulnerabilities outlined in that month's security bulletin if they want to say that their device is secure up to that monthly patch level. Each month, there are two security patch levels that a device can meet: the patch level of the 1st of the month or that of the 5th of the month. If a device says it is running a patch level from the 1st of the month (e.g. April 1st rather than April 5th), then the build contains all framework AND vendor patches from the previous month's release plus all framework patches from the newest security bulletin. On the other hand, if a device says it is running a patch level from the 5th of the month (April 5th, for example), then it contains all framework and vendor patches from both last month's and this month's bulletin. Here's a table that shows the basic difference between the monthly patch levels:

Monthly Security Patch Level        April 1st   April 5th
Contains April Framework Patches    Yes         Yes
Contains April Vendor Patches       No          Yes
Contains March Framework Patches    Yes         Yes
Contains March Vendor Patches       Yes         Yes

You're probably familiar with how dismal the security patch situation is in the Android ecosystem. The chart below shows that Google and Essential provide the fastest monthly security patch updates while other companies fall behind. It can take months for an OEM to bring the latest patches to a device, such as how the OnePlus 5 and OnePlus 5T recently received the April security patch when they were previously on December's patch.

[Image] Android Security Patch status as of February 2018. Source: @SecX13

The problem with providing Android security patch updates isn't necessarily that OEMs are lazy; sometimes the delay is out of their control. As mentioned previously, monthly security patch updates often require the cooperation of a hardware vendor, which can cause delays if the vendor is unable to keep up with the monthly security bulletins. To combat this, it appears that Google may begin separating the Android framework security patch level from the vendor patch level (and possibly the bootloader and kernel levels) so that, in the future, OEMs may be able to ship purely Android framework security updates.

Faster Android Security Patch updates for Framework Vulnerabilities?

A new commit has appeared in the Android Open Source Project (AOSP) Gerrit that hints at a "vendor security patch prop" which would be defined in the files whenever a new build for a device is being created. This property will be called "" and will be analogous to "", which currently exists on all Android devices to specify the monthly Android security patch level.

[Image] Android Security Patch

This new property will instead tell us the "VENDOR_SECURITY_PATCH" level of the device, which may or may not match the Android framework security patch level. For instance, a device may be running on the latest April 2018 framework patches along with February 2018 vendor patches. By distinguishing between the two security patch levels, it's possible that Google intends to let OEMs ship the latest Android OS security patches even though vendors haven't provided updated patches for that monthly patch level.

Alternatively, Google may just display the minimum of the two patch levels (alongside possibly the bootloader and kernel patch levels) in order to more accurately show the user what security patch their device is on. We don't yet have confirmation on the intention behind this patch, but we hope to find out more soon.
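To make the two rules above concrete, here is a small model of them, written for this article as an added example; it is not code from the article, from Google or from AOSP. It encodes the primer's table (what a build at the 1st versus the 5th of a month contains) and the "minimum of the two patch levels" idea for a device that reports separate framework and vendor levels. Patch levels are taken as the `YYYY-MM-DD` strings Android reports; the property names that would supply them on a real device are not given in the article, so the functions take the two dates as plain arguments.

```python
"""Model of Android monthly security patch level semantics (added example).

Assumptions (not from the article or AOSP code):
  - a monthly patch level is a 'YYYY-MM-DD' string whose day is 01 or 05;
  - day 01 = this month's framework patches + everything from last month;
  - day 05 = this month's framework AND vendor patches + everything from last month;
  - a device is only as patched as its least-patched component, so the
    effective level is the older of the framework and vendor levels.
"""
from datetime import date


def parse_patch_level(level: str) -> date:
    """Parse 'YYYY-MM-DD'; only the 1st and 5th are valid monthly patch levels."""
    d = date.fromisoformat(level)
    if d.day not in (1, 5):
        raise ValueError(f"{level}: patch levels fall on the 1st or 5th of a month")
    return d


def previous_month(d: date) -> date:
    """First day of the month before d (handles the January -> December wrap)."""
    return date(d.year - 1, 12, 1) if d.month == 1 else date(d.year, d.month - 1, 1)


def bulletin_coverage(level: str) -> dict:
    """Which bulletins' framework and vendor patches a build at `level` contains.

    Returns {'YYYY-MM': {'framework': bool, 'vendor': bool}} for this month and
    last month, following the article's table: this month's vendor patches are
    only included at the 5th-of-the-month level.
    """
    d = parse_patch_level(level)
    prev = previous_month(d)
    this_month = f"{d.year:04d}-{d.month:02d}"
    last_month = f"{prev.year:04d}-{prev.month:02d}"
    return {
        this_month: {"framework": True, "vendor": d.day == 5},
        last_month: {"framework": True, "vendor": True},
    }


def effective_patch_level(framework_level: str, vendor_level: str) -> str:
    """Conservative level to show a user: the older (minimum) of the two."""
    f = parse_patch_level(framework_level)
    v = parse_patch_level(vendor_level)
    return min(f, v).isoformat()


def vendor_lag_months(framework_level: str, vendor_level: str) -> int:
    """How many months the vendor level trails the framework level (0 if it does not)."""
    f = parse_patch_level(framework_level)
    v = parse_patch_level(vendor_level)
    return max(0, (f.year - v.year) * 12 + (f.month - v.month))


if __name__ == "__main__":
    # Constructed inputs matching the article's examples.
    for lvl in ("2018-04-01", "2018-04-05"):
        print(lvl, bulletin_coverage(lvl))
    # April 2018 framework patches with February 2018 vendor patches.
    print(effective_patch_level("2018-04-05", "2018-02-05"))   # 2018-02-05
    print(vendor_lag_months("2018-04-05", "2018-02-05"))       # 2
```

Feeding the model with real values means reading the existing framework patch level property and the new vendor one from the device and passing the two strings in; the article does not name either property, so they are left as inputs here. The `vendor_lag_months` helper is the number a user actually cares about when the displayed level and the vendor level disagree.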

Google Pixel 2 XL on Android P Developer Preview 1 with March 2018 Security Patches

At the very least, this will be helpful for those of us on Project Treble Generic System Images (GSIs) and other AOSP-based custom ROMs. Custom ROMs often provide only framework updates without applying all of the vendor, bootloader, and kernel patches specified in a monthly security bulletin, and the mismatch causes confusion among users: they think they are running the latest patches when in reality their device is only partially patched against the latest monthly security bulletin.

