Google doubles Android update to cope with rash of Qualcomm bugs

Google has released a monster 108 fixes in its Android security update for July, and has even split the update in two due to flaws in the drivers of chips from Qualcomm, MediaTek, and NVIDIA.

The latest update is a little more complicated than others Google has issued since kicking off monthly updates a year ago. Until now, Android owners could tell how up-to-date their phones were by checking ‘About Phone’ in Settings to view the Android Security Patch Level. The screen would display the first day of the month that the patch was issued.

But for July, Google split this month’s update into two security patch levels: one for July 5, 2016 that covers devices with vulnerable drivers from Qualcomm, MediaTek, and NVIDIA and includes general Android fixes; and another for July 1, 2016 that guarantees fixes for Android bugs and may, but need not, fix device-specific bugs.

Google split the update to help Android handset makers fix critical issues faster. Just under three-quarters of the bugs Google fixed were “device specific”, affecting drivers of certain chips that may be used in one model, but not another. The update highlights the so-called fragmentation issues that Android has become known for.

“Devices that use the security patch level of July 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins,” Google explains in its July bulletin.

“Devices that use the July 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use July 1, 2016 security patch level may also include a subset of fixes associated with the July 5, 2016 security patch level.”

The update puts a spotlight on how far Google is from matching Apple’s relatively smooth update process for iPhone owners. One measure of this can be seen in the adoption of the latest versions of iOS and Android; while 10 percent of Android devices run Google's latest version of Android, version 6.0 Marshmallow, 84 percent of iOS devices run Apple’s latest major release, iOS 9. Both were available within a month of each other.

There are two “critical” issues in Google’s July 1 patch level, which include seven distinct flaws affecting Android’s Mediaserver component. Mediaserver bugs have dominated critical bugs in Android since Google began monthly patching. Google has made the component more secure in the next version of Android, Nougat, by restricting system permissions.

The July 5 patch level covers seven “critical” issues spanning 12 vulnerabilities that affect drivers from Qualcomm, MediaTek, and NVIDIA.

The update includes fixes for dozens of high severity bugs in Qualcomm chips for Android devices and follows new evidence that Qualcomm’s implementation of ARM’s hardware security module could be broken to undermine encryption on Android devices.

Copyright © 2016 IDG Communications, Inc.
