Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities

05/22/2019
by   Sadegh Farhang, et al.

In this paper, we perform a comprehensive study of 2,470 patched Android vulnerabilities that we collect from different data sources, such as Android security bulletins, CVEDetails, Qualcomm Code Aurora, the AOSP Git repository, and Linux Patchwork. In our data analysis, we focus on determining the affected layers, OS versions, severity levels, and common weakness enumerations (CWE) associated with the patched vulnerabilities. Further, we assess the timeline of each vulnerability, including its discovery and patch dates. We find that (i) even though the number of patched vulnerabilities changes considerably from month to month, the relative number of patched vulnerabilities for each severity level remains stable over time; (ii) there is a significant delay in patching vulnerabilities that originate from the Linux community or concern Qualcomm components, even though Linux and Qualcomm provide and release their own patches earlier; (iii) different AOSP versions receive security updates for different periods of time; (iv) for 94% of the patched vulnerabilities, the date of disclosure in public datasets is not before the patch release date; (v) there exist inconsistencies among public vulnerability data sources, e.g., some CVE IDs are listed in Android Security bulletins with detailed information, but in CVEDetails they are listed as unknown; and (vi) many patched vulnerabilities for newer Android versions likely also affect older versions that no longer receive security patches because they have reached end-of-life.
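The bookkeeping behind findings (i), (ii), (iv) and (v) is a per-CVE join across sources: the bulletin date and severity from the Android Security Bulletin, the upstream commit date from Linux Patchwork or Code Aurora, and the publish date and summary from CVEDetails. The following Python is an added example, not the authors' analysis code, showing that join over a handful of constructed records; every CVE ID, date, component and summary in it is made up for illustration, and the thresholds (e.g. treating a summary that starts with "Unknown" as an inconsistency) are assumptions of this example.

```python
"""Cross-source timeline and consistency checks over Android patch records.

Added example (not the paper's code). All CVE IDs, dates, components and
summaries below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class BulletinEntry:
    """One row as scraped from an Android Security Bulletin (constructed)."""
    cve: str
    bulletin_date: date                  # month the Android patch level shipped
    severity: str                        # Critical / High / Moderate / Low
    component: str                       # e.g. "Kernel", "Qualcomm", "Framework"
    upstream_patch_date: Optional[date] = None  # Linux/Qualcomm fix date, if the fix came from upstream


@dataclass
class CveDetailsEntry:
    """One row as scraped from CVEDetails (constructed)."""
    cve: str
    publish_date: date
    summary: str


def patch_lag_days(entries: List[BulletinEntry]) -> Dict[str, int]:
    """Days from the upstream (Linux/Qualcomm) fix to the Android bulletin that shipped it.

    AOSP-originated fixes have no upstream date and are skipped (finding ii).
    """
    return {
        e.cve: (e.bulletin_date - e.upstream_patch_date).days
        for e in entries
        if e.upstream_patch_date is not None
    }


def share_disclosed_not_before_patch(entries: List[BulletinEntry],
                                     details: List[CveDetailsEntry]) -> float:
    """Fraction of matched CVEs whose public disclosure date is on or after the patch date (finding iv)."""
    published = {d.cve: d.publish_date for d in details}
    matched = [e for e in entries if e.cve in published]
    if not matched:
        return 0.0
    not_before = sum(1 for e in matched if published[e.cve] >= e.bulletin_date)
    return not_before / len(matched)


def find_inconsistencies(entries: List[BulletinEntry],
                         details: List[CveDetailsEntry]) -> List[str]:
    """CVEs the bulletin describes but CVEDetails lists as unknown or not at all (finding v)."""
    by_cve = {d.cve: d for d in details}
    flagged = []
    for e in entries:
        d = by_cve.get(e.cve)
        if d is None or d.summary.strip().lower().startswith("unknown"):
            flagged.append(e.cve)
    return sorted(flagged)


def severity_share_by_month(entries: List[BulletinEntry]) -> Dict[str, Dict[str, float]]:
    """Relative number of patched CVEs per severity level in each bulletin month (finding i)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in entries:
        counts[e.bulletin_date.strftime("%Y-%m")][e.severity] += 1
    return {
        month: {sev: n / sum(c.values()) for sev, n in c.items()}
        for month, c in counts.items()
    }


# Constructed sample data; none of these CVE IDs are real.
BULLETIN = [
    BulletinEntry("CVE-2019-0001", date(2019, 3, 1), "Critical", "Framework"),
    BulletinEntry("CVE-2019-0002", date(2019, 3, 1), "High", "Kernel", date(2018, 12, 10)),
    BulletinEntry("CVE-2019-0003", date(2019, 3, 1), "High", "Qualcomm", date(2019, 1, 15)),
    BulletinEntry("CVE-2019-0004", date(2019, 4, 1), "Critical", "Media framework"),
    BulletinEntry("CVE-2019-0005", date(2019, 4, 1), "High", "Kernel", date(2019, 2, 20)),
]
CVEDETAILS = [
    CveDetailsEntry("CVE-2019-0001", date(2019, 3, 5), "Remote code execution in ..."),
    CveDetailsEntry("CVE-2019-0002", date(2019, 2, 1), "Use-after-free in ..."),  # public before the bulletin
    CveDetailsEntry("CVE-2019-0003", date(2019, 3, 5), "Buffer overflow in ..."),
    CveDetailsEntry("CVE-2019-0004", date(2019, 4, 3), "Unknown"),                # detailed in bulletin, unknown here
    # CVE-2019-0005 is deliberately absent from the CVEDetails sample.
]

if __name__ == "__main__":
    print("upstream-to-bulletin lag (days):", patch_lag_days(BULLETIN))
    print("share disclosed not before patch:", share_disclosed_not_before_patch(BULLETIN, CVEDETAILS))
    print("bulletin/CVEDetails inconsistencies:", find_inconsistencies(BULLETIN, CVEDETAILS))
    print("severity share by month:", severity_share_by_month(BULLETIN))
```

On the constructed data the kernel and Qualcomm fixes show lags of 40 to 81 days between the upstream commit and the bulletin, 3 of 4 matched CVEs are disclosed no earlier than their patch, and two CVEs are flagged as inconsistent (one marked Unknown, one missing). Real bulletin and CVEDetails pages differ in date granularity (bulletins carry a monthly patch level, CVEDetails a day), so a production version of this join should state which day of the month it assigns to a patch level before comparing dates.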


