Qualcomm: We Told Google About Android Encryption Flaw Over A Year Ago

Last week, researcher Gal Beniamini uncovered a flaw in the full disk encryption scheme of Google’s Android mobile operating system. Basically, such flaw made Android powered devices vulnerable to decryption. When news of this flaw broke out, it appeared to be some sort of a groundbreaking discovery. But it turned out that Qualcomm had told Google about the vulnerabilities back in November of 2014 and February of 2015. Google had only deployed fixes for the vulnerabilities in January and May earlier this year, which means that the tech giant may have been already aware of the issue for about a year or so before releasing patches for the problem.

The patches were issued by Google right around the time when the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) revealed that they were conducting parallel investigations into the frequency in which Google and other mobile manufacturers deploy security updates. According to the FCC, the investigations came to be because of the Stagefright bug that affected Android mobile users at that time.

So how come it took Google more than a year to issue a patch for the encryption flaw? It mainly has something to do with the nature of Android. As an open source mobile OS, the Android platform is being used by a ridiculously wide range of phone makers, wireless carriers, and mobile app developers, each of them adding their adjustments and tweaks to the system. The fact of the matter is: Google almost has no control with regards to how its Android OS will ultimately end up on users’ devices. 

What happened was that even though Google had already issued a patch by January and May this year, some original equipment manufacturers (OEMs) have not quite managed to deploy the fixes at their end. It is also quite possible that the Android folks just did not fully realize how the vulnerabilities could be exploited by hackers in the Android environment, that is, until Beniamini demonstrated how it could be done. And with the platform being used by an ocean of different devices of various makes and models, you can just imagine how daunting the task of deploying a quick fix would be.

Still, the Android team is constantly working to try to fix everything in any way it can, including working more closely with its OEM partners. Just this week, Google revealed a series of updates for Nexus handsets that specifically tackle certain security issues across several OEMs.