Google warns of security holes in other vendors’ Android phones

And it’s going to keep on doing it…

Graham Cluley
@gcluley

Let’s not beat around the bush – Google is pretty fed up with people believing that the Android ecosystem might not be as secure as it should be.

And it must be particularly galling for those residing in the Googleplex that sometimes these flaws are not present in up-to-date versions of Google’s Pixel smartphone, but in those manufactured by other vendors.

Last week Google revealed it had taken another step to fix the problem, announcing an initiative to “drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners.”

What does that mean?

It means that Google’s Android Partner Vulnerability Initiative (APVI) will be publicising security issues it finds in third-party Android devices, in the hope that they will be fixed more quickly.


APVI only applies to vulnerabilities in code that isn’t serviced or maintained by Google – flaws in Google’s own code continue to be handled by Google’s Android security bulletins.

APVI’s bug tracker has already uncovered a number of third-party vulnerabilities, including:

  • Weaknesses in the password manager built into the Transsion web browser pre-installed on many devices.
  • Insecure backups on Huawei devices.
  • Sideloading vulnerabilities affecting Oppo and Vivo phones.

Google’s plan appears to be to notify vendors before disclosing a flaw, and so far most of the reported flaws appear to have been fixed.

With luck, the threat of having a security vulnerability publicised will encourage more Android smartphone manufacturers to take greater care squashing bugs before they end up in the hands of unsuspecting consumers.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 comments on “Google warns of security holes in other vendors’ Android phones”

  1. What of telcos that refuse to release available updates to force users to update their hardware to more recent devices?

    Unless you unlock the vice grip they have on their firmware releases, this problem will vastly overshadow any minor software updates for fixing bugs.

    Start releasing generic versions so users have choices. Force the telcos to unbundle their forced addons, or alternatively have them on a middle plane that doesn't retard updates to the underlying operating system while retaining their often unwelcome bundleware.

    Bundleware and firmware should be unlinked so users can keep their operating system more current.

    Yes, name and shame.
