Naked Security

Patch Android now! April update fixes three critical flaws

Android’s April update includes two critical CVE-level patches among a total of 11 affecting handsets running versions 7, 8, and 9.

Android’s April update just landed and this month the headline story is two critical CVE-level patches among a total of 11 affecting anyone with handsets running versions 7, 8, and 9.

The good news is that as far as Google knows, none of this month’s flaws are being exploited. That could change, of course, which is why getting the updates should be a priority as soon as they become available from this week.

The first two criticals are identified as CVE-2019-2027 and CVE-2019-2028, affecting all versions 7.x, 8.x, and 9.0 of the core AOSP, the part of the OS that is universal to anything running Android.

Both are Remote Code Execution (RCE) vulnerabilities in the oft-patched media framework, either of which could allow an attacker to “execute arbitrary code within the context of a privileged process.”

The final critical bug is CVE-2019-2029, another RCE affecting all versions from 7.x and up that will be shipped to users on the 2019-04-05 patch level (see below for an explanation of what that means).

The other eight AOSP flaws are all marked high priority, including six elevation of privilege (EoP) flaws and three information disclosure flaws.

Qualcomm

As usual, Qualcomm gets a small blizzard of fixes, 30 of which are in open-source components and another 44 in proprietary software. The first group includes one critical along with others rated high. The second includes six criticals with the rest marked high priority.

This is what’s good about Android’s now-monthly patch update – users applying it are fixing a lot of important security problems that might once have lingered for months or years.

Android’s confusing patching system

Assuming you’re running Android 7 or later, the latest update will appear as either ‘1 April 2019’ or ‘5 April 2019’ in Settings > About phone > Android security patch level.

Although the patches were announced this week, when they become available to download depends on which Android handset you own.

If it’s one of Google’s Pixel smartphones, the patches should be available almost immediately. For other vendors, it could take from weeks to a month or two.

For example, a handset I use for testing runs Android 8.1 but as of April 2019, its patch level is still set to 1 December 2018. Because vendors now have the job of offering updates, this isn’t Google’s doing.

What’s the difference between the two patch dates?

If your device’s security patch level is set to the first day of the month (i.e. 1 April), that means you have the Android updates up to that month but the vendor updates only up to the previous month (i.e. March).

If you’re lucky enough to see the fifth day of the month (5 April), that means you have updates from both Google and the device maker.

From a security perspective, being on the first of these tracks isn’t as much of a disadvantage as it sounds, because the most valuable flaws attackers look for are always the ones that apply to all handsets, not simply those from a specific vendor. The important thing is to receive the updates as frequently, and as soon, as possible.
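The two-track convention above is easy to apply to a fleet rather than a single phone. The following is an added example, not code from the article: it reads the patch level in the ISO form that devices expose via the build property ro.build.version.security_patch (the Settings screen shows the same date as ‘1 April 2019’), classifies the track from the day of the month, and reports how many months behind a reference date each device is. Device serials and the inventory list are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Day 01 = Google/AOSP fixes for that month, vendor fixes only up to the
# previous month; day 05 = both Google and vendor fixes for that month.
TRACKS = {1: "google-only", 5: "google+vendor"}


@dataclass
class PatchStatus:
    serial: str
    level: date
    track: str          # "google-only", "google+vendor" or "unknown"
    months_behind: int  # whole calendar months between level and reference


def months_between(older: date, newer: date) -> int:
    """Whole calendar months from older to newer (negative if older is later)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def classify_patch_level(serial: str, level_str: str, reference: date) -> PatchStatus:
    """Parse a YYYY-MM-DD patch level and classify its track and staleness."""
    level = date.fromisoformat(level_str)
    # Any day other than 01 or 05 is not a documented patch-level date;
    # flag it for a human rather than guessing which fixes are present.
    track = TRACKS.get(level.day, "unknown")
    return PatchStatus(serial, level, track, months_between(level, reference))


def stale_devices(inventory, reference: date, max_months_behind: int):
    """Return devices more than max_months_behind months old, oldest first."""
    statuses = [classify_patch_level(s, lvl, reference) for s, lvl in inventory]
    stale = [st for st in statuses if st.months_behind > max_months_behind]
    return sorted(stale, key=lambda st: st.level)


# Constructed sample inventory; serials are placeholders, the patch levels
# mirror the dates mentioned in the article and its comments.
SAMPLE_INVENTORY = [
    ("pixel-01", "2019-04-05"),
    ("test-handset", "2018-12-01"),
    ("moto-x", "2017-10-01"),
]

if __name__ == "__main__":
    for st in stale_devices(SAMPLE_INVENTORY, date(2019, 4, 8), 1):
        print(f"{st.serial}: {st.level} ({st.track}), {st.months_behind} months behind")
```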

16 Comments

Whatever PATCH they did, my phone has LOST important contacts, switched contacts, lost messages etc HELP PLEASE

Reply

Same, as well as having to re organize several thousand pictures. Reorganizing and tracking down old work has made for a hell of a day.

Reply

So, OK, we need to install patches in order to be “safe”. I note that I’m showing an Android Security Patch Level date 1 October 2107 on a Motorola X Pure Edition. Methinks that 1) the vendors don’t give a fig for older phones, 2) the carriers don’t either, 3) you do not provide any indication of where to get the patches or methods of installation (i.e. sideload the things) or find the things on Google Store. Much FUD.

Reply

As long as your phone is at least Android 7.x, you should receive an update to a more recent patch level at some point.

Reply

“Should receive” the update? None received since Oct 2017. Any update, whether Security or OS, is quite unlikely unless you are using a Google-developed phone, i.e. a Nexus or Pixel. Motorola aka Lenovo abandons their customers as soon as they can. The point being that unless one has the latest and greatest hardware, you are on your own and it will not be likely that you will find your hardware being supported during its life of use.

Reply

You didn’t say which version of Android you’re running – version 7.0 is the oldest for which Google mandates updates. I know for a fact that Motorola phones from the G5 generation (2017) onward have been receiving updates, so perhaps there is another problem with your handset.

Reply

And with this update I don’t get message notifications like before; I have to physically hit an icon on the lock screen to see my SMS, whereas before it would show me the message directly there.

Anyone have a fix for that? I hate when they change everything that’s worked properly.

Reply

The patch information details are highly important for the perfect running and overall safety of the device and I’m grateful to have been made more aware of exactly what these patches contain.

Reply

How in the world do we patch devices like my 2013 nexus 7? Its still used daily for web browsing and games, but the security updates stopped a LONG time ago. I don’t want to have my email address associated with something unpatched. Would rooting even help?

Reply

You could try an alternative version of Android. There are still some mainstream ROMs (alternative firmware builds) available for the Nexus 7 2013. If you haven’t looked at LineageOS, that would be a good place to start.

The Google-branded Nexus devices can all be “firmware unlocked”, meaning that you are free to install your own firmware without using any tricks or hacks and without needing to root your device first. Once you’ve reflashed you can re-lock the firmware to prevent unexpected modification until you next choose to reflash. It’s a bit of a science project but not too difficult.

You could even build your own Android distro directly from AOSP, the Android Open Source Project – the good news is that you get no bloatware. The bad news is you don’t get much at all – not even Google Play, which you have to acquire separately (try searching for a project called OpenGapps) before you can download apps from the mothership. Otherwise you have to get all your apps “off market”, which doesn’t inevitably end in malware but does need a good dose of caution.

Of course, there are roundabouts and swings here. Freeing yourself from a long unpatched Android build is a step up in security, and lets you enjoy your Google device again even though it has long been disowned by Google.

But replacing Google’s clapped out old Android version with an enthusiast’s ROM image could be a step down in security.

Even if the person who “cooked” the replacement ROM (and there is a very lively and helpful Android ROM cooking scene) is well-known and generally trustworthy, they may have had to cut all sorts of corners to get their unofficial build to work reliably. They’ll often document any known corner-cutting and missing features quite clearly (e.g. “must disable boot checks and forced encryption, Bluetooth not working”), but who knows what problems they haven’t spotted yet?

If your old Nexus isn’t a critical device in your online life – i.e. you’d still be able to work if it broke, and you’re willing to invest a good number of hobbyist hours trying out new firmware builds, each time with a very small chance of “bricking” it so it will neither boot up nor let you reflash it – then I strongly recommend playing with alternative ROMs. You will find it time well wasted!

Reply

“time well wasted”: could be my new favorite phrase! It certainly describes a large chunk of my life. Thanks for that!

Reply

Since the update my calendar does not show dates or events. My texts will show up, but when I try to hold down on a text to populate the screen to forward the message, it brings up a big blank box… there’s nothing there. Have tried restarting and still the same. Starting to see other issues as well with my G8. How do I fix these issues?

Reply

Since this current update, my voicemail calls me and when I answer, it hangs up on me. I think it happens when I receive a text.

Reply
