Why Enterprises Should Avoid Android OS Security Patch Backporting

Every new cyberattack is an important reminder why keeping your Android operating system (OS) up to date is so important. That’s why it is critical to keep all your software and handheld devices up to date.  Operating system updates improve the end user experience and increase security. An operating system like Android may be the most complex piece of software you will ever use.

Each new Android OS contains critical and significant improvements along with important security and privacy enhancements. The updates go far beyond bug fixes that are provided each month. Android also introduces expansions and restrictions to APIs, which permit third-party apps to interact with your devices and data and perform a variety of advanced functions.

Regardless of rigorous testing during OS development, an OS will never be flawless. To fix OS errors, Android is patched as software updates. These updates are released to protect users from all sorts of cyberattacks, especially when they’re releasing scheduled security updates.

When a company ignores or refuses such updates, it can have serious consequences because a cybercriminal can seek to exploit security vulnerabilities to infect systems with dangerous malware.  According to Gartner, “Operating Systems are one of the most likely vectors for attack, and the availability of security patches is a critical requirement.” ¹

Android Backporting is NOT the Same As Android Version Update

Backporting a security patch to an older Android OS is not the same as updating to the current Android OS version.  Backporting is essentially taking parts of a newer version of a software system or software component and porting them to an older version of the same software.  It is used for fixing security and feature issues in older versions of software.  It’s an attempt to extend the useful life of an operating system.

Not all devices can upgrade to the latest Android version.  This presents the user with a limited lifecycle and creates a higher security threat risk, reliant on backporting.  Honeywell, however, provides each and every Android version on Mobility Edge devices, guaranteed through Android 11, and is committed to continuing compatibility through Android 13.

Hidden Issues with backporting. Some mobile device OEMs refer to their backporting practices as security updates.  These backporting practices, marketed as security updates, come with hidden issues that enterprises need to understand.

• New OS features not available for backporting. New security features included in new OS versions may not be available to backport to earlier OS versions.
• Incomplete security patching. Vendors cannot guarantee that every vulnerability found in newer Android versions can and will be backported.
• Patches for processor vulnerabilities. Patches for proprietary low-level processor code must come from the chipset vendor and may not be available in later years.

Backporting to Older Android OS May Leave Your Company’s Cyber-Security at Risk

Honeywell and Google recommend maintaining the latest OS version.  At Honeywell, we believe that anyone promoting backporting over OS upgrades may not have the customers best interest in mind. Honeywell works closely with customers to make it as smooth of a transition as possible to upgrade from one Android OS to the next.  Here’s why:

• Android uses an incremental approach.  Each version builds on the last, maintaining backwards compatibility, making maintenance and upgrades easier.
• When following Android best practices, little to no adjustment should be needed beyond updating the device OS version. 

Honeywell customers always have the choice when they believe it is their best interest to upgrade. So, whether to patch or upgrade is the customer’s choice.

Honeywell offers backporting service as a last resort, as some customers have situations in which they have decided to delay OS upgrading. Why would a company decide to stay on an old Android OS? Some common reasons include:

• Lack of awareness or having been misled to believe that it’s not a big issue.
• Companies have made the false assumption that updating Android versions requires substantial effort.  In reality, Google’s approach to Android is different. 
• Companies have developed their own applications that weren’t developed using best practices, and those applications need to be updated in order operate on a newer OS version.

Bottomline: Backporting may leave your devices with a security gap because not all OS changes/updates can be patched. And the older your OS, the more risk you have of being exposed to cybersecurity threats. Below is a sampling of security and privacy features that were added to recent Android versions:

Android 10 OS Over 50 privacy and security updates: ^{2, 3}

• New Privacy section under Settings with important controls like Web & App Activity and Ad Settings in one place.
• External storage access is restricted to an app’s own files and media, meaning, that an app can only access files in the specific app directory.

• Users now have detailed control over the location data they share with apps. You can grant location access to an app at all times, turn it off completely, or give access only while the app is in use.
• Apps can no longer launch activities in the background without user interaction. This is intended to minimize screen interruptions for users and provide more control over what happens on their device.

• Restrict apps from knowing the IMEI or Serial number of your device which keeps device identifiers from being misused for illegal activities like IMEI spoofing.
• Create a QR code for your Wi-Fi network or scan a QR code to join a Wi-Fi network from the device's Wi-Fi settings.
• Developers can now use the BiometricPrompt API to specify the biometric authenticator strength required by their app to unlock or access sensitive parts of the app.

Android 9/P:

• DNS over TLS (encryption)
• TLS by default
• Pre-App SeLinux Domains
• Strongbox Keymaster HAL (HSM)
• Secure Keystore From HSM (secure enclave)
• APK Secure signing w/ key rotation (proof of rotation)
• UnlockedDeviceRequired Flag for Keystore
• Camera + Mic limited functionality if background
• Accelerometer + sensor limited data if background
• Client-side secret encrypted backups
• OS downgrade protection
• Shift worker mode
• Lock task mode
• Kiosk mode
• Profile hardening
• Advanced logging
• And more….

Android 8/O:

• WebView object changes for process isolation
• Safe Browsing APIs for Webviews
• UI Overlay detection
• FIDO2 for Biometric/2FA
• App install permissions no longer global
• Dev Options require PIN
• SecComp kernel features to filter bad system calls (over-privileged app)
• Play Protect malware analysis
• Boot rollback protection
• Sandboxing enhancement to protect kernel
• Network logging for threat analysis and forensics
• File based encryption improvements
• Zero Touch enrollment
• Failsafe system updates
• And more…

Honeywell Mobility Edge, Security Patches/Updates

Honeywell Mobility Edge is a leader in Android version support, providing the best available security to our customers. Mobility Edge is the first and only platform to guarantee support through Android 11 and Honeywell is committed to working towards Android 12 and 13 compatibility.

Honeywell is deeply committed to the longevity and quality of the Mobility Edge platform. The following products are built on the Mobility Edge platform: Honeywell CT40, CT40XP, CT60, CT60XP, CN80, CK65,  VM1A, VM3A, and RT10A.

Contact a Honeywell Solutions Expert today! Call 1-800-934-3163

¹ Source: Avoid Ransomware Disasters With a Better Backup and Recovery Strategy, Michael Hoeck, Published 22 July 2019.

² Google Android 10 Review

³ Android 10 rewind: Throwback look at privacy features before Android 11 lands

Android and Google are trademarks or registered trademarks of Google LLC. All other marks are property of their respective owners.

Article Updated October 24, 2020