Encryption is on everyone's mind these days, with authorities such as Congress and the FBI trying to bypass it in special circumstances and the tech industry attempting to guard it more often than not.
Last week, a security researcher found a flaw in Android's full disk encryption, and it looked as though the decryption method would rock the safety of digital mobile devices.
However, chipmaker Qualcomm affirms that it informed Google about the vulnerabilities as early as November 2014 and February 2015. In January and May 2016, Google rolled out patches to address the issues, leaving a gap of more than a year between when it caught word of the issues and when it sent out the fixes.
Such a long delay looks like a considerable slip for such a big company, but the devil is in the details.
To understand why it took Google until May to send out a second patch, we need to look at the intricate supply chain of Android's mobile devices, as well as Android's approach to its security infrastructure.
Android vs. iPhone
Users constantly compare Android's handsets to those of its main rival, Apple. The big difference is that Apple has an iron grip on the manufacturing of its devices, while Android lands on thousands of devices that Google has little or no control over.
In this case, it looks like the diverse supply chain set the stage for the exploit that can break through Android's full disk encryption.
Security researcher Gal Beniamini uncovered several issues in the implementation of Android's full disk encryption, which would pave the way for hackers attempting to decrypt Android mobile devices packing Qualcomm's chips.
Without going into details about the complicated procedure, the essential information is this: as opposed to iPhones that store their encryption keys in hardware, Qualcomm-carrying Android devices store the encryption keys in software.
Google rewarded Beniamini through its bug bounty program for his reports.
Qualcomm notes that it notified Google of the same problem that Beniamini recently showcased back in August 2014. What is more, the OEM delivered patches to fix the problem in both November 2014 and February 2015.
"Even though they fixed the issue internally, OEMs did not apply the fix," Beniamini told TechCrunch. That leaves room for speculation as to whether they simply forgot about it or missed it entirely.
It is unclear why Android took so long before delivering a fix, but there is a chance that the Android team was unaware of how to use the exploits described by Beniamini.
The research shows that a few scenarios exist where the exploit would be effective: for example, if the device did not receive the security updates, if Qualcomm is forced to cooperate with law enforcement, or if the device is downgraded.
Security No Longer Black And White
Android's take on security may also have something to do with the long process of releasing the fix. As opposed to Apple, Android takes a more nuanced approach to digital safety.
Android's security lead Adrian Ludwig affirmed in June that the "white and black model" used by the security community is set to be all black unless "we accept that there are going to be shades of gray."