Less than a week ago, security researcher Gal Beniamini revealed that millions of Android devices running on Qualcomm processors were vulnerable due to issues with their full disk encryption. The issues were found in devices running Android 5.0 Lollipop and later versions of the Android operating system. The vulnerabilities, named CVE-2015-6639 and CVE-2016-2431, were resolved by Google via two security patches released in January and May of this year, respectively. That being said, Qualcomm now claims that it informed Google about the two security vulnerabilities in November of 2014 and February of last year, which leaves us with the question as to why Google took over a year to deliver the patches.
According to Tech Crunch, the delay might have resulted from the fact that since Android is an open-source operating system, security patches sent out by Google need to be applied by a large number of OEMs on their devices running Android operating systems. It is possible that OEMs might not have applied the fixes on their handsets in time which could be the reason why Beniamini could discover the flaws months after they were supposedly fixed by Google. Another reason why Beniamini was able to decrypt the Full Disk Encryption in Android phones could be because such devices with Qualcomm processors store their encryption keys in software unlike Apple which stores encryption keys on iPhones and iPads (hardware, not software). Encryption keys stored in software can be removed through certain processes which render them powerless, leaving Android phones vulnerable to third party intrusions. If Qualcomm's claims are correct, the fact remains that Google took over a year to deliver the patches, even though it is not known yet if any devices were actually compromised because of the delay.
As of now, the Federal Trade Commission and the Federal Communications Commission are running their own investigation on whether Google and other OEMs are rolling out security updates at a pace expected from them. The two commissions are going through the process "to better understand, and ultimately to improve, the security of mobile devices" and both of them have contacted 14 companies to accumulate more information in this regard. These companies include Apple, Alphabet, BlackBerry, HTC, Microsoft, Samsung and Motorola, among others. The principle factor behind them initiating such investigations was the Stagefright bug issue which had hit the headlines last year. If both FCC and FTC can come out with new findings and set new standards, especially for phones running older versions of various operating systems, it will create an environment where security vulnerabilities will be patched as soon as they are discovered by companies as well as security researchers.