Current Wave Data

Google Launches Open-Source Patch Validation Tool



Security updates in the Android ecosystem are a complex, multi-stage affair, with each downstream manufacturer responsible for incorporating security fixes and deploying them to individual user devices. Manufacturers have diverse device portfolios, with different models running different versions of the Android operating system and related software, which means they are responsible for multiple update versions. As it currently stands, updating Android devices is both time-consuming and labor-intensive.

Vanir, Google's latest open-source security patch validation tool, speeds up the process of figuring out which security patches are missing from the platform by scanning custom platform code using static code analysis. By automating this process, OEMs can identify missing security updates much faster than with current methods, according to an announcement post on the Google Security Blog.

Vanir covers 95% of all Android, Wear, and Pixel vulnerabilities that already have public fixes, and has a 97% accuracy rate, the company said. Inside Google, Vanir is part of the build system and tests against over 1,300 vulnerabilities, and has saved internal teams "over 500 hours to date in patch fix time," according to Google.

The tool does not rely on metadata (such as version numbers, repository history, or build configurations) to identify which updates are missing. Instead, Vanir utilizes automatic signature refinement techniques and multiple pattern analysis algorithms. Google claimed these algorithms have low false-alarm rates, noting that in two years of testing Vanir, only 2.72% of signatures triggered false alarms.

"This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts," the company said.
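To make the idea of metadata-free, signature-based detection concrete, here is a simplified illustration added to this article; it is not Vanir's code or its actual algorithm. All function names, the normalization rule, and the C snippets are assumptions constructed for the example: it hashes normalized line n-grams of a known-vulnerable function, discards any that survive the fix, and looks for the remainder in downstream code whose identifiers and formatting have changed.

```python
import hashlib
import re

# C keywords/types are kept verbatim; every other identifier becomes "ID" so
# downstream renames do not change the signature (assumed, simplified rule).
KEYWORDS = {"int", "char", "const", "size_t", "void", "if", "else",
            "for", "while", "return", "sizeof"}

def normalize(line):
    line = re.sub(r"//.*", "", line)          # drop line comments only
    line = re.sub(r"\b[A-Za-z_]\w*\b",
                  lambda m: m.group(0) if m.group(0) in KEYWORDS else "ID", line)
    return re.sub(r"\s+", "", line)           # drop all whitespace

def ngram_hashes(code, n=3):
    lines = [s for s in map(normalize, code.splitlines()) if s]
    return {hashlib.sha256("\n".join(lines[i:i + n]).encode()).hexdigest()
            for i in range(len(lines) - n + 1)}

def make_signature(vulnerable, patched, n=3):
    # Keep only n-grams the fix removes; ones that survive the patch would
    # also match already-patched code and raise false alarms.
    return ngram_hashes(vulnerable, n) - ngram_hashes(patched, n)

def missing_patch(target, signature, n=3):
    return bool(ngram_hashes(target, n) & signature)

# Constructed sample code, not taken from any real advisory.
VULNERABLE = """
void copy_name(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    dst[len] = 0;
}
"""
PATCHED = """
void copy_name(char *dst, const char *src, size_t len) {
    if (len >= NAME_MAX) return;
    memcpy(dst, src, len);
    dst[len] = 0;
}
"""
DOWNSTREAM = """
void copy_label( char *out, const char *in, size_t n ) {
        memcpy( out, in, n );   // vendor tweak
        out[n] = 0;
}
"""
SIGNATURE = make_signature(VULNERABLE, PATCHED)

if __name__ == "__main__":
    print("missing patch:", missing_patch(DOWNSTREAM, SIGNATURE))
```

No version number, commit history, or build configuration is consulted; the renamed and reformatted downstream copy is flagged purely from its code, while a copy that contains the bounds check is not.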

A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across downstream branches, Google said, noting that the engineer did so in just five days.
