The U.S. Federal Communications Commission and Federal Trade Commission have entered the fight for mobile device users’ security, opening parallel investigations into how smartphone security updates are created and dispersed by major mobile carriers and device makers.
Letters were sent by the FCC to four major US carriers -- AT&T, Sprint, T-Mobile and Verizon -- as well as to US Cellular and Tracfone inquiring about the processes used for reviewing and releasing security updates to consumer devices.
Meanwhile, the FTC targeted eight mobile device and software makers , including Apple, Google, and Samsung, sending similar inquiries about how they issue security updates for vulnerabilities found in smartphones, tablets and other mobile devices
The growing number of business and personal mobile users conducting an increasing number of activities on their devices combined with the severity of security bugs like ‘ Stagefright,’ which has affected millions of Android devices worldwide, has prompted the two government entities’ investigation into how mobile device makers and service providers determine when to release patches.
“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use. There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device … Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC letter read.
Android’s Security Patch Deployment Problem
The business of patching vulnerabilities on mobile devices can be messy one – particularly for Android users. While Apple and Google frequently deploy patches soon after vulnerabilities are reported, for Android users, it can be a long wait before the patch actually makes it to their devices – if at all. This is because of the fragmentation of the Android platform .
Unlike Apple, which controls both its operating system and the hardware, there are a plethora of smartphone manufacturers that utilize the Android platform on their devices. This would be fine if the devices ran a pure form of the Android firmware. Unfortunately most do not. Instead the original equipment manufacturer (OEM) will load its own customized version of Android onto its device, making it impossible for users to simply download the latest patch created by Google. Instead, they must wait for the OEM to test and modify Google’s Android patch so that it will work on the device in question.
Why Mobile Carriers Share Blame In Android Security Problems
While the larger burden for user security falls on the device manufacturers, mobile carriers aren’t completely off the hook. Major carriers like Verizon or AT&T for instance, often have their own custom version of the Android OS created for devices they sell. This allows them support specific hardware and apps or to disable functionality. Sometimes it’s just to add the carrier’s logo to the phone’s splash screen. Regardless, the original Android firmware has been modified and so it requires testing and approval from the wireless carrier before the patch can go out to users.
Since mobile carriers are in the business of sales, not security, they will sometimes choose not to focus their attention of creating patches or do little to pressure OEMs into releasing updates quickly. According to a 2013 report by Ars Technica , Android users often wait more than a year before they get their first software patch. More current reports don’t appear much better. Android Marshmallow, for example has been out more than six months now and yet only 7.5 percent of Android users have it running on their phones. By comparison, more than 50 percent of Apple devices were updated to iOS 9 just one month after its release.
The sluggish rate at which Android devices receive security patches lead The American Civil Liberties Union (ACLU), to file a complaint against US wireless carriers with the FTC in 2013.
Stating that major mobile carriers were engaging in “unfair and deceptive business practices” when they failed to warn customers about known, unpatched security flaws in products they sold, the complaint requested that the commission investigate AT&T, Verizon, Sprint and T-Mobile.
“These companies have sold millions of Android smartphones to consumers. The vast majority of these devices rarely receive software security updates. [Therefore] a significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners. Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous,” the complaint states.
The ACLU’s complaint calls for carriers to allow consumers to return or receive a full refund or exchange on any carrier-supplied Android smartphone that is less than two years old and has not received “prompt, regular security updates.”
Though these demands are not likely to be met, the FTC and FCC’s investigations are, nonetheless, an encouraging step in the right direction for the security of mobile device users.
