Mobile
Commentary
4/18/2013
02:13 PM
Connect Directly
RSS
E-Mail
50%
50%

Android Smartphone Sellers Should Patch, Refund Or Perish

FTC should crack down on wireless carriers and smartphone manufacturers that put their customers at risk by failing to update Android devices.

Should wireless carriers be held responsible for keeping the devices they sell up to date and patched against known vulnerabilities that are being actively exploited by attackers?

If that question pertained to Microsoft and its Windows operating system, the answer would be an easy yes. But some wireless carriers that profit from devices that run the Android mobile operating system appear to believe differently.

The American Civil Liberties Union Tuesday accused the nation's four biggest wireless carriers -- AT&T, Sprint Nextel, T-Mobile USA and Verizon Wireless -- of too often failing to distribute Android security updates to their customers in a timely manner, thus putting them at risk. Accordingly, the ACLU called on the Federal Trade Commission to investigate carriers' "deceptive business practices" and force refunds or free smartphone replacements for consumers.

With those allegations and requests on the table, here's how wireless trade group CTIA, which counts the four carriers as members, responded: "Based on recent reports, U.S. wireless networks are among the most secure in the world because the carriers and the overall mobile industry are vigilant in preventing and protecting against malicious attacks."

The emailed statement came on Wednesday from John Marinho, CTIA's vice president of cybersecurity and technology. He continued, "CTIA and its members are constantly investing in their networks to guard against cyberattacks. We will continue to work with all interested parties so that U.S. wireless users are able to have the best experience possible."

[ Think the House Committee learned from its earlier missteps with CISPA? Think again. CISPA 2.0: House Intelligence Committee Fumbles Privacy Again. ]

Just to be clear, the problem identified by the ACLU isn't the security of carriers' wireless networks, as CTIA seems to want to address. Instead, the problem is carriers sticking it to Android customers with two-year contracts, and then failing to patch their smartphones in a timely manner. Furthermore, regardless of whether subscribers are connecting to carriers' wireless networks or not -- perhaps they're using a Wi-Fi hotspot -- no network magically cyber-scrubs away all the Internet-borne malware, including malicious applications that target Android devices.

Does CTIA -- or its members -- think that by ignoring this problem, it might somehow disappear? Because unpatched Android devices pose an increasing information security risk, and carriers are responsible for selling and supporting millions of Android devices. Research released by Duo Security in September 2012, for example, found that of 20,000 Android devices scanned, more than 50% needed patching. Furthermore, the volume of malware targeting Android devices continues to rise.

Google isn't at fault here. "Although Google's engineers regularly fix software flaws in the Android operating system, these fixes aren't packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners," said ACLU senior policy analyst Christopher Soghoian, who co-authored the group's complaint, in a blog post. "For consumers running these devices, there is no legitimate software upgrade path. The problem isn't that consumers aren't installing updates, but rather, that updates simply aren't available."

Accordingly, the ACLU recommended the FTC put this simple fix in place: any consumer who has purchased an Android smartphone from a carrier in the last two years and who has not received timely updates from the carrier may return the device for a full refund. Alternately, they would be allowed to exchange it -- at no cost -- for another phone that will receive prompt, regular updates directly from Apple, Google, Microsoft or another mobile operating system vendor.

Might smartphone manufacturers, rather than carriers, be to blame for the update holdup? Perhaps, but carriers are selling the devices to consumers and servicing them, so they should be on the hook, and if necessary, sort out their supplier relationships.

For comparison's sake, imagine if Microsoft didn't distribute Windows operating system security updates directly to end users but to OEMs such as HP, Lenovo or Dell, who along with their distributors -- think Amazon.com or Best Buy -- collectively took months to push the updates to their customers who used the devices both at home and work. Cue outrage. Now imagine if those OEMs and resellers considered the Windows laptops and desktops to be "end of lifed" after a year and stopped supporting them altogether? Cue more outrage.

Despite the ACLU's allegations, some carriers do patch faster than others -- but which ones? To answer that question, on Wednesday I emailed the four carriers named in the ACLU's complaint, asking them to respond to the ACLU's allegations and to share a list of their current Android devices, together with a timeline of all security and operating system updates they've released for those devices.

Interestingly, the carrier that sells the most Android devices in the United States, AT&T -- formerly known as Cingular -- failed to respond at all. Sprint, however, said that it "follows industry-standard best practices designed to protect its customers," while T-Mobile said that it "regularly provides security updates to our customers, including those using the Android operating system."

Verizon, meanwhile, pointed to information on its website to help answer the "how fast do you patch?" question. "You can find a list of Android devices available from us on www.verizonwireless.com and update information is included with individual phones," Verizon spokeswoman Debra Lewis said via email. "We also update our News Center stories on individual devices when we update phones."

For example, Verizon's news center announced this week that the carrier will begin over-the-air (OTA) updates for Droid Bionic smartphones to Android 4.1 Jelly Bean. The phone was originally released in September 2011 with Android 2.3.4 Gingerbread, and received OTA updates in December 2011 and April 2012. In other words, the device appears to have been last updated by Verizon about a year ago.

The new update has been brought to Verizon's customers in part via Google, given that it purchased Motorola in May 2012. Google then announced in October 2012 that owners of some older devices would receive a $100 credit if they've purchased one of 11 Motorola devices that can't be upgraded -- for technical reasons -- to at least Android 4.1.

In other words, Google has promised to not leave its legacy Motorola customers out in the cold. Will carriers that fail to patch Android devices in a timely manner need their feet held to the fire before they do the same?

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Major_Pita
50%
50%
Major_Pita,
User Rank: Apprentice
5/9/2013 | 7:31:01 PM
re: Android Smartphone Sellers Should Patch, Refund Or Perish
Agreed, the carrier should bear the brunt of this simply because of the level of - well, let's call it 'customization' for the sake of civility, that they bestow upon their Android Handsets. In many cases the OEM has their portion of an update ready for months before carriers finish their testing and approval process and release the update as an OTA package.

Case in point: I purchased a Droid Bionic from Verizon in September 2011 at what was probably the most expensive price Verizon had charged for a handset to-date 300 dollars. The purchase was heavily influenced by the promise of a priority Ice Cream Sandwich update. Verizon subsequently released the Droid Razr line which used the same processors and chipsets but somehow received an Ice Cream Sandwich update months before the Bionic did, even though the Bionic was a more costly phone.

In fairness The Bionic was recently resurrected from the dead with an unexpected update to Jelly Bean 4.1.2 although I believe this was largely due to Google's purchase of Motorola and subsequent outreach to Bionic users rather than any good-will effort on the part of Verizon.

I am now using a Google Nexus phone which is about the only way to avoid the Android update circus, theater and dog&pony show...
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2013 | 2:39:14 AM
re: Android Smartphone Sellers Should Patch, Refund Or Perish
I think it makes a lot of sense to lay this issue at the feet of the carriers, especially as Washington wavers back and forth as to whether or not the end user can root and then modify their own devices.

Example - latest version of the Android OS is 4.2.2, released 2 months ago. My personal phone, from one of the big manufacturers on one of the big carriers, is only at 4.1.2 and reports with "Your device is up to date". My wife's phone is on 2.3.6, same carrier, different manufacturer, and also reports as being up to date.

So, the update from 4.1.2 to 4.2.2 is an eye-candy update? Maybe, haven't researched it, but I think that's not quite true. The update from 2.3.6 to 4.2.2, I'm betting, has a few more security updates in it. Now, doing a little research, I'm walking around with a 6+ month old OS load on my device (even though it hasn't been 6 months since the last update was applied) and the wife's phone is running an OS that's 18+ months old.

Coming from a long history in the Windows world, if you're 18 or even 6 months behind in OS patching, you're a target, simply put. Given the ubiquity of these devices and the personal information that gets carried on and processed through them... emphatically yes, the carriers should be held responsible for securing the devices on their network by at least offering appropriate OS upgrades to end users in a more timely manner.

Andrew Hornback
InformationWeek Contributor
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.