The State Of Mobile OS Patching - InformationWeek


Commentary
5/20/2011
07:56 PM
Kurt Marko

The State Of Mobile OS Patching

We expect our PC operating systems to be regularly patched to counter the latest security hole, but we don't have that same assurance with our phones and tablets.

The recent uproar and subsequent congressional hearings over location-tracking software embedded in iOS and Android devices highlight a disturbing dichotomy between their respective vendors' (Apple and Google) approaches to patching the operating system: Who's in control when pushing out an OS update, the user or the carrier? The answer becomes significant as smartphones become increasingly attractive malware targets, with new vulnerabilities, like one that opens up Android phones on open Wi-Fi networks to snooping, popping up weekly.

One of the oft-cited shortcomings of Apple's OS update distribution scheme for the iPhone and iPad is that it can't be done over the air. Instead, the device must be tethered to a computer, with updates downloaded and installed via iTunes. Note that Research in Motion uses a similar client application for updating firmware in BlackBerrys.

In contrast, Android phones are updated wirelessly over a 3G or Wi-Fi connection. Yet what Android gives in convenience it takes away in control, since users are at the mercy of their carriers for providing an over-the-air update (the only user-initiated approach requires jailbreaking the phone, downloading a compatible Android binary of questionable authenticity and security, and following a detailed installation process that usually involves booting the phone into recovery mode). The problem is that carriers' cavalier attitudes toward their customers mean OS upgrades are few and far between.

The tracking imbroglio provides a case in point on the security ramifications of the two approaches. Kvetching about Apple's weeklong delay in responding to the initial report documenting the unsecured iPhone location cache aside, Apple clearly has been more responsive in documenting and fixing the problem than Google. Apple released a detailed statement about a week after initial media reports of the problem (Google waited until last week's hearing before providing similar detail) and released an OS patch fixing the problem a week after that (and a full week before the hearing). While Google says location tracking can be turned off by application, it admits that storing and securing location data is the responsibility of individual apps and isn't something users or Google can control other than to disable what is often a critical piece of the application software.

What this incident highlights, however, is a user's helplessness in the face of a potentially more serious OS flaw. While we expect our PC operating systems to be regularly, and in many cases automatically, patched to counter the latest security hole, we don't have that same assurance with our phones and tablets.

Apple has been quite vigorous in patching iOS, with three updates since the latest major version rolled out with the iPad 2 in March, and leaves control over downloading and installation with the user. Google, on the other hand, keeps the ball in the carriers' court, and let's just say, I'm still waiting for Android 2.3 (Gingerbread) to hit my Droid X more than five months after its release. This leaves me with the sinking feeling that I may have to live with a gaping security hole for a long time should a major Android threat hit the wild.

So, before updating your smartphone or getting that new tablet, think about how you'll keep it patched and secure, since your interests and the vendors' aren't necessarily aligned.
