ACLU takes wireless carriers to task for poor Android security

The American Civil Liberties Union has called on wireless carriers to either take responsibility for Android security on the mobile devices they sell or let Google handle updates to protect the millions of people using the operating system.

Christopher Soghoian, principal technologist for the ACLU, also urged federal legislators to pressure carriers into reversing their dismal handling of Android security. Soghoian made his remarks on Monday at the Kaspersky Lab Security Analyst Summit in San Juan, Puerto Rico.

"If they want to control the software that runs on the device, then they need to take responsibility for the software that runs on the device," Soghoian told CSO Online. "If they don't want that responsibility, they need to give the control to someone else."

"Right now, we have the worst of both worlds," he said. "Where the carriers get the control and don't take the responsibility."

Wireless carriers did not respond to requests for comment.

Because of the carriers, millions of Android users are currently using older versions of the operating system with known vulnerabilities that can be exploited by cybercriminals, Soghoian argues. In many cases, Android users are running versions of the OS that are two generations old.

The lack of a consistent mechanism for pushing Android security updates to all users regularly has been a problem for years. Google provides a baseline implementation of the OS through the Android Open Source Project, and lets carriers and their hardware device partners add whatever features they wish.

As a result, thousands of versions of Android are in use, making it impossible under the current conditions to secure all of them through one update.

Lawrence Pingree, an analyst for Gartner, said, "It is very unlikely that Google has the resources required or the wherewithal to offer significant support for all the flavors of Android deployed in the world and since the OS is open-source, it likely has no obligation to do so."

The ACLU has chosen to raise the issue at a time when recent cyberattacks from China have made front-page news. Last week, The New York Times and The Wall Street Journal reported that Chinese hackers broke into their computer systems.

Also, Twitter reported that "extremely sophisticated" hackers stole the user names and passwords for a quarter million users.

With so many high-profile security breaches, Washington lawmakers are more likely to become receptive to putting in place regulations for mobile phone security, Soghoian said.

"The position that the wireless carriers are in right now, to be honest, is indefensible," he said. "The only reason they've been able to get away with this as long as they have is because the average consumer, and many policymakers, just didn't know that this was happening."

Coming up with a practical solution will be difficult, experts say. With Android, Google provides carriers with a business model much different than that of rival Apple, which controls all the software on the iPhone and iPad.

With Android, carriers and manufacturers work together to compete for customers based on the features built into the devices. "A key benefit of Android and their handset base is the ability of the carrier to provide a product to their market rather than receive the Apple experience where you get what you get," said Glenn Chisholm, chief security officer for Cylance.

Theoretically, Google could revise its agreements with carriers to require that security updates get pushed out within a specified time. However, Google has shown no interest in taking such steps.

"Honestly, based on current practice, I cannot find a good solution," said Xuxian Jiang, assistant professor for computer science at North Carolina State University.

Meanwhile, the amount of Android malware is growing substantially faster than any other type of Web-delivered malicious app, according to Cisco's recent 2013 Annual Security Report.

In addition, cybercriminals appear to be building better tools for attacking the OS. The first documented Android botnet was discovered in the wild in 2012, Cisco said.

Stories by Antone Gonsalves
