Shaming is a step forward, but more work is needed for faster smartphone patching

Shaming works to a point, but more work is needed in order to improve Android security

Shaming carriers and smartphone manufacturers into applying patches faster is a step forward, but a lot more needs to be done to improve the security of the Android platform, security experts say.

Last month, Bloomberg, citing unnamed sources, reported that Google is considering releasing a list of vendors ranked by how up-to-date their handsets are.

This has long been a problem for Android. Apple can unilaterally push out updates to its customers as soon as they come out; with Android, the situation is a lot more complicated.

When a patch comes out, only Nexus phones get it automatically, said Kyle Lady, research and development engineer at Duo Security.

"If it isn't a Nexus phone, the manufacturer has to apply the patch to the software, then send it to the carrier, who has to approve it, and send it to customers running that phone," he said. "So there's a substantial delay."

For example, 60 percent of Android phones still don't have a patch for the QSEE exploit, even though the patch came out in January.

"There are way too many devices in the wild left completely unprotected from well-known, high severity exploits," said John Michelsen, chief product officer at Zimperium. "Manufacturers have a responsibility to provide important updates to the Android platform as soon as possible."

It's not just patches that aren't being distributed to the phones in a timely manner.

The Android 6 "Marshmallow" operating system, released last October, is currently only on 7.5 percent of Android devices.

"The older version of Android may have vulnerabilities that are not being patched by the OEM," said Kia Behnia, CEO at mobile security firm PowWow Mobile. "Google and OEMs must have a better model for updating those older devices for both security and usability reasons."

And some Android phones never get any patches or updates at all.

"According to Google’s own report, a large portion of Android users -- over 30 percent -- never receive security updates," said Michael Shaulov, head of mobility product management at Check Point Software Technologies. "This leaves users defenseless against malware."

Putting pressure on manufacturers is a good step, he added.

"I’m not sure there’s much Google can do," he said.

For example, many manufacturers have customized the interfaces to better appeal to their users, he said, since many customers prefer customization to security. And carriers also add bloatware. All this customization slows down the patch process considerably.

Arian Evans, vice president of product strategy at security firm RiskIQ, agreed that Google's new tactic could be a move in the right direction.

"Hackers are increasingly using mobile as a new attack vector, using trusted brands with a high-profile public presence or associated with valuable data as lures to deceive end-users and steal sensitive information and taking advantage of relatively immature security practices in the mobile channel to conceal fraudulent activities," he said.

One problem is that patches and updates cost money without producing any additional revenue, since the customers have already bought their phones.

"The phone manufacturers have enjoyed a lower development and maintenance cost for their non-updateable or high latency updatable devices," said Chris Wysopal, CTO and CISO at security vendor Veracode.

Google should continue to put pressure on them, he added.

"Perhaps they could force a logo program where you need to have some minimum update latency to achieve the Android logo or perhaps a new 'Android Safe' logo," he said.

For carriers, releasing patches without fully testing them could disrupt their networks, which is a significant risk to them, said Stephen Newman, CTO at security vendor Damballa.

"Imagine if a carrier allows security patches to go untested and one of them brings down a major carrier's network or multiple carrier networks," he said. "Colossal damage."

If Google presses harder for faster updates, it needs to make testing easier for the carriers, he added.

"Ultimately the carriers may elect to limit even further the number of devices they will sell, thus limiting the number of options for consumers but also limiting the amount of devices they have to test," he said.

Limited choices could mean that carriers lose customers, said Tim Strazzere, director of mobile research at security firm SentinelOne. In addition, carriers and manufacturers may become reluctant to use the Android operating system.

"If they push for updates while providing better tools and helping the OEMs and carriers, they definitely stand a fighting chance to improve the ecosystem, which in turn makes everyone have more up to date and hopefully safer devices," he said.

Meanwhile, if the industry is unable to make progress on the issue, the government may step in.

Last month, the FCC and the FTC announced that they are asking mobile carriers and device manufacturers about how they release security updates.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," said the announcement.

"Shaming manufacturers and carriers may not be a silver bullet, but combined with pressure from the FCC, we may see security update timeframes start to improve," said Chris Eng, vice president of research at security firm Veracode.


Stories by Maria Korolov
