The US Federal Trade Commission has warned the smartphone industry to simplify patching and get more updates to end-users faster.
The FTC on released a report on Wednesday with findings based on responses to a survey it sent to the US offices of Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung in mid-2016 — a year after the Stagefright bugs surfaced, affecting nearly every Android device and prompting Google to push key Android partners to release security-only updates on a monthly basis.
The Federal Communications Commission (FCC) also probed US wireless carriers about their role in updating devices.
The 74-page report covers update processes, from finding bugs to installing updates; how long vendors commit to delivering updates; public statements about support periods; the frequency of updates; and how handset vendors communicate the status of a handset model in relation to updates.
A key recommendation is that the mobile industry needs to “ensure that mobile devices receive operating system security updates for a period of time that is consistent with consumers’ reasonable expectations.”
However, the FTC doesn't have a baseline for what consumers expect and encouraged consumer advocacy groups to conduct surveys to find this out, in particular how long support is provided and the frequency of updates.
The commission doesn’t name and shame specific vendors or carriers, however the report highlights FTC fines against Oracle, Asus, and HTC over various security and privacy failings. It also acknowledges the challenges to patching mobile devices, including the number of different models and delays during testing before patches are released to end-users.
Many of the findings aren’t surprising either, given the known challenges behind slow security and version updates for Android devices. Google’s Project Treble redesigned Android to help handset makers deliver faster feature and security updates to devices, but this only applies to phones that ship with the 2017 release of Android Oreo 8.0 and later.
However, the report does offer a comprehensive look at why end-users don’t receive patches and lays out the inconsistencies in patching between vendors and carriers, communication about updates, and support periods that. All of which amount to major obstacles consumers protecting their information on mobile devices.
For example, it notes: “Google, LG, Microsoft, and Samsung make (or have made) at least qualified statements about update frequency on their websites. Most device manufacturer websites, however, do not include any information about support length or precise information about update frequency.”
The FTC’s report is limited to the US, but it offers a snapshot of the state of mobile security that is likely replicated across the world.
As Google highlighted last week, there are now 2 billion active Android devices globally from 1,300 brands across 24,000 unique products. Google promotes this diversity as a strength of Android security in relation to malware, however the FTC notes that it “also contributes to security update complexity and inconsistency”.
The investigation found a range of inconsistencies in how devices are serviced, with wide discrepancies between support periods and update schedules.
Apple’s iPhone, Google’s Pixel phones, and Microsoft’s former Nokia devices fared better than the wider Android ecosystem, according to the FTC.
“Device manufacturers that develop and control their own operating systems tend to commit in advance to longer support periods (usually for several years) for devices,” the FTC notes.
Some device makers told the FTC they couldn’t commit to support periods for all devices because they didn’t know which ones would be popular. However, the FTC’s analysis of two brands found that the price and age of a device was as closely linked to support periods as a device’s popularity.
Many device makers also didn’t keep records about update support and so couldn’t even answer the FTC’s questions about the time it takes to release a patch and how many end-users actually install it.
The FTC said in a statement that many handsets remain un-patched because vendors and carriers don’t release updates, often because the process for approving and deploying them is cumbersome.
“Consumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection.
“Our report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure.”