
ACLU asks FTC for help forcing mobile carriers to patch bugs faster

Enterprises worried that cell phone carriers are doing a poor job of patching mobile devices may receive some help from the federal government.

The American Civil Liberties Union (ACLU) this week filed a complaint (PDF) with the Federal Trade Commission asking the agency to look into the top wireless providers' alleged failure to warn Android users about buggy software.

In the complaint, filed Tuesday, the ACLU claimed that, despite selling millions of Android phones to consumers, AT&T, Verizon, Sprint and T-Mobile USA have not provided timely patches for those devices. While Google, the developer behind the Android operating system, regularly fixes bugs in its software, mobile carriers have been too sluggish in pushing those fixes to customers.

The advocacy group requested that the FTC force carriers to warn their customers about unpatched flaws, and provide "reasonable steps those consumers can take to protect themselves, including purchasing a different smartphone."

"A phone running software that can be hacked, may be fine for using the Angry Birds [app], but you might not want to do online banking [on it]," Chris Soghoian, principal technologist and senior policy analyst for the ACLU's speech, privacy and technology project, told SCMagazine.com on Thursday.

The complaint called Android smartphones that did not receive "regular, prompt" security updates "defective" and "unreasonably dangerous."

Soghoian said consumers should be able to end their cell phone contracts early, without paying a penalty, if they have phones that do not receive timely updates – another measure the group asked the FTC to mandate.

Customers with devices less than two years old who still don't receive "prompt, regular security updates" should also be allowed to exchange their phone for one that does, or receive a full refund for their device, according to the complaint.

The ACLU stopped short of asking the FTC to impose specific technical requirements on the carriers, preferring instead that the agency play more of a consumer advocacy role.

“We did not ask the FTC to force the carriers to give people updates,” Soghoian said. “We are cautious about the government telling companies how to [make] their products."

The hodgepodge nature of Android phone patching can be a particularly thorny issue for enterprises that have adopted a bring-your-own-device policy, in which employees may be using their own Android models to access sensitive corporate data. But those devices may be vulnerable, and there often is little the company can do to get patches to them.

Paul Henry, a forensic analyst with Lumension Security, a Scottsdale, Ariz.-based endpoint management and security firm, told SCMagazine.com Friday that users are too dependent on carriers to dispatch fixes for security flaws.

"I've seen carriers drag their feet for months and months," Henry said. "You can't just simply download a patch [directly] from Google. It might break your phone – what the security community calls 'bricking'."

Henry added that, in order to save money, carriers often release patches only after a substantial number of consumers already need them.

"It's better math for [carriers] to hold things close until it's a big enough patch so they don't have to do it frequently," Henry said. "It's all about saving money, but people are inadvertently being put at risk."

Google has gone as far as to take matters into its own hands. In 2011, the company used a remote security tool to contain a malware outbreak in its official app store.

Android vulnerabilities continue to stir up concern in the security community.

Nearly 95 percent of all mobile malware discovered last year targeted the Android platform, according to Dallas-based security firm NQ Mobile. On Monday, the company released a new study that found that more than 32 million Android devices were infected with malware in 2012, an approximately 200 percent rise from the previous year.

Regarding the recent FTC complaint, SCMagazine.com reached out to Verizon, where a spokeswoman called the company's protocols for testing software "rigorous."

“Verizon Wireless is focused on ensuring our customers have good experiences with their smartphones and tablets," she wrote in an email. "We are known for our rigorous testing protocols, which lead the wireless industry, and we thoroughly test every update before delivering it to customers. We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience. We will review the complaint when it is filed with the FTC.”

In a Thursday email to SCMagazine.com, a Sprint spokesman said the company "follows industry-standard best practices designed to protect its customers.”

T-Mobile similarly defended its security practices; a spokesperson said Thursday via email that the carrier "regularly" provides updates to customers using the operating system.

The ACLU maintains that cell phone carriers aren't distributing patches to their customers in a timely fashion once Google has addressed software bugs.

“Where the carriers are involved or in control, things are slow,” Soghoian said.
