Nobody ever said security was easy (other than just about every vendor at just about every expo) but claiming 'difficulty' as a reason not to bother is something of a first.
Yet that's precisely what Motorola appears to have done. When journalists asked at the launch of the Moto Z smartphone if it would commit to monthly Android OTA security updates, Motorola replied with a straight no.
One review of the device then went on to suggest, quite rightly, that this was not a good thing. Motorola responded with a statement that the "Moto Z and Moto Z Force will be supported with patches from Android Security Bulletins" which left the matter as clear as mud.
It certainly didn't clarify if the rather important matter of adopting the monthly Android OTA security update cycle was being supported or not. Suspecting not, the journalists at Ars Technica kept pushing Motorola for an answer.
They eventually got one. This:
"We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it's difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade."
So there you have it, there won't be any monthly OTA security updates but instead the security patches will get bundled together, possibly, in the next Android point upgrade. Or maybe when Motorola decides to issue a maintenance release.
Which leaves SCMagazineUK.com wondering why, if Google Nexus can do it, Samsung can do it, HTC can do it and even the likes of Xiaomi can do it, it's just so 'difficult' for Motorola when their devices are running the nearest thing to stock Android there is in the market?
So we asked the industry whether it thought "it's difficult" is ever an acceptable stance on why your products are less secure than they could, and indeed should, be?
"It's difficult is only an acceptable stance if you want to achieve two things" insists LOGICnow Security Lead, Ian Trump "demonstrate your company does not value the protection of customer data and that it wants to give away market share to a mobile device maker that does."
Mark Loveless, senior security researcher at Duo Security, told us that he appreciates the honesty of Motorola specifically stating why they are not committing to monthly patches, adding that "this is not something that works long term in the mobile device marketplace; after end users are bitten a few times they will switch devices to ones that are considered more secure."
Meanwhile, IOActive CTO Cesar Cerrudo points out that yes it is difficult and a lot of testing is necessary. "That said", Cerrudo told SC "it's difficult, but not impossible." He thinks that, like many things, it ultimately comes down to a cost versus benefit equation for the manufacturer. "That's true for all vendors, not just Motorola" Cerrudo concludes.
Chester Wisniewski, senior security advisor at Sophos, thinks that the Motorola response is "simply unacceptable" and reminded us that Google, Samsung and others have made an effort to lead the way toward Android devices being more secure on a predictable calendar. "It would mean a lot if Motorola could join them in leading the way forward" Wisniewski states.
Mark James, security specialist at ESET, argues that while companies cannot control how much malware is lurking out there, they can control how secure their hardware is and how often it gets updated. "These days security is everyone's job" James told us "protecting your customers could be the deciding factor on how well your company prospers in the future."
We will finish up with the words of Appmobi CEO, Mark Stutzman, and words that Motorola might like to take on board: "It's difficult to do this on a monthly basis for all of our devices is a totally acceptable answer if they are not interested in selling their devices to huge chunks of the market..."