Android Smartphone Sellers Should Patch, Refund Or Perish

Should wireless carriers be held responsible for keeping the devices they sell up to date and patched against known vulnerabilities that are being actively exploited by attackers?

If that question pertained to Microsoft and its Windows operating system, the answer would be an easy yes. But some wireless carriers that profit from devices that run the Android mobile operating system appear to believe differently.

The American Civil Liberties Union Tuesday accused the nation's four biggest wireless carriers -- AT&T, Sprint Nextel, T-Mobile USA and Verizon Wireless -- of too often failing to distribute Android security updates to their customers in a timely manner, thus putting them at risk. Accordingly, the ACLU called on the Federal Trade Commission to investigate carriers' "deceptive business practices" and force refunds or free smartphone replacements for consumers.

With those allegations and requests on the table, here's how wireless trade group CTIA, which counts the four carriers as members, responded: "Based on recent reports, U.S. wireless networks are among the most secure in the world because the carriers and the overall mobile industry are vigilant in preventing and protecting against malicious attacks."

The emailed statement came on Wednesday from John Marinho, CTIA's vice president of cybersecurity and technology. He continued, "CTIA and its members are constantly investing in their networks to guard against cyberattacks. We will continue to work with all interested parties so that U.S. wireless users are able to have the best experience possible."

[ Think the House Committee learned from its earlier missteps with CISPA? Think again. CISPA 2.0: House Intelligence Committee Fumbles Privacy Again. ]

Just to be clear, the problem identified by the ACLU isn't the security of carriers' wireless networks, as CTIA seems to want to address. Instead, the problem is carriers sticking it to Android customers with two-year contracts, and then failing to patch their smartphones in a timely manner. Furthermore, regardless of whether subscribers are connecting to carriers' wireless networks or not -- perhaps they're using a Wi-Fi hotspot -- no network magically cyber-scrubs away all the Internet-borne malware, including malicious applications that target Android devices.

Does CTIA -- or its members -- think that by ignoring this problem, it might somehow disappear? Because unpatched Android devices pose an increasing information security risk, and carriers are responsible for selling and supporting millions of Android devices. Research released by Duo Security in September 2012, for example, found that of 20,000 Android devices scanned, more than 50% needed patching. Furthermore, the volume of malware targeting Android devices continues to rise.

Google isn't at fault here. "Although Google's engineers regularly fix software flaws in the Android operating system, these fixes aren't packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners," said ACLU senior policy analyst Christopher Soghoian, who co-authored the group's complaint, in a blog post. "For consumers running these devices, there is no legitimate software upgrade path. The problem isn't that consumers aren't installing updates, but rather, that updates simply aren't available."

Accordingly, the ACLU recommended the FTC put this simple fix in place: any consumer who has purchased an Android smartphone from a carrier in the last two years and who has not received timely updates from the carrier may return the device for a full refund. Alternately, they would be allowed to exchange it -- at no cost -- for another phone that will receive prompt, regular updates directly from Apple, Google, Microsoft or another mobile operating system vendor.

Might smartphone manufacturers, rather than carriers, be to blame for the update holdup? Perhaps, but carriers are selling the devices to consumers and servicing them, so they should be on the hook, and if necessary, sort out their supplier relationships.

For comparison's sake, imagine if Microsoft didn't distribute Windows operating system security updates directly to end users but to OEMs such as HP, Lenovo or Dell, who along with their distributors -- think Amazon.com or Best Buy -- collectively took months to push the updates to their customers who used the devices both at home and work. Cue outrage. Now imagine if those OEMs and resellers considered the Windows laptops and desktops to be "end of lifed" after a year and stopped supporting them altogether? Cue more outrage.

Despite the ACLU's allegations, some carriers do patch faster than others -- but which ones? To answer that question, on Wednesday I emailed the four carriers named in the ACLU's complaint, asking them to respond to the ACLU's allegations and to share a list of their current Android devices, together with a timeline of all security and operating system updates they've released for those devices.

Interestingly, the carrier that sells the most Android devices in the United States, AT&T -- formerly known as Cingular -- failed to respond at all. Sprint, however, said that it "follows industry-standard best practices designed to protect its customers," while T-Mobile said that it "regularly provides security updates to our customers, including those using the Android operating system."

Verizon, meanwhile, pointed to information on its website to help answer the "how fast do you patch?" question. "You can find a list of Android devices available from us on www.verizonwireless.com and update information is included with individual phones," Verizon spokeswoman Debra Lewis said via email. "We also update our News Center stories on individual devices when we update phones."

For example, Verizon's news center announced this week that the carrier will begin over-the-air (OTA) updates for Droid Bionic smartphones to Android 4.1 Jelly Bean. The phone was originally released in September 2011 with Android 2.3.4 Gingerbread, and received OTA updates in December 2011 and April 2012. In other words, the device appears to have been last updated by Verizon about a year ago.

The new update has been brought to Verizon's customers in part via Google, given that it purchased Motorola in May 2012. Google then announced in October 2012 that owners of some older devices would receive a $100 credit if they've purchased one of 11 Motorola devices that can't be upgraded -- for technical reasons -- to at least Android 4.1.

In other words, Google has promised to not leave its legacy Motorola customers out in the cold. Will carriers that fail to patch Android devices in a timely manner need their feet held to the fire before they do the same?

Attend Interop Las Vegas May 6-10 and learn the emerging trends in information risk management and security. Use Priority Code MPIWK by March 22 to save an additional $200 off the early bird discount on All Access and Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 300+ exhibiting companies, and the latest technology. Register today!