
Summary:

Carriers and handset makers have long made Android updates a patchwork process, leading to long delays in getting new OS updates. The ACLU claims that practice poses big cybersecurity risks.

The mobile industry’s practice of slowly parceling out Android smartphone updates has earned the ire of the American Civil Liberties Union. On Tuesday, the ACLU filed a complaint asking the Federal Trade Commission to investigate the major U.S. carriers for not updating their customers’ phones whenever new security patches are available and for not warning consumers of the dangers that exposes them to.

In the ACLU’s blog, Principal Technologist and Senior Policy Analyst Chris Soghoian wrote:

“Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available. Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners.”

As the ACLU hints in that last sentence, carriers aren’t the only culprit here. Before they can send out an Android update, carriers have to wait until handset makers tweak Google’s code for their own purposes since no one – save Google – is running a generic version of Android on their devices. Recently, Android device makers have gotten faster at releasing updates for their phones, but it’s by no means instantaneous.

Still, carriers are definitely a large part of the bottleneck, often asking for Android features to be removed from a build for competitive reasons. A case in point is Verizon’s disabling of Google Wallet on its NFC-capable phones. The fragmentation and politics of the Android ecosystem have led my colleague Kevin Tofel to call for Google to take back control of Android’s distribution from carriers and device makers.

Getting timely updates for services and features is one thing, but the ACLU is saying that critical security fixes are getting lost in the shuffle. Carrier industry group CTIA didn’t comment directly on the ACLU’s accusations, but it did imply that the threat of security vulnerabilities in the U.S. was overblown. In a statement, CTIA VP of Cybersecurity and Technology John Marinho said:

“Based on recent reports, U.S. wireless networks are among the most secure in the world because the carriers and the overall mobile industry are vigilant in preventing and protecting against malicious attacks. In addition, most U.S. wireless users shop at trusted application stores, which is why we have an app infection rate of less than 2 percent. Meanwhile, many other countries have app infection rates that are more than 10 times greater, and in the case of Russia, the app infection rate is reported at more than 90 percent.”


  1. Apple has a more effective update system. Most Android phones lag considerably in receiving security updates. These delays wouldn’t be tolerated in the PC world for Windows, Flash, Java, etc.

    1. That is true, and Apple excels at updates because they have only one phone to deploy the updates to. Though there are different models of the iPhone, Apple only sends out updates to the three or four most current, so at the very most they must tailor their operating system to four different hardware configurations. I would assume they also have an agreement with the carrier that forbids modifying iOS, but Android, being open source, likely has no such agreement. There are literally hundreds of models of Android phones, so there is not really a “one size fits all” solution. However, the pure version of Android is usually designed for phones with minimal specifications; the manufacturers add “bells and whistles” to phones that have the capability of supporting them, and the carriers bog them down with junk that they think will coerce people into spending more money. While it could be argued that some of the OS tweaks could benefit the customer, IMO having a uniform operating system between brands and carriers would be more beneficial.

      To address this issue, the carriers/manufacturers could simply offer the upgrade of stock Android from day one, but recommend that customers wait for the Android version “optimized” for their particular phone. Of course, they would never agree to it because it would cripple their ability to be greedy monopolists.
