FTC Investigating Android Patching Practices

It's a known truth that most Android vulnerabilities don't get patched. It's not Google's fault. It releases the patches, but the phone carriers don't push them down to their smartphone users.

Now the Federal Communications Commission and the Federal Trade Commission are investigating, sending letters to major carriers and device makers.

I think this is a good thing. This is a long-existing market failure, and a place where we need government regulation to make us all more secure.

Posted on May 11, 2016 at 2:37 PM • 64 Comments

Comments

K.S. • May 11, 2016 2:53 PM

It is Google's failure to not implement direct patching and a market failure to offer more alternatives to the insecure, unpatched Android OS.

JdL • May 11, 2016 3:06 PM

This is a long-existing market failure, and a place where we need government regulation to make us all more secure.

Heaven forbid we should let the market (people dumping an insecure product for a more secure one on their own initiative) take care of the problem! No, let's pass another LAW. We surely don't have enough of those yet.

Bruce's solution to every problem seems to be to take another bite out of freedom.

Anura • May 11, 2016 3:07 PM

@K.S.

If you get an Unlocked Nexus phone, everything is patched through Google about as quickly as you can expect. It's just that every manufacturer has their own customizations, and carriers have their own customizations on top of that, both of which control the patching.

Nick P • May 11, 2016 3:09 PM

@ jDL

You gotta be trolling cuz it's been in the market's hands the whole time and they're keeping it a problem intentionally for extra profit. Or just apathy given automated system to build and send updates probably wouldn't cost much. Tiny startups and volunteer efforts do it. Multi-billion dollar carriers could. They just refuse to.

Anura • May 11, 2016 3:11 PM

@JdL

Leaving it to the market is why we have the problem in the first place.

I also don't see how ensuring your phone has the latest security updates available is a reduction in your freedom. To me, I think not being able to get the latest security updates makes me less free.

Jesse Thompson • May 11, 2016 3:29 PM

@Anura

You misunderstand. JdL isn't concerned about your freedom, or the freedom of a hundred million smartphone users around the world. He's concerned primarily about the freedom of wealthy corporations to fleece the public. :P

When he says "people dumping product X for product Y", he means despite the fact that there isn't a product Y. Kind of like how most Americans are free to drop their Cable/DSL connections in favor of Doesn'tExistCo's fiber to the home service.

dbCooper • May 11, 2016 3:32 PM

From the article here: http://www.dslreports.com/shownews/FCC-FTC-Launch-Inquiry-Into-Sluggish-Mobile-Security-Updates-136925

"For its part, the wireless industry's biggest lobbying group, the CTIA, was quick to issue a statement implying that not much needs fixing.

“Customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers, OS providers and OEMs," the CTIA said. "As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats."

If you've ever waited for a carrier update when the stock version has been in the wild for what seems like forever, you probably find this statement to be a little disingenuous. One of the biggest problems is carriers have stuffed their devices with so much bloatware and snoopvertising, it can take carriers a significant amount of time to ensure stock updates don't impact these money-making services."

Carl • May 11, 2016 3:36 PM

@Jesse Thompson

When he says "people dumping product X for product Y", he means despite the fact that there isn't a product Y.

Apple and Nexus devices, most prominently, are "product Y".

KAL • May 11, 2016 3:45 PM

"I think this is a good thing. This is a long-existing market failure, and a place where we need government regulation to make us all more secure."

Why not let the "free market" fix that problem? If it hasn't yet, then we should ask why hasn't it?

These kinds of things don't get fixed by "laws". If a law is passed that says "critical vulnerabilities must be fixed within X days", you can bet your life that vulnerabilities won't exceed "severe" from that point on. There are many ways to circumvent laws, and that's assuming the laws are well intended and well written to begin with. The recent "mandatory backdoor" bills should tell you just how utterly incompetent (and insidious) these "laws" are when it comes to technology, and especially so for matters of privacy and security.

I agree there are many things the government SHOULD regulate, but software from a vendor to a user isn't one of them, and I cannot imagine our software getting more secure because of new laws. I would consider us lucky if the politicians who pass these laws have ANY clue what they're talking about, and I seriously doubt their intentions are to "make us all more secure". Where's the critical thinking?

Ergo Sum • May 11, 2016 3:56 PM

People had the choice in the platform and they've kept buying the same smartphones that don't receive updates. Just because people didn't care and the cell companies listened, let the government force the carriers to provide updates. Tell me again, how does this make sense?

Anura • May 11, 2016 4:06 PM

@Brent Longborough

That's a related, but separate issue. That device is end of life, despite being relatively new (i.e. within the last few years). In this case, manufacturers/carriers are often months behind on security updates for phones that are supposed to be supported.

I think the biggest problem here is that your software is tied to hardware, and manufacturers don't want to keep releasing updated ROMs. If it was more like a PC, you could always get the latest OS updates, even if drivers get out of date.

EvilKiru • May 11, 2016 4:07 PM

@Ergo Sum: The vast majority of the people don't know that they need to care.

Josh • May 11, 2016 4:28 PM

JdL and KAL seem to have missed that no one has mentioned the need for any new laws - this is about a regulatory body contacting companies to ensure existing rules are abided by, in an area where there has been a market failure. Clearly they need a sharp reminder to follow reasonable protocols when updating software.

Nick P • May 11, 2016 5:05 PM

@ KAL

The funny thing is that what you're saying is exactly what the automobile companies said when safer cars or regulations were discussed. They talked about demand, expenses, and stupid regulators while letting people die unnecessarily for higher profits. Illustrated nicely in this presentation on IT security market, analogies, and recommendations. Fast forward, we find that the regulations saved a lot of lives by producing safer cars. We've seen the same thing in aerospace and medical. The more sensible regulations in finance do in fact prevent or detect many crimes.

So, regulators might do stupid things and crooked companies might work around them. Yet, sensible regulations have been proven to improve the situation in much harsher environments. A regulation for this situation, providing an easy way to get patches in reasonable time, is actually so easy to do that it's available in all kinds of FOSS projects and startups. So, there's no excuse for this crap outside negligence by vendors. The regulation is also simple, with tons of expertise available for carrying it out properly.

Chris • May 11, 2016 5:18 PM

Can we please have this for other software running systems as well, e.g. DSL routers, internet-of-things things, cars?

Dean • May 11, 2016 5:44 PM

@Ted Lapis

I tried iOS devices a couple of years ago. I'll admit I use my phones for far more than many do. Let's see, no root access, no sdcard, no removable/replaceable battery, no mouse support, no third party keyboards, no built in (read:free/bypass carrier) wifi hotspot/tethering, limited usb device support, no file system access, no ability to change versions (i.e. closed source), forced upgrades, no way to install apps from other sources, limited ability to change look and feel..in short, it's a toy. And I'll add most of the latest of Google's Nexus devices into this list as they are trying to be just like Apple in some of these areas. I don't really mean to insult anyone but I see iOS devices more for followers, for those who like to be told what their device will and won't do and have change for the sake of change foisted on them, for those who just accept the dictates of a dictator-type ecosystem. No thanks.

But different strokes I guess...

r • May 11, 2016 7:01 PM

I'm not sure Google is entirely without blame here: they are the architects of this dilemma.

My gingerbread devices didn't have modular webview updates... My ICS++ ones do.

Site, the carriers and manufacturers have a good reason to delay or review certain patches, but certain areas of the OS/deployment, when designed properly, should be implementation exempt... Android makes heavy use of Java, and how much does ARM change from tick to tock?

Coyne Tibbets • May 11, 2016 7:58 PM

@K.S. It is Google failure to not implement direct patching and market failure to offer more alternatives to insecure unpatched Android OS.

It was a Google mistake, not a failure, to assume that the OEMs building on Android would do what is right instead of what is expedient. Google expected the OEMs to take security seriously, just like Google and Microsoft and Oracle and...every other software manufacturer on the planet.

Instead they got a mulish shrug and the customers got a sneer and a, "You want an updated OS? Buy a new device already; what are you doing carrying around a phone that's a whole 3 months old? Buy, buy, buy...! If that phone is hacked because you won't buy a new one, it's on you!"

As a case in point, my Sony Xperia Z hasn't been updated since January 2014, about three months after I bought it. It's running 4.3 Jelly Bean and has the Heartbleed exploit. Google deployed a fix for that exploit in April 2014, but neither Sony nor my carrier, T-Mobile, has passed the update on. Even though my phone was only 7 months old when the patch came out--they'd prefer I simply buy a new $400 phone.

I read somewhere that Google was going to start updating the OS directly but that will probably piss the OEMs off; first of all because they will no longer be allowed to leave little tailoring footprints all over every OS module, but mostly because it will extend the life of devices (slower sales). I don't know what version Google planned that for and can't find the article now; or maybe they gave up.

WhiskersInMenlo • May 12, 2016 12:03 AM

Long overdue. The more folk use phones for payment and multi token authentication the more important this is. This was key to Apple. Data at rest in their cloud have at it but corrupt the trust of the platform and the cash cows dry up.

Drone • May 12, 2016 1:24 AM

DO NOT GET BIG GOVERNMENT INVOLVED IN THIS! You're just asking for over-regulation, mis-regulation, and inevitable government abuse. The solution is YOU. You must support products that receive reasonable support, and shun those that don't. The power resides in your purse or wallet, not in Washington. If you are buying a carrier-locked device that doesn't get updates, then YOU are the problem. There are perfectly acceptable alternatives to carrier-locked devices available. Just spend a little while before buying - reading reviews and understanding the manufacturer's commitment to updates. It's called being an intelligent and informed consumer.

v • May 12, 2016 3:48 AM

T Lapis is correct - iOS is definitely the safer ecosystem.
But it's more expensive and there's no good reason why Android shouldn't be safer - it's simply a case of manufacturers/networks being required to push Google's updates to consumers.
I guess it will take a test case or two... end user sues manufacturer/network provider for losses - class action - probably vs Samsung; Google in the clear - we pushed solution to known security flaw; Samsung sat on it for 6-12 months; end-users not able to get update they know is available.
JChristensen - yep, how many old smart phones would be returned to life with a Puppy Linux for Mobile? Now that's an OS I'd drop iOS for in a flash...

Winter • May 12, 2016 4:33 AM

There are a lot of comments along the lines:
"DO NOT GET BIG GOVERNMENT INVOLVED IN THIS! You're just asking for over-regulation, mis-regulation, and inevitable government abuse. The solution is YOU."

This reminds me of the USA open market for cell-phone standards which set back the US mobile market some 10 years. On the other hand, the EU big-government simply forced all providers to select a single standard (GSM + SIM) and started a fiercely competitive global mobile handset market.

Big Government in the EU gave us an open market in mobile, while the hands off approach in the USA gave its consumers a bunch of oligopolies with high prices and low service.

I see the same in their call for no security in Android.

steven • May 12, 2016 5:01 AM

@Ted Lapis: "Best reason for staying in the IOS realm"

Even better to be in the free software realm, where you can replace the firmware yourself. You can get updated Galaxy S II firmware by Replicant, 5 years after the device's release. You can still find *various* free operating systems to use on the Nokia N900 after 7 years.

The heart of the issue is planned obsolescence: selling you a new device is more profitable than supporting the one you've already paid for.

"sending letters to major carriers and device makers"

A handful of company execs must be terrified... /sarcasm

steven • May 12, 2016 5:14 AM

"being an intelligent and informed consumer"

I guess there are not enough of those around. Maybe it means only a larger body, like a government regulator, has enough power to intervene, and it has the opportunity here to do some good, for a change.

Even where most people were well-informed (buying this product harms X), many still do act selfishly and do it anyway, if they perceive some advantage (e.g. convenience or lower cost). We sometimes do need some kind of regulation.

Martin Persson • May 12, 2016 5:33 AM

As for the Law vs. Market debate: make sure it is more expensive to not patch, perhaps through liability and extended consumer rights. Then the market solution might work. The benefits would apply to more areas than just handheld security. The carriers already lock the devices down "for your protection", so ask them to live up to that.

Pseudonymous Bosch • May 12, 2016 5:38 AM

Martin Persson wrote:

> [...] perhaps through liability and extended consumer rights.

So by law/regulation, in other words?

> Then the market solution might work.

Well, yes, with extra laws/regulation the market might work.

Fascist Nation • May 12, 2016 8:10 AM

As long as consumers really have no say in the operating systems that run their phones, they will remain at the mercy of whoever makes their phones. And that is just the way "they" want it.

Still awaiting my Linux phone. No, not Android, Linux. Where I choose. Where all the code is transparent.

Miguel Sanchez • May 12, 2016 9:35 AM

Winter wrote:

Big Government in the EU gave us an open market in mobile, while the hands off approach in the USA gave its consumers a bunch of oligopolies with high prices and low service.

Big Government vs Mobile Handset Zombie Bot Apocalypse

As Nick P pointed out, they have not been doing their needful in this. We have seen this much before in the industry. At a time, there was hardly any systematized update system for software, and almost all vendors treated security bug findings as criminal activity (I suppose because it made them actually fix their work).

Much of security now being done, in fact, was not being done before because of no regulation. While no one should build their internal program on regulation alone, regulation ensures budget.

Whether that regulation comes from the industry (PCI), from customer requirements, or from Government.

While anti-big government theology certainly has its merits (we could overhaul our justice system... just a little), there is no way to say that anti-regulation is often just a cover for allowing big business to make shortcuts that are bad for consumers.

Anti-regulation, regardless of whatever other influences, was certainly the major cause of the financial disasters of the late 2000s.

Companies should do this sort of thing on their own, but they simply will not. It is a horrible, short sighted program clearly designed to put short term profits over the safety of the internet.

It reminds me of another area of a lot of debate, regulation required on domestic and foreign surveillance. Where, really, what you are talking about is, in the US, UK, Australia, and some other countries (China, North Korea, Russia)... there is no regulation put on intelligence and law enforcement agencies of any meaning.

ianf • May 12, 2016 9:46 AM

@ Fascist Nation is awaiting his Linux phone. No, not Android, Linux. Where he chooses. Where all the code is transparent.

Hate to be saying it, but it won't happen. Not as an ordinary consumer-grade over-the-counter item available to anyone, anyway. The economies of scale (design, manufacturing, distribution and aftermarket upsales model) are stacked against it.

Plainly speaking, the highly-competitive cell phone market is not asking for it, so there are too few potential buyers to make it profitable. Thus, should it somehow "happen," it will be a very high profit margin/ luxury item for OEM enterprises needing a clean slate phone substrate onto which to install their own (custom/ secure, etc) OS and apps. Hence its ability to run Linux will be more of a sideline, for true hardcore aficionados only who can afford it.

Before there was Android, I recall seeing a prototype of something called Freefone (I think), running on GNU GPL & other FOSS licenses, which was beyond clunky even for those times' bulky handsets. It sank without a trace even though the competition then was nowhere as fierce as it is now. So… dream on, but remember that unless you assemble it all yourself, it will remain an impossible dream.

    PS. the above caveat does not apply to potential Linux-based cell-IO embedded systems where neither bulk, the handheld GUI/ UX, nor battery life would be critical.

JeffP • May 12, 2016 9:57 AM

"It's called being an intelligent and informed consumer."

Sometime in the 60s I noticed we stopped being called "customers" and started being called "consumers" and I recall it was tied to "mass production and mass consumption".

Now I hear us referred to as "revenue streams".

Anne • May 12, 2016 10:04 AM

This is good. I feel it's all too easy to forget that big corporations (like car manufacturers) wouldn't even put seat belts in cars if the Government didn't make them do it.

Jan Willem • May 12, 2016 10:44 AM

Even in a nearly monopolistic environment Microsoft has maintained Windows XP nearly ten years, and now Windows 7 will be maintained even until 2020 (although MS is pressing its customers to switch to Windows 10 now). It could have taken the decision to stop maintenance on XP as soon as it released Windows 7 to force users to switch to it or, even better, to make it impossible to switch and to force users more or less to buy new computers with the latest OS. MS didn't. It is maybe not the most responsible supplier, but it felt here the responsibility to update the systems when a new threat came up.

Android suppliers seem not to feel this responsibility. Samsung for example stops maintaining its Android implementation two years after initial delivery of a new model; even if that model is still for sale! In the Netherlands it is tried in court to force Samsung to maintain Android for a longer period, but in vain.
So only two options remain: naming and shaming or proper regulations that force suppliers of Android phones to maintain its systems w.r.t. security for a much longer period; say up to six or seven years until the majority of the systems of that generation are at the end of their technical life.

The current society is at the moment fully dependent on this technology, and this lack of responsibility of the suppliers makes our society vulnerable to a lot of threats, varying from surveillance by government or secret services to malware like ransomware. As phones and tablets are also used in company networks (BYOD), the systems of these companies are also vulnerable due to this behaviour of the phone providers.

So, not only simple citizens / customers will have the problems, but in the end (large) companies and governments itself will be attacked due to these vulnerabilities in more or less current phones.

My conclusion: actions must be taken now, by regulations or by other ways.

Nick P • May 12, 2016 11:39 AM

@ Winter

Very good example.

@ JeffP

Or referred to as "the product." At least it's slowly getting more honest. Some people will vote with their wallet in a better direction once their brain processes that. They'd rather be a customer instead of a product. ;)

@ Jan

" It could have taken the decision to stop maintenance on XP as soon as in released Windows 7 "

No, it couldn't. You're missing a key reason why Windows desktops shouldn't be compared here: financial incentive for backward compatibility & support. Microsoft (and Intel's) main profit comes from a lock-in model where they keep old stuff going for as long as possible while adding new stuff. Many of their customers were still on XP and paying for support. Since they were making money... specifically on support and bugfix contracts... they had an incentive to backport fixes to older releases. At some point, even they cut it off but long-term support is a core part of their business model.

The phone companies, on other hand, make money providing the service and/or regular cycles of phone sales. So, their incentives, if any, are to support maybe 2-5 years worth of phones with forced upgrades otherwise. Maybe two years for smartphones given that's the upgrade cycle.

"Samsung for example stops maintaining its Android implementation two years after initial delivery of a new model; even if that model is still for sale! "

Oh shit, I guessed that one with prophetic accuracy! :)

"So only two options remain: naming and shaming or proper regulations that force suppliers of Android phones to maintain its systems w.r.t. security for a much longer period"

People don't keep phones for 6-7 years usually. So, I'd say 5 is reasonable. That means I agree with your second option for regs forcing updates. Regarding the first, it can actually go two ways: shaming the bad parties; independent suppliers (or VAR's) differentiating on security/patching. Just that they'll try to fix something if it's a problem should win *some* market share. More private or secure by default definitely has potential given mobile privacy app and cryptophone markets. So, potential although I can't predict the details of what it takes and how it pans out.

Ken in NH • May 12, 2016 12:22 PM

This is a long-existing market failure, and a place where we need government regulation to make us all more secure.

BS. The rise of unlocked phones that work on U.S. carrier networks is already solving the problem. Government is great at making things worse and stifling innovation.

Patrick Jarrold • May 12, 2016 1:50 PM

It's easy to complain about market failure to satisfy all your needs and to advocate for initiating force against big business, forgetting that a government free to initiate force against some has always proven more than willing to initiate force against anyone.

Liability and laws are fine and necessary so long as they are retaliating against those who violate rights. But let's make a distinction between that and preemptive regulation that assumes guilt and penalizes intent, good or bad. Failure to provide what you need is not the same as failure to provide what they agreed to. And any reasonable definition of rights can't support the right to forced labor, though it can support the right to the fulfillment of mutually-voluntary agreements. To what, exactly, have the smartphone vendors agreed?

Notmyopinion • May 12, 2016 2:01 PM

If you really believe a market solution will be better, how about a simple method to allow customers to claim consequential damages from the carriers, if they are affected by an unpatched vulnerability? Removes that externality the carriers like to exploit...

Barry Horne • May 12, 2016 2:06 PM

I have owned HTC and Samsung branded Android phones and grew frustrated at their customisations and lack of updates. Since I adopted the Google Nexus model, smart phone and tablet, I have never looked back. So what if my device isn't as sexy looking as a Samsung, at least it sports the latest Android version, fully patched!

Ken in NH • May 12, 2016 3:22 PM

@Notmyopinion

Hmm, a simple method, like filing a lawsuit? If only we had such a system.

Clive Robinson • May 12, 2016 5:35 PM

@ Ken in NH,

BS. The rise of unlocked phones that work on U.S. carrier networks is already solving the problem. Government is great at making things worse and stifling innovation.

It's amazing how many people call "BS" and then go on to talk in a way that makes it at best ironic.

Whilst I can not comment on the USG legislation in depth, I can talk about other Governments, standards organisations and the EU and some international standards bodies.

In the European Union the standards process is an open framework approach and generally only prescriptive in measurand limits when it gets down to the lower layer of standards. Thus allowing relatively easy upgrading and additions and improving methods, which allows prompt innovation (some USG regulation is extraordinarily prescriptive not just in measurands but in methods as well, which means it quickly ages and becomes a hindrance to innovation).

This open framework approach was based on that of one or two EU Countries' standards processes. Perhaps the most well known of which are the Quality standards that originated with the British Standards Institute (BSI), which were then adopted by the EU as European standards and in turn were adopted by the International Standards Organisation (ISO) as international standards. There are similar standards for Information Systems Security and various others for electrical safety (LVD etc) and Radio, Telephone and Telecommunications Equipment (RT&TE). These have allowed harmonised standards across not just Europe but many other parts of the world --China and India have adopted some as have other nations-- and are considered an essential part of forming a common market, that is vital for free trade and economic development.

As a general rule most EU standards are not patent or Royalty encumbered, a few are, but in a way that generally prevents them being used as weapons against free trade, which was not the case for many years in the US (hence the US cellular failure, and MPEG arguments etc).

Most of the world has a grudging respect for EU standards because they can be seen to raise not just interoperability, but safety and quality, which result in better products and innovation. Oddly, against the protestations of "free marketers", the mandated minimum standards result in a better market and generally increased profitability for both new and existing entrants.

In the US however there are a number of "free markets" and many of them are regarded as bad news because they encourage a "race for the bottom" where product quality is low, lacks innovation and the respect of the buyers within what is frequently a "closed / tied market" monopoly or cartel market place is likewise very low.

Often US products in those "free markets" are considered by many others to be either unsafe or actually harmful to people (look up "Southampton six" food colourants in ingestible products aimed at children).

Rather than clean up their act and come in line with other world markets that are partially or fully regulated in ways that work effectively, US Corporates are flouting regulations and getting regularly penalised for doing so. Worse, under Pres Obama US corps are writing trade deals legislation in secret that they are trying to force down other nations' throats. TTIP is a case in point, and as parts get leaked, citizens have become horrified at what the US Corps want. Needless to say there has been considerable kick back, especially over the dispute resolution system, that France has indicated it will not be able to sign it and Germany is starting to make similar noises, thus TTIP may well be rejected by Europe, whose citizens do not want potentially dangerous US goods forced down their throats by secret US/UK led tribunals that take precedence over national legislation brought in to not just protect the citizens but also maintain a better quality market place, which the US Corps traditionally do not do well in.

Others have pointed out car safety and the GSM phone system that benefit from EU regulation; it's fairly easy to find others, but it's as easy to find US "free market" failures.

So arguing against regulation in general is a lost cause. However arguing against the way the USG chooses to regulate is a different matter. Because the implication is that the USG goes about regulation the wrong way, and from the little I've actually read of US legislation (FCC rules and Environmental Protection regs) the implication appears to be valid. Thus the sensible thing would be to fix the USG regulatory process, but that would for some reason not be popular with a large percentage of the US public. Why this might be so is a conversation for another day.

Oh, one astoundingly unbelievable bit of recent USG regulation is that on e-cigarettes. Whilst I would be the first to put my hand up to say the market does require some regulation, the regulatory changes the USG has made will stop the US market effectively dead in its tracks, and make it a closed market for one or two major players, who just happen to be large tobacco corps... Thus I don't expect to see any US based innovation in that market in the future, which means the potential "smoking-cessation" health benefits will largely go unrealised, at excessive cost to US Health Insurance customers...

Coyne Tibbets • May 12, 2016 5:40 PM

@Drone - "It's called being an intelligent and informed consumer."

The usual statement is, "Let the buyer beware." Of course you didn't want to use that because it leaves such a bad taste in consumer mouths; what with it being an assurance that the seller will f**k the sucker in every way possible.

Arclight • May 12, 2016 7:12 PM

My Note II received exactly two Android updates from Verizon. The second included a special bootloader update that locked me out from customer-installed updates. They stopped supporting the phone shortly after. No easy workaround exists.

This particular brand of lock-in is the kind of thing I would like to see addressed punitively.

Zack • May 12, 2016 11:39 PM

WOW!!

I literally contacted the FTC three weeks ago to request that they take a look at Android vulnerabilities due to the inability to update or patch phones.
They asked me if I wanted to make a formal complaint, but I didn't bother.

I guess the squeaky wheel gets the oil after all...

Wael • May 13, 2016 12:00 AM

If you worked in the industry you'd understand the challenges. First, there is type approval, then there are maintenance and release schedules (MR1, MR2,...) Also, it depends what "Android" means. A typical Android smart phone has the HLOS (High Level Operating System -- basically the user-mode component), the Linux kernel, which can either come from the OS provider or the chip-set provider, or both. Then there is the modem stack. Some changes will require the Carrier to test the changes, testing is a lengthy process. Some patches in the HLOS layer can be done OTA. This also doesn't cover system partitions that run on TrustZone (which has some sub partitions. Some can be updated over the air, some can be done with a USB connection, and some need to be taken to a service center.)

On top of that, resources will be allocated to new projects, new devices, etc... It's not a simple matter of negligence -- there is a cost and time associated with the process. This is but a "glimpse" to some of the challenges. Also, typically, a carrier assumes the useful lifetime of a device is about two years. It's expected that most people will upgrade the hardware once every two years.

WooMay 13, 2016 3:15 AM

I think there really is need for some regulation, be it governmental or by FCC et al.
There should be a heavily fined obligation to provide updates to electronic devices for a certain timeframe (I'd suggest two years after initial sale). If the manufacturers don't provide that, they lose sales approval for upcoming products. Since new devices need to be approved by FCC before being allowed to be sold anyways, adding the "manufacturer cares for security" factor into this approval process should be possible.
Perhaps it will get Samsung going if they have to fear losing access to the US market... (and yes, I consider them to be the worst offender in that area).

Marcos MaloMay 13, 2016 4:22 AM

Following business regulations infringes on my religious beliefs.

Yes, friends and neighbors. I bring you GOOD NEWS! News of salvation via the CHURCH OF THE FREE MARKET. We're actually more of a cargo cult at this point, and none of our charter members actually wants a free market. We just like the way it sounds. Sort of like Manifest Destiny! But never mind all that. All you need to remember is that the FREE MARKET will solve all your problems (eventually), just as surely as all pious Christians go to heaven.

James SutherlandMay 14, 2016 6:43 AM

Google really screwed up by introducing not one but two extra chokepoints for any update: first the handset manufacturer needs to build an updated Android release for their hardware, then the various carriers need to receive, approve and distribute it.

I don't need Dell or HP's permission or involvement to update Windows on my laptop, nor do I need my ISP's approval. Dell and HP can add their own drivers (and all the usual shovelware) - but they don't get to block Windows Update or version upgrades: why should they?

I'm all in favour of customer choice, but Google screwed up here. Perhaps they're willing to admit that and fix it - change the Android release process so Samsung and co contribute drivers to the public source tree, and get to build and distribute releases from that - but anything they add has to come in the form of applications, not direct modifications to the platform. That way, Google will be able to distribute updates, bypassing both bottlenecks entirely.

There's a legal requirement for a reasonable warranty/durability in the EU - shouldn't that include update availability, at least for security issues and bugfixes? Perhaps when Samsung are told they're obliged to issue Android updates timeously or stop selling them, they'll stop being obstructive and letting telco inertia deny their customers updates.

Apart from anything else, security updates are a public safety issue: every unpatched host online is one more node in a botnet, one more opening for spammers ... you don't get to take a car with faulty brakes on the road, why can an unpatched three year old OS be taken online and put us all at risk?

JeroenMay 14, 2016 11:07 AM

Re: ianf, Linux-based phones

There was a Linux-based, open source phone called Neo FreeRunner. http://wiki.openmoko.org/wiki/Neo_FreeRunner

There was also the Nokia N900, N9, Jolla, and the NeoN900. Wikipedia and such got all the info.

Warning! You may wanna look into how much of the hardware was/is open source, and how much firmware was/is open source.

There's more recently the Ubuntu phone which is from a certain vendor and has support for convergence (yeah, before Microsoft announced some of the Lumia series would even get that even though Microsoft shipped their devices supporting convergence before Ubuntu phone shipped).

There's also the Fairphone which runs Android and has plans to run Sailfish. The Fairphone is also a modular phone, which isn't made from child labor.

https://www.fairphone.com

I'm going for the Fairphone since it is modular, pretty powerful, and I like the fair value of the hardware. Mine hasn't shipped yet, so can't recommend yet!

rMay 14, 2016 2:11 PM

@woo,

Going as far as to say that Samsung is the worst offender may be a little unfair. Certainly by market share they're pretty bad, but there are a lot of other manufacturers and service providers who have provided absolutely zero updates for devices in the past. Samsung might be the leader of the pack in quantity of devices to market advertiser the board, but a lot of their devices receive at least a few updates before being EOL'd... ZTE, Huawei, Blu and other low-end manufacturers often make what are effectively burner devices respectively.

rMay 14, 2016 2:27 PM

@wael,

Certainly the 'useful life' of phones from 2010 was maybe two years, but as the underlying hardware and technology has advanced and caught up (maybe even giving Intel/MS a run for the money) with the preexisting personal computing market, the lifetime of devices has extended as the plateau of Moore's Law has been reached. I find quite a few 2012/2013 devices to be more than satisfactory both pre- and post-modification; aside from wireless protocols and RF capabilities there's really no difference between high end back then and mid to low end now.

I think the trend will continue and I don't expect the carriers or anyone else to exactly be thrilled at the idea of longer windows of usability.

WaelMay 15, 2016 4:48 PM

@r,

I think the trend will continue and I don't expect the carriers or anyone else to exactly be thrilled at the idea of longer windows of usability.

Many carriers make customers sign up for two year contracts. Then they offer new hardware to customers at significant discount (sometimes free upgrade) if they renew the contract for an additional two years.

rMay 15, 2016 5:30 PM

@wael,

I don't enjoy paying 800% the value of a phone purchased off-contract and $100+ a month for a decent unlimited plan. Thank the Lord for the MVNOs here in the States.

I also tend to buy devices I can drop in your bushes or tape to the bottom of your car. I'm pleased to see Samsung has moved towards that trend with the s7.

AmyMay 16, 2016 4:01 PM

I would object to forcing carriers to push updates on phones for 3 reasons: 1) carriers NEVER install just the security updates (or updated Android OS). They mess with your privacy settings (defaulting them back to completely non-private options), they screw up your apps - no longer using built-in email due to it deleting an entire month's worth of email as it was downloading it (deleted from device and server), and they change the user interface to make it unusable.

I have my phone locked down from a privacy and security perspective and it wastes a lot of time for me to not only go set all those settings again, but to FIND them. The carriers even removed one privacy setting I previously relied on. If carriers had an option to install security updates ONLY - I would take it, but they don't.

Dirk PraetMay 16, 2016 6:27 PM

@ Amy

I would object to forcing carriers to push updates on phones for 3 reasons: ...

I know of no single OS or firmware where new versions, upgrades, PTFs, security patches and the like do not regularly introduce new features and settings, change existing ones, modify the UI and every once in a while even scr*w up stuff. Upgrading and patching is probably one of the most important parts of securely operating any device/service and comes with the territory just like parenthood comes with diapers.

Admittedly, some vendors do a better job than others, which is why you always make backups before upgrading/patching and preferably run them on test devices/environments (or someone else's) first. Whereas compatibility issues may be a valid reason to postpone or even forego upgrading/patching at times, convenience or laziness never is.

mbMay 16, 2016 6:36 PM

It's a waste of time. Android is just one aspect of the problem and it's not even the big one. We have the very same problem with routers and seeing how a lot of those hipster home automation guys are handling it I expect a very bright future for exploits from that general direction. With the number of networked devices multiplying massively in the coming years when IOT picks up speed I think it's a pretty good idea to mitigate this problem before it becomes a mess.

We need mandatory lifecycles in which security patches have to be provided for every networked product and customers need to be informed about those lifecycles when they buy the product. There's really no way the market is going to fix it. Manufacturers have little incentive to fix anything in low-cost products and their customers can't easily identify broken products. It's a win-win situation for these jerks. They save money by not maintaining their products which allows them to undercut the competition that does. At the same time there's not much of a clue that tells potential customers to stay the fuck away from that crap.

I don't think we really need a law that regulates the time. Different devices have vastly different average lifecycles. But manufacturers need to specify a time and that has to be communicated prominently. What we need on top of that is just a campaign that explains to customers what these lifecycles mean. That they are not the same as warranties. A 2 year lifecycle pretty much means that you can safely use whatever it is for 2 years. After that, chances are that you won't have more than 6 months before the product effectively is unusable.

That would have the desirable side effect that manufacturers that offer more expensive products but also offer longer lifecycles effectively provide a more attractive product.

I switch out phones rather frequently. So anything past 2 years would not be much of a selling point for me. But why would I want to switch a router? And I absolutely don't want to switch my smart-locks just because those crack smoking hipsters won't fix the latest and greatest OpenSSL bug of the day.

A regulation that requires clear declaration isn't tampering with the market in any way. And if a manufacturer sees that otherwise it's a pretty clear sign that those guys should be avoided.

rMay 17, 2016 1:37 PM

@mb,

No ill will to Google here, but an antitrust case about binding a specific OS to these systems may stir the pot on this issue. Have we reached that point in the architectural maturity though? Considering closed source binary blobs I would think not... We have Linux, Linux and more Linux as choices.

FeebMay 21, 2016 8:46 PM

Glad I went with an unlocked Nexus 6 phone.

Android version: 6.0.1
Android security patch level: May 1, 2016

Unlocked Nexus 6 is usable on GSM and CDMA networks. So it works on Verizon, AT&T, T-Mobile, Sprint, and any MVNO subsidiary networks of the four.

Then again, that's the reason I bought the Nexus 6. Works on any network, runs the latest Android operating system and receives regular security updates directly from Google every month.

Unfortunately, most people don't know about all this technical mumbo jumbo and how network carriers and phone manufacturers are jeopardizing their safety and security.

PrashantAugust 29, 2016 9:31 AM

Google needs to be the one patching with a centralized mechanism like Windows Update. This is why Windows sends out the updates and not HP or Gateway or Lenovo individually.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.