Another huge stone has been cast in an effort to force wireless carriers and handset makers to provide regular security updates to Android mobile devices.
ACLU principal technologist and senior policy analyst Christopher Soghoian brought the issue to light earlier this year at the Kaspersky Lab Security Analyst Summit where he said millions of Android devices were multiple versions in arrears and vulnerable to not only attacks on their personal digital information, but potentially physical attack as well.
In the complaint written by Soghoian, the American Civil Liberties Union asks the FTC to investigate Verizon, AT&T, T-Mobile and Sprint Nextel, adding that the carriers’ reluctance to patch security vulnerabilities in Android phones is a deceptive and unfair business practice.
Further, the ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and provide that customers may exchange at no cost their phones for another that receives regular security updates, or return the phone for a full refund.
The FTC already came down hard on mobile hardware manufacturer HTC in late February, when a settlement was reached after a complaint was filed against HTC America charging it with putting the security and privacy of customers at risk by failing to provide regular security patches to Android devices. HTC, at significant cost, will have to not only develop and release patches, but also establish a program that injects security into its development processes, submit to security assessments for 20 years and provide adequate security training for its developers.
If the FTC decides to investigate, Soghoian stated they won’t know about it until the investigation is over and a settlement is reached.
Ars Technica did a detailed study on Android handset updates, and the numbers aren’t pretty for the four carriers in question here, as well as for a number of handset makers. Verizon, AT&T and T-Mobile sometimes took up to 13 months to provide updates, while many models from all four carriers never received a second update.
The ACLU complaint is 16 pages long and goes into detail on the influence carriers have over which features manufacturers include in smartphones, including carrier-specific apps and the removal of certain features, such as tethering capabilities, that would threaten the carriers’ revenue stream, the complaint said.
For context, the complaint cited numbers from ComScore Reports that 53 percent of smartphones used by consumers are Android devices, and that 70 percent of devices sold in the fourth quarter of 2012 were Android based. In addition, the complaint said that Google statistics show only two percent of Android devices are running the latest version of the OS, 4.2.x. Meanwhile, Android 2.3 (Gingerbread), released in 2011, is on 40 percent of Android devices, according to Google’s developer dashboard.
Android malware, meanwhile, is an extraordinary problem. Research done by Kaspersky Lab indicates that 99 percent of mobile malware targets Android because of its open source nature and the ease with which attackers can get malicious applications up on the Google Play store. The level of vetting, for example, does not yet match that of Apple’s App Store.
“Widely distributed Android malware has exploited known security vulnerabilities in the Android operating system for which fixes from Google existed, but which the vast majority of consumer devices had not received at the time of infection,” the complaint said. “The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch.”