The Federal Communications Commission (FCC) and the Federal Trade Commission (FCC) have partnered to investigate concerns about how devices are patched. Both the FCC and FTC have issued orders to eight mobile device manufacturers, with Samsung, BlackBerry, LG, HTC, Microsoft and Motorola joining Apple and Google on the list. In particular, the FCC and FTC want to know the details about each company's policies and processes for identifying and addressing security threats for devices that they have sold on the US market since 2013. The aim of the exercise is purportedly to improve the protections of consumers from malware and other hacking methods that pose an ongoing threat to consumers, many of whom use devices no longer supported by makers.
The statement issued by the FTC
states that it has directed the company's to explain: the factors that the company's consider in deciding whether to patch a vulnerability on a particular mobile device; detailed data on the specific mobile devices they have offered for sale to consumers since August 20131; the vulnerabilities that have affected those devices; and whether and when the companies have patched such vulnerabilities. The FCC statement
also makes special reference to the known Android vulnerability 'Stagefright,' which it says may affect upwards of 1 billion devices globally.
Of all the manufacturers, Apple probably has the least to be concerned about, and will probably see this as an opportunity to underscore its ongoing security efforts. Its iOS mobile operating system is generally considered the most secure of the mobile platforms, as it is able to get its patches directly to end users without a lengthy evaluation process by the carriers. Apple also supports its devices typically for two or more years, thereby ensuring that most older devices still get patched.
Google, on the other hand, has had long standing issues with its patching efforts. Although Google releases security updates for its Android operating system, these have historically taken a considerable amount of times to reach consumer devices, if at all. Part of the reason for this is that Android manufacturers rarely run stock versions of the Android operating system, which requires them to test patches with their particular build of Android before it is released.
Compounding Android security patch woes, is that Android makers are beholden to carriers, who prefer to test each version of the Android operating system that manufacturer sell on their particular networks. Making matters worse for consumers who use Android devices, most Android makers have numerous models in their line-up. The most likely of these to receive patches are the higher end models. With most consumers of Android devices running older versions of the operating system on cheaper devices, many, if not most, of these lower end devices rarely receive updates beyond the original version installed on their devices.