Android's security patch quagmire probed by US watchdogs

Feds finally wake up to sorry state of firmware fixes


Mobile carriers and gadget makers will be investigated over how slowly they push important software security patches to people.

The probe will be carried out by US trade watchdog the FTC and America's internet mall cop the FCC.

The two agencies will work together to scrutinize manufacturers of phones, tablets and other gear, plus US phone carriers, to find out why so many folks are not able to obtain security updates in a timely fashion.

The probe will hopefully lead to some improvement in what has become a troubling bugbear for Android owners.

Google's Play services software on Android devices can install some security fixes quietly in the background, but it cannot squash critical bugs at the lowest levels of the operating system – such as in the kernel or in libraries used by core apps.

Comprehensive Android security updates must be approved and distributed by the manufacturers to their devices – and with carriers' approval, too, if it's for a phone. Google Nexus devices get their updates direct from the mothership.

By relying on gadget makers and carriers to approve and distribute critical low-level security fixes, users are often left waiting months for high-profile vulnerabilities to be patched on their devices – or receive no patches at all because manufacturers simply don't care.
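The lag described above can be measured rather than guessed at. Android builds expose their patch level in the `ro.build.version.security_patch` system property (readable with `adb shell getprop ro.build.version.security_patch`); the script below, an added example that is not part of the original article, compares each device's reported level against a reference date and flags the stragglers. The device names, dates and the 90-day threshold are constructed assumptions, not figures from the article.

```python
"""Flag Android devices whose security patch level lags a reference date.

Constructed example: the inventory below mimics the per-device output of
`adb shell getprop ro.build.version.security_patch` (the property is real;
the device labels and dates are made up for illustration).
"""
from datetime import date

# Constructed sample: (device label, value of ro.build.version.security_patch)
SAMPLE_INVENTORY = [
    ("nexus-lab-01", "2016-05-01"),         # updated straight from Google
    ("oem-phone-carrier-A", "2015-11-01"),  # waiting on OEM + carrier approval
    ("oem-tablet-wifi", "2016-03-01"),
    ("unknown-build", ""),                  # property empty on some older builds
]

# Constructed reference date for the lag calculation (assumption).
REFERENCE_DATE = date(2016, 5, 24)


def parse_patch_level(value):
    """Return the patch level as a date, or None if the value is absent/malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def patch_lag_days(patch_level, reference):
    """Days between the device's reported patch level and the reference date."""
    return (reference - patch_level).days


def stale_devices(inventory, reference, max_lag_days=90):
    """Return [(label, lag_days)] for devices lagging more than max_lag_days.

    Devices with no parseable patch level are reported with lag None so that
    a missing or malformed property is never silently treated as 'up to date'.
    """
    stale = []
    for label, raw in inventory:
        level = parse_patch_level(raw)
        if level is None:
            stale.append((label, None))
            continue
        lag = patch_lag_days(level, reference)
        if lag > max_lag_days:
            stale.append((label, lag))
    return stale


if __name__ == "__main__":
    for label, lag in stale_devices(SAMPLE_INVENTORY, REFERENCE_DATE):
        status = "no patch level reported" if lag is None else f"{lag} days behind"
        print(f"{label}: {status}")
```

In a real fleet check the inventory would be fed from an MDM export or an `adb` loop rather than the constructed list; the point is that a device whose property is missing is treated as a finding, not ignored.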

"As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use," the two agencies said in a statement.

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including Stagefright in the Android operating system, which may affect almost one billion Android devices globally."

The agencies are asking both the carriers and hardware vendors to provide them with details on how they handle security updates and issue fixes for tablet and handset firmware. The agencies did not say whether any enforcement action will be taken against the carriers or vendors.

The agencies referenced the Stagefright bug as one example of a vulnerability carriers have been slow to act on. That flaw has left hundreds of millions of Android devices vulnerable to remote code execution attacks. ®


Biting the hand that feeds IT © 1998–2017