Shaming is a step forward, but more work is needed for faster smartphone patching

Shaming works to a point, but more work is needed in order to improve Android security

More work is needed to ensure Android security
Credit: frankieleon

Shaming carriers and smartphone manufacturers into applying patches faster is a step forward, but a lot more needs to be done to improve security of the Android platform, security experts say.

Last month, Bloomberg, citing unnamed sources, reported that Google is considering releasing a list of vendors ranked by how up-to-date their headsets are.

This has long been a problem for Android. Unlike Apple, which can unilaterally push out updates to its customers as they come out, the situation with Android is a lot more complicated.

When a patch comes out, only Nexus phones get them automatically, said Kyle Lady, research and development engineer at Duo Security.

"If it isn't a Nexus phone, the manufacturer has to apply the patch to the software, then send it to the carrier, who has to approve it, and send it to customers running that phone," he said. "So there's a substantial delay."

For example, 60 percent of Android phones still don't have a patch for the QSEE exploit, even though the patch came out in January.

"There are way too many devices in the wild left completely unprotected from well-known, high severity exploits," said John Michelsen, chief product officer at Zimperium. "Manufacturers have a responsibility to provide important updates to the Android platform as soon as possible."

It's not just patches that aren't being distributed to the phones in a timely manner.

The Android 6 "Marshmallow" operating system, released last October, is currently only on 7.5 percent of Android devices.

"The older version of Android may have vulnerabilities that are not being patched by the OEM," said Kia Behnia, CEO at mobile security firm PowWow Mobile. "Google and OEMs must have a better model for updating those older devices for both security and usability reasons."

And some Android phones never get any patches or updates at all.

"According to Google’s own report, a large portion of Android users -- over 30 percent -- never receive security updates," said Michael Shaulov, head of mobility product management at Check Point Software Technologies. "This leaves users defenseless against malware."

Putting pressure on manufacturers is a good step, he added.

"I’m not sure there’s much Google can do," he said.

For example, many manufacturers have customized the interfaces to better appeal to their users, he said, since many customers prefer customization to security. And carriers also add bloatware. All this customization slows down the patch process considerably.

Arian Evans, vice president of product strategy at security firm RiskIQ, agreed that Google's new tactic could be a move in the right direction.

"Hackers are increasingly using mobile as a new attack vector, using trusted brands with a high-profile public presence or associated with valuable data as lures to deceive end-users and steal sensitive information and taking advantage of relatively immature security practices in the mobile channel to conceal fraudulent activities," he said.

One problem is that patches and updates cost money while producing additional revenues, since the customers have already bought their phones.

"The phone manufacturers have enjoyed a lower development and maintenance cost for their non-undateable or high latency updatable devices," said Chris Wysopal, CTO and cofounder at security vendor Veracode.

Google should continue to put pressure on them, he added.

"Perhaps they could force a logo program where you need to have some minimum update latency to achieve the Android logo or perhaps a new 'Android Safe' logo," he said.

For carriers, releasing patches without fully testing them could disrupt their networks, which is a significant risk to them, said Stephen Newman, CTO at security vendor Damballa.

"Imagine if a carrier allows security patches to go untested and one of them brings down a major carriers network or multiple carrier networks," he said. "Colossal damage."

If Google presses harder for faster updates, it needs to make testing easier for the carriers, he added.

"Ultimately the carriers may elect to limit even further the number of devices they will sell, thus limiting the number of options for consumers but also limiting the amount of devices they have to test," he said.

Limited choices could mean that carriers lose customers, said Tim Strazzere, director of mobile research at security firm SentinelOne. In addition, carriers and manufacturers may become reluctant to use the Android operating system.

"If they push for updates while providing better tools and helping the OEMs and carriers, they definitely stand a fighting chance to improve the ecosystem, which in turn makes everyone have more up to date and hopefully safer devices," he said.

Meanwhile, if the industry is unable to make progress on the issue, the government may step in.

Last month, the FCC and the FTC announced that they are asking mobile carriers and device manufacturers about how they release security updates.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," said the announcement.

"Shaming manufacturers and carriers may not be a silver bullet, but combined with pressure from the FCC, we may see security update timeframes start to improve," said Chris Eng, vice president of research at security firm Veracode.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.