ACLU asks FTC to investigate AT&T and Verizon over Android security updates

“These companies—AT&T, Verizon, Sprint and T-Mobile—have sold millions of smartphones to consumers running versions of Google’s Android operating system,” said Chris Soghoian, principal technologist and senior policy analyst for the ACLU, in a blog post. “Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks.”

And so, the ACLU is asking the agency to investigate the major wireless carriers for behavior – or rather, a lack thereof – that it says is placing consumers at risk of privacy infringement at the hands of bad actors. As consumers increasingly store vast amounts of private, sensitive data on their smartphones, identity thieves, stalkers and foreign state actors increasingly pose a threat to consumers and their data, the organization said.

“Although our most high-profile advocacy and litigation in this area relates to the threat of warrantless searches of data stored on mobile devices, the US government is by no means the only threat to mobile privacy,” Soghoian said.

Google’s Android operating system is notorious for being a malware target, as hackers and malware authors see it as a fast-growing mass market ripe for exploitation. According to the latest malware report published by NQ Mobile, mobile malware increased by 163% in 2012 – 95% of it aimed at Android.

The ACLU maintains that “the majority of [Android] devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched,” adding, most notably, that updates simply aren’t available to fix the issues.

That’s a debatable claim – and Soghoian even acknowledges that Google’s engineers regularly fix software flaws in the Android OS. But the responsibility to stave off malware attacks, he argues, lies not with consumers and their diligence in updating their devices, but rather with mobile operators.

“These fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners,” he said. “This is in sharp contrast to the norm on the desktop, where Mac and PCs both receive regular security updates directly from Apple and Microsoft. Apple also provides regular security updates to mobile devices, such as the iPad and iPhone. And it is standard practice for the companies that make almost all widely used software – such as operating systems, web browsers and third party applications – to issue regular updates to their software, including security fixes.”

Of course, accusing the carriers of being responsible for this state of affairs is akin to accusing a cable broadband provider of being liable for not making sure that those Microsoft updates make it to PC users. Wireless operators provide the connectivity, but the devices themselves and the software that runs on them are not typically the domain of the carrier.

Soghoian is correct, however, that Google is not alone in being responsible for Android security. Unlike Apple iOS, the Android OS is a semi-open operating system, with roots in Linux. Each device manufacturer adds its own “special sauce” to the OS in order to customize it for their specific devices. Hence, a Samsung Galaxy flaw will likely not be present in, say, a Motorola Droid device – meaning that Google can only do so much to issue appropriate patches.

Nonetheless, Soghoian takes the carriers to task. “As we stated in our complaint, if the mobile carriers are not going to provide important security updates, the FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will,” he said.

The FTC has not yet responded to the filing.