Regulators in the United States have kicked off an investigation into the practices of mobile carriers and tech companies in rolling out security updates to their products, seeking to know why it is taking too long for those security patches to reach compromised mobile devices.
The way things are with software updates, the majority of Android devices in particular receive patches and enhancements after quite a longer period than, say, iPhones do. In the event of a security compromise, those devices will get security fixes longer than it should take. As a result, there is a growing concern among mobile users that their personal data stored in smartphones and tablets are increasingly becoming less safe, especially that they are in the hands of the tech firms in question such as Google and Apple, among others.
Specifically, the FCC asked several companies including the major carriers AT&T, Verizon, T-Mobile, and Sprint to brief the regulator on how they review and roll out security updates to mobile phones they are offering. Meanwhile, the FTC also invited tech giants Google, Apple, Microsoft, and Samsung, among other mobile titans, to provide information on how they are checking and issuing security updates to their respective products.
The regulators are giving these companies a month and a half to address their requests, especially those companies that sell smartphones and offer mobile contracts in the United States. After the response period, the FTC and FCC will evaluate how those tech giants responded and share insights between one another on the best practices to address the security concerns of mobile users.
The request, however, does not constitute a formal launch of an inquiry, nor does it mean a rule is coming soon for mobile companies and carriers. The goal of the request is to assess what mobile carriers are currently doing to issue patches for vulnerabilities in a quick manner and what challenges they encounter along the way.
Part of the inquiry process covers questions about when original equipment manufacturers get alerts related to a software vulnerability and when security updates are rolled out. The problem with Google’s Android, in particular, is that there are many versions of the mobile operating system, and each is modified according to the taste of mobile carriers. That makes it hard for Google to issue updates to security holes as quickly as possible. The updates need to go through the mobile carriers before they reach the intended users.
Addressing this concern is increasingly important at a time when the threat landscape is growing.