Print
Category: News

Washington, DC - A new Federal Trade Commission report finds that the complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming. While noting that industry participants have taken steps to streamline the process, the report recommends that manufacturers consider taking additional steps to get more security updates to user devices faster. It also recommends that manufacturers consider telling users how long a device will receive security updates and when update support is ending.

The report is based primarily on information the FTC requested in May 2016 from eight mobile device manufacturers – Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc. – about how they issue security updates. It also builds on information that the Federal Communications Commission requested from wireless carriers about their security updates practices.

Security researchers and government agencies agree that it is important to install security updates that patch vulnerabilities in the device’s operating system. Many of these devices, however, remain without important security updates for long periods– either because no update is issued at all, because approving and deploying a patch is a lengthy process, or because users do not install available updates. The FTC report examines certain manufacturers’ security update practices and offers recommendations on how to improve the security update process.

“Consumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” said Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl. “Our report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure.”

A key finding of the report is that support periods, the time during which a device receives operating system updates, and update frequency vary widely, even among devices that cost the same, are made by the same company, or are serviced by the same carrier. A device may receive security updates for many years – or, in some instances, may not receive any updates at all.

Devices with robust support are available but can be hard to identify because manufacturers tend to make little information about support periods available before purchase.

The FTC report offers several recommendations on ways to improve the security update process:

The Commission vote approving the report was 2-0.