Security Experts:

Mobile Industry Slow to Push Android Updates to Users

The mobile industry needs to work together to push timely updates to Android users. The real question is motivation.

With more and more mobile malware being directed at Android-based phones, you’d think the carriers and manufacturers would respond quickly with security and software updates to the underlying operating systems. According to a new survey, that doesn't appear to be the case.

Android Security Updates

We've been down this road before with PCs. In the early 2000s, malware infecting desktops primarily took advantage of software flaws in Microsoft Windows and Office. In response, Microsoft did issue patches, but their random timing didn't always work: a patch issued late on Friday wasn't installed until sometime the next week. And awareness of the patches wasn't very high. Starting in 2004, Microsoft standardized the process with "Patch Tuesdays," the second Tuesday of every month, and I would venture to say that compliance is much higher today.

If the first step is creating a regular patch cycle, that's much harder to do with mobile, where there are several more variables. First, there's the underlying operating system (Android), then there are the unique chipsets and hardware of the handset, and finally there are the individual carrier's features and tweaks. The Android phones on the market may share the same name, but each is unique in significant ways that make mobile patch distribution much more challenging.

Back in May 2011, Google formed the Android Update Alliance to address some of these concerns. Google partnered with the major US carriers, of course: AT&T, T-Mobile, Vodafone, Sprint, and Verizon. On the hardware side, Google partnered with HTC, LG, Samsung, Sony Ericsson, and Motorola. What these companies agreed to do was update their phones for at least 18 months after the hardware release. That is roughly the average time a mobile phone customer keeps their phone before purchasing a new one. Before this, the manufacturers and carriers didn't patch the operating systems. If anything, the alliance should reduce the time it takes for any Android phone to get the latest version. Apparently, that has not happened.

Flash forward to September 2011. According to the site Androidandme.com, Google is producing updates, but it seems both the carriers and the handset manufacturers aren’t pushing these shiny new Android updates out to the end user. Android 2.3, for example, is only available on some, but not all, newer models of popular phones.

The manufacturer with the most Android 2.3 products on the market is HTC, followed by Samsung, then Sony Ericsson. If you add up the total number of phones offered, 32 of them offer Android 2.3, but 23 still run Android 2.2, and 6 still run Android 2.1. So the manufacturers are trying.

In terms of the carriers, here's where the ball gets dropped. The carriers with the most customers, Verizon and AT&T, aren't necessarily better at patching than the small guys. These two carriers still have a number of phones running Android 2.2. Smaller competitors like T-Mobile and Sprint are much better, with more of their phones running Android 2.3 than the big guys. But smaller carriers aren't necessarily the best: Boost, for example, still has phones running Android 1.5, and T-Mobile has one model that is still Android 1.6.

If anything, there doesn’t seem to be a coherent pattern among the updates. Newer phones, such as Verizon's 4G HTC Thunderbolt, are still running Android 2.2, while older phones, like the Verizon Motorola Droid X, are running Android 2.3. That doesn't make sense.

Perhaps these numbers will turn around, and the next survey from Androidandme.com will show some progress from both the manufacturers and the carriers. And perhaps customers themselves will begin asking about updates to these new smaller form-factor computers – a.k.a. their smart phones and tablets. After all, if they're already in the habit of updating their computers regularly, why not expect the same from their mobile devices? But wishful thinking isn't enough.

Even if Google pushed the updates out, the carriers could still block the installation on the handsets. All the mobile parties (Google, the manufacturers, and the carriers) need to work together to solve this problem. The real question is motivation.

Hopefully, we won't have to have a crippling Android virus first to learn the answer.


Robert Vamosi, CISSP, an award-winning journalist and analyst who has been covering digital security issues for more than a decade, is a senior analyst for Mocana, a device security startup. He is also the author of When Gadgets Betray Us and a contributing editor at PCWorld, a blogger at Forbes.com, and a former Senior Editor at CNET. He lives in Northern California.