Mobile Industry Slow to Push Android Updates to Users

The mobile industry needs to work together on pushing timely updates to Android users. The real question is motivation.

With more and more mobile malware being directed at Android-based phones, you’d think the carriers and manufacturers would respond quickly to security and software updates to the underlying operating systems. According to a new survey, that doesn’t appear to be the case.


We’ve already been down this road before with PCs. In the early 2000s, malware infecting desktops primarily took advantage of software flaws in Microsoft Windows and Office. Microsoft did issue patches in response, but their irregular timing didn’t always work: a patch issued late on a Friday wasn’t installed until sometime the next week. And awareness of the patches wasn’t very high. Starting in 2004, Microsoft standardized the process with “Patch Tuesdays,” the second Tuesday of every month, and I would venture to say that compliance is much higher today.

If the first step is creating a regular patch cycle, that’s much harder to do with mobile, where there are several more variables. First, there’s the underlying operating system (Android), then there are the unique chipsets and hardware of the handset, and finally there are the individual carrier’s features and tweaks. The Android phones on the market may share the same name, but each is unique in significant ways that make mobile patch distribution much more challenging.

Back in May 2011, Google formed the Android Update Alliance to address some of these concerns. Google partnered with the major US carriers, of course: AT&T, T-Mobile, Vodafone, Sprint, and Verizon. On the hardware side, Google partnered with HTC, LG, Samsung, Sony Ericsson, and Motorola. What these companies agreed to do was update their phones for at least 18 months after the hardware release. That is roughly the average time a mobile phone customer keeps their phone before purchasing a new one. Before this, the manufacturers and carriers didn’t patch the operating systems. If anything, the alliance should reduce the time it takes for any Android phone to get the latest version. Apparently, that has not happened.

Flash forward to September 2011. According to the site Androidandme.com, Google is producing updates, but it seems both the carriers and the handset manufacturers aren’t pushing these shiny new Android updates out to the end user. Android 2.3, for example, is only available on some, but not all, newer models of popular phones.

The manufacturer with the most Android 2.3 products on the market is HTC, followed by Samsung, then Sony Ericsson. If you add up the total number of phones offered, 32 of them offer Android 2.3, but 23 still run Android 2.2, and 6 still run Android 2.1. So the manufacturers are trying.

In terms of the carriers, here’s where the ball gets dropped. The carriers with the most customers, Verizon and AT&T, aren’t necessarily better at patching than the small guys. These two carriers still have a number of phones running Android 2.2. Smaller competitors like T-Mobile and Sprint are much better, with more of their phones running Android 2.3 than the big guys. But smaller carriers aren’t necessarily the best: Boost, for example, still has phones running Android 1.5, and T-Mobile has one model that is still Android 1.6.

If anything, there doesn’t seem to be a coherent pattern among the updates. Newer phones, such as Verizon’s 4G HTC Thunderbolt, are still running Android 2.2, while older phones, like the Verizon Motorola Droid X, are running Android 2.3. That doesn’t make sense.

Perhaps these numbers will turn around, and the next survey from Androidandme.com will show some progress from both the manufacturers and the carriers. And perhaps customers themselves will begin asking about updates to these new smaller form-factor computers, a.k.a. their smart phones and tablets. After all, if they’re already in the habit of updating their computers regularly, why not expect the same from their mobile devices? But wishful thinking isn’t enough.

Even if Google pushed the updates out, the carriers could still block the installation on the handsets. All the mobile parties (Google, the manufacturers, and the carriers) need to work together on solving this problem. The real question is motivation.

Hopefully, we won’t have to have a crippling Android virus first to learn the answer.
