SAN JUAN, Puerto Rico — Activist Chris Soghoian, whom in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices.

The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. Today during a session at the Kaspersky Lab Security Analyst Summit, Soghoian made a call for legislators to get involved in calling AT&T, Verizon, TMobile and Sprint on the carpet for their practices, or cede control to Google for providing regular updates to devices.

Unlike with Apple, which wields considerable influence with the carriers because all of them want a share of the iPhone market, Soghoian said Google has relatively little power in its relationship. Google gives up the Android operating system for free and carriers and handset vendors have control over update distribution.

“With AndroidChris Soghoian, the situation is worse than a joke, it’s a crisis,” said Soghoian, principal technologies and senior policy analyst with the American Civil Liberties Union. “With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.”

Android malware skyrocketed over the last 12 months. Researchers at Kaspersky Lab said that 99 percent of mobile malware detected monthly was targeting Android; in May 2012, there 7,000 unique attacks detected for the platform. Android has the largest mobile device market share, yet users are vulnerable to a number of attacks, the most prevalent being SMS attacks that run up premium calling charges. Malicious applications that drop malware are also rampant on the Google Play marketplace, despite the introduction of the Google Bouncer malware scanner.

While the carriers and Google engage in a bit of finger-wagging at each other over who is to blame, consumers remain in the crosshairs of attackers because they are not getting the updates they are essentially promised with the purchase of a device. Soghoian showed some numbers backing up his premise; some LG Android devices were up to 16 months behind, while Samsung devices were up to 13 months in arrears. Also, according to the Google Android Developers Dashboard, 50 percent of devices are running the Gingerbread version of Android, which was released in 2010.

“You don’t need a zero-day to attack Android if consumers are running 13-month-old software,” Soghoian said.

Soghoian was clear too in pointing out that Google is quick to patch vulnerabilities and makes those patches available to its hardware partners. Those fixes, however, are not getting downstream to consumers, he said. The most egregious example he provided was an update that would block a stolen Gmail digital certificate compromised in the DigiNotar certificate authority breach. Soghoian said that in his opinion Google won’t heavily market its Google Nexus devices, which get regular security updates because Google controls those updates, in order to maintain some peace in its relationships with the carriers and hardware vendors.

Most concerning is the default Android Web browser, which unlike Chrome and Firefox desktop browsers that are on six-week update cycles, the Android browser is two years behind in updates. Soghoian said browser updates are available only when the manufacturers send complete updates; browser updates are not available in the Google Play store.

“Outside the geek space, consumers don’t know the problem exists,” Soghoian said. “They may realize they’re not getting feature updates, but they may think security updates are happening in the background, or they don’t realize security updates are important.”

Soghoian added that the carriers have been leveraging their influence for some time. He offered three examples where carriers would block features on devices that conflicted with the carriers’ business models, including Bluetooth, tethering and Near Field Communication.

“When faced with a choice of providing a full set of features users wanted, the carriers would cripple those services because they threatened the carriers’ business model,” Soghoian said.

Categories: Mobile Security

Comments (7)

  1. Anonymous
    2

    It would be nice for this to finally happen but the reality is that the cellphone companies see no value in providing updates to their customers especially when most customers are on a two year contract and will just upgrade their device anyways to the latest and greatest.

  2. First A. Lastname
    3

    “…the cellphone companies see no value in providing updates to their customers…”

    Contract or not, they will when one of those customers claims damage and has the resources to hire a hungry attorney.

  3. Anonymous
    4

    I recently inherited my son’s Sony Ericsson Xperia X10 and it still had Android 1.6 on it…I tried to update the system via the phone’s “software update” but it wouldn’t do it. I went to the AT&T store and they all looked at me like I was from another planet and were of no help whatsoever. I even went to the AT&T service center and they said they had no way to update the Sony Xperia i.e. Sony never provided them with the hardware to do this. The people working there had no business calling themselves repair technicians – we used to call them “screwdriver techs” or “pc board swappers” back in the day.

    But updating the Android OS took some Googling to find out how, I then contacted Sony and they pointed me to software that would help me update the phone. The software provided by Sony only runs on Windows and the latest version of OS X and only updated the phone to Android 2.1. So I’m unable to run software that requires 2.2 or greater.

    I find this sort of manipulation to be grossly unfair to the consumer and is merely a way to exploit the ignorance of the consumer to keep them buying new hardware.

    On the good side is the ability to “root” the Android and pretty much update it via the SDK USB bridge. But that’s beyond the means of most smartphone users.  

     

  4. Anonymous
    5

    Another “omg panic” article…

    Malware currently on google play? 0

    Updates to individual components like the browser? Always, without carrier approval.

     

    The update situation has improved for the high end (though seemingly delayed, but not reslly since most skins like Sense (Htc) provide features not presrnt in stock android.  You shouldnt compare the two.

     

     

  5. Praqseven
    6

    WE need start a petition. I don’t think I should pay 400 dollars for a device than next year come out with a new device and ignore the previous device and then lie and state that device is not cable for update than release a device that has less specs and give new os the company is asus. TF101 and there new 7 inch device with less specs. 

  6. noyfb
    7

    That’s why people need to file complaints against carriers with the FCC, like verizon not updating phones like the galaxy nexus, 3 updates behind for a nexus device, where they want you to buy a new phone because its os is updated.

    Also people need to stop buying subsidized phones to stop these practices. If everyone was not stuck in a contract and had they will to leave at anytime it gives the consumers more power.

Comments are closed.