Android's security patch quagmire probed by US watchdogs

Mobile carriers and gadget makers will be investigated over how slow they push important software security patches to people. The probe will be carried out by US trade watchdog the FTC and America's internet mall cop the FCC. The two agencies will work together to scrutinize manufacturers of phones, tablets and other gear, …

  1. This post has been deleted by its author

    1. Tomato42

      Re: sigh

      To fix this we really don't need much.

      The first thing is that software defects should not be excluded from warranty (that includes disclosed vulnerabilities).

      Then we just need a label that clearly, in standardised manner, informs the customer:

      1). how long the warranty for all defects lasts

      2). what the manufacturer-designed expected lifetime of the device is (that means, at the minimum, that replacement parts, including software, will be available)

      3). what (if present) the length of time is for which software updates of the device will be provided

      allow for paid/free options on top of that, and then there's _some_ chance that the market rights itself up

      1. Headley_Grange Silver badge

        Re: sigh

        Tomato42 - I'd add to your list and have a British Standard lifetime (including slugging performance of old phones with updates) and repairability score for devices and hit companies with taxes based on the quantity and the score.

        1. Tomato42

          Re: sigh

          EU law allows you to simply return the device after 2 years if it does not match advertised feature set or breaks down in normal use.

          Some things should really have longer terms, but the basic framework is in place.

  2. Ugotta B. Kiddingme

    I am (perhaps naively) hopeful...

    that this will have a positive impact. On the other hand, however, there are perfectly valid reasons why "We're from the government and we're here to help" is the punchline to quite a few bad jokes.

    1. Tomato42

      Re: I am (perhaps naively) hopeful...

      I would say that your optimism isn't completely unfounded; Tom Wheeler was quite effective up till now.

    2. Anonymous Coward

      Re: I am (perhaps naively) hopeful...

      A "probe" won't do anything. They would have to regulate it, and since they don't regulate software updates for anything else this would be a pretty difficult thing to institute.

      If you want to see changes you better hope that UK/EU consumer laws force it, the US won't.

  3. Anonymous Coward

    > or simply receive no patches at all because manufacturers simply don't care.

    Funny how that works when people insist on buying the cheapest no name Chinese crap. As for the major vendors, well, comparing their profit margins with Apple, who do at least support their phones reasonably well for at least the first few years, ought to tell them that when people buy their second smartphone they do remember the support. Also, the companies with garbage support, I have noticed, then usually whine when everyone ignores their new whiz-bang flagship.

    1. gollux

      Funny how you don't have to buy cheap Android equipment either to be caught in the patch quagmire. It's abysmally bad all around. The "business" models my company paid for were promoted for their performance and support and cost a little bit more, but at 18 months were basically unsupported when it came to OS upgrades. And the companies with garbage support can be some of the mainstream types that tout their excellence in all other fields, until it comes down to Android.

      1. Anonymous Coward

        It's certainly not abysmally bad all round. My Xperia gets timely updates. It's running a recent release of Android 6.01 and is a 2 year old device.

        Android and Apple, are they different? Apple play tricks to appear like they offer better support.

        1/ They do all their prep beforehand, PTCRB and such like, so it looks like it's announced then available. Android does its stuff in public.

        2/ Apple hide old versions of iOS on old devices with missing features but still running a hacked-around hybrid cut and shut of the old OS, with a new kernel and skin to give the illusion of the latest iOS; it's not...

    2. Headley_Grange Silver badge

      "cheapest no name Chinese crap"

      What? Like Samsung? My Galaxy Note 8, bought in April 14 is running Android 4.4.2. That's why I haven't turned it on for months and why I won't be coming out of the Apple garden any time soon. I certainly won't ever buy from Samsung again.

      1. Anonymous Coward

        Consumables

        Ditto. I damaged my S3 and used it as an excuse to upgrade to the Nexus 6 which had just been released and the Nexus has had many system updates since then. Just last week though I had cause to resurrect the S3 and lo and behold, not a single update was waiting despite all of the vulns announced in the time it was off.

        On the flip side, the only way they will currently make money is by convincing you to buy a new device, not by supporting your old device. If you want (limited) lifetime support and upgrades you're going to need to fork out more up front.

        Having said that though, the high end models do command premium prices so some form of aftercare shouldn't be too much to ask for.

        1. Triggerfish

          Re: Consumables

          Yes after moving from a Samsung phone, I was at first wondering why my new phone kept updating itself so often, then I realised it was because it was supposed to and Samsung are terribly slack.

    3. Trixr

      Mine's an LG G3. Not one OTA. Not cheap and not crap.

      1. Anonymous Coward

        The G3 is currently updated to Android 6.0 Marshmallow with security fixes from March 2016 IIRC.

        These should appear as OTA updates, they certainly have for carrier G3 models in the UK.

    4. big_D

      Cheap non names? Like Samsung and LG you mean?

      Both my Galaxy S3 and my LG G2 stopped getting updates before the 2 years of the contract were up. In fact the G2 still has a couple of months left on contract, but it is so old that some apps (MS Word and Excel, for example) refuse to load as the OS is too old to be supported.

    5. Stuart Castle Silver badge

      "Funny how that works when people insist on buying the cheapest no name Chinese crap. "

      In my experience, buying from a known manufacturer (rather than a cheap no name make) is no guarantee. I've had an N95 on O2 that received no updates, despite Nokia actually throwing them out at a rate of knots, and an HTC TyTN that only received an update when HTC bypassed the carrier totally and released the update themselves.

      As I understand it, that is the problem with Android updating. The number of companies that have to approve the update before it's distributed to end users. As I understand it, the process is supposed to go as follows:

      Google (or other open source developer) develops a patch for Android. Google tests the patch.

      Device manufacturers test the patch. They release it, or throw it back to Google if they find faults. They can create patches for their own software if needed. Assuming they release a patch, it then goes to the carriers for testing. Again, carriers will either release the patch or block it. As you can see, there are at least three organisations that need to approve the patch before it's released to the public. Those companies are looking to make money, so won't necessarily want to patch older phones, whether the bug being patched is in Android or elsewhere.

      Apple, on the other hand, have a much simpler process. They don't have any device manufacturers to deal with, so that's one step gone. They also don't allow the carriers to add their own software, so while carriers do test new versions of iOS, they have almost no control over its release schedule.

      Don't get me wrong. Apple are not perfect. Any device more than 2 or 3 years old will rarely get updates, and I think that is something that may need to be looked at.

      1. Anonymous Coward

        Don't forget the FCC who also want to be involved....

        Ironically, they are also in on the investigation.

  4. Dadmin

    Samsung is the worst of the big manus

    Several three year old Galaxy Tabs, all of which got exactly ONE OS update. Never heard from Samsung again; this is going on two years since an actual OS update. TWO YEARS. Android is dead to me for anything but local LAN-only usage. Just a complete waste of time with these Samsung idiots. Tons of new products, none of which will ever see any OS/firmware updates. Just stop calling the product "Galaxy" and call it what it is: "Samsung Orphans".

    1. gollux

      Re: Samsung is the worst of the big manus

      Yeah, I crossed Samsung off my buy list a couple years ago. Flash but in the end, no go.

    2. Adam 1

      Re: Samsung is the worst of the big manus

      It depends on the manufacturer and network. My Nexus 5 (2014) running 6.01 got its May security patches this morning. Buying a device with vanilla android was my priority.

    3. Gotno iShit Wantno iShit

      Re: Samsung is the worst of the big manus

      I would have agreed with you 10 days ago, but last week I got notification of a patch being available for my S5 mini. The first since the initial flush when it was new 14 months ago. It was on 4.4.2 IIRC and now has 5.1.1. Do I thank Samsung or EE? I've no idea, so I'm not going to disagree; I've just sent my jury out to reconsider.

  5. redpawn

    Want security buy a new one

    What a terrible business model. Vendors should be sued out of existence for this, but you clicked a EULA relieving them of all liability. A little legislation voiding these clauses would work wonders to keep devices updated for, say, a minimum of five years. The costs of cheap droids would go up a little, but safe usage time would also. Worth the extra cost.

    1. Triggerfish

      Re: Want security buy a new one

      I was under the understanding that EULAs don't mean shit against a country's actual laws.

  6. chasil

    At the very least...

    ...carriers who abandon phones within 5 years of introduction should be compelled to release any signing keys that they used to lock bootloaders.

    If Verizon wants to create a walled garden with locked bootloaders, then they have a responsibility to maintain it. Any devices that do not receive quarterly security patches should be forced open, allowing Cyanogenmod to become an option for security fixes.

  7. ma1010

    Sounds like a GREAT idea!

    It really does. But likely this will degenerate into finger-pointing between Google and the phone manufacturers. Google will be absolutely safe, no matter what, because the FTC will never do anything to harm them in any way.

    If anyone thinks they will, see this article from El Reg last month. Google will just call a certain close friend in the White House, and the nasty FTC will go away and leave poor, abused Google alone.

    Don't hold your breath waiting for any patches.

    1. Big_Ted

      Re: Sounds like a GREAT idea!

      Then again, your post completely ignores the fact that Google release security updates that hit the Nexus devices fairly quickly and hand the same to all those manufacturers out there who don't send out the fixes quickly.

      OK a new version of Android needs testing on the older kit to ensure it will work and not brick the older device but that should not take months and sometimes even lags behind the next version as well.

      Google should take control of as much as possible and require manufacturers to leave the updates to security etc. to Google, and they can then add their own UI and apps on top. Maybe then we would get updates, at least if not the latest Android version, in a timely fashion.

      1. Steve Davies 3 Silver badge

        Re: Sounds like a GREAT idea!

        Just what I've been saying for years, since my one foray into Android land with an HTC phone. Got one update that would never install. Kept complaining that there was not enough memory. This was ootb and no apps installed.

        Patching/updates is absolute rubbish when compared to Apple. Yes, I know that Apple has their walled garden, but it sets a standard for other OSs to match and hopefully succeed.

        Will Google do anything to improve matters? Well, IMHO pigs will fly sooner.

        More hot air coming out of DC.

      2. Mr Flibble

        Re: Sounds like a GREAT idea!

        Problem is how the device is updated – one partition each for vendor files (low-level libraries), recovery, radio, boot and system. You'd need two system partitions (Google & vendor OS) for Google themselves to be able to supply updates.

        I suspect that Google will need to suspend licences for the Google Apps bundle in order to kick vendors into compliance, with suspensions being triggered when currently-supported devices are more than (say) three months out of date regarding security fixes. It'd be nice if this were, within some reasonable amount of time, extended to all devices running versions of Android which get security updates.

        Regarding errors concerning a lack of storage space – older phone with separate partitions for user data (apps, app data) and user files (photographs, music, video etc.)? I've seen cases of that and… strongly encouraged upgrading to something running current Android and with plenty of space for updates for several years yet. Guessing a bit here, but 2GB total in /system and a minimum of 4GB total in /data (double that one if you're an app junkie, and I'm assuming use of SDHC for photographs etc.) should do for at least a few years, allowing for some growth in app sizes.

        1. energystar

          Re: Sounds like a GREAT idea!

          "Problem is how the device is updated – one partition each for vendor files (low-level libraries), recovery, radio, boot and system. You'd need two system partitions (Google & vendor OS) for Google themselves to be able to supply updates."

          Long term -and in privacy and Law concerns- Not only Memory and Storage... All of the 'Dragon' has to be 'partitioned' [more than twice], and their parts made to comply with Protocols not yet designed.

      3. RyokuMas

        Re: Sounds like a GREAT idea!

        "Google should take control of as much as possible and require manufacturers to leave the updates to security etc to Google"

        You mean start acting even more like Microsoft?

        1. #define INFINITY -1

          Re: Sounds like a GREAT idea!

          The Microsoft that produced Windows XP and 7, yes.

  8. Nunyabiznes

    Core problem

    This is a systemic issue with the Android ecosystem (well Android is the most visible anyway due to sheer numbers) and just about everyone involved has a little guilt to share. Carriers, Google, FTC, FCC, manufacturers and consumers (not necessarily in that order) all have neglected to do their duty.

    As consumers we haven't voted with our wallets, the manufacturers have consistently orphaned products way too early, carriers have actively blocked consumers from updating their devices/failed to push updates, Google isn't using their quite considerable influence to get manufacturers and carriers to help, and the .gov hasn't used a big stick to get everyone's attention (up until now perhaps).

    *This is from a US perspective. YMMV.

  9. Tromos

    Nexus NOT immune to this.

    Would The Register kindly stop perpetuating the myth that all Nexus devices get updates. Anyone with an original Nexus 7 tablet was summarily abandoned ages ago.

    1. Fullmetal5

      Re: Nexus NOT immune to this.

      I wouldn't say it's been abandoned ages ago.

      According to the Nexus 7 (2012 edition)'s Wikipedia page the device is upgradable to 5.1.1 Lollipop and CyanogenMod is still providing updates for it. (granted not for Marshmallow but since it is still getting the nightly builds it's possible for it to get Marshmallow)

      1. Mr Flibble

        Re: Nexus NOT immune to this.

        I'm fairly sure that whatever security fixes can be applied for older Nexus devices are being applied; though, as you've probably guessed, I don't know this for certain – I'm basing this on datestamps of factory images.

      2. Tromos

        Re: Nexus NOT immune to this.

        Possibly perceptions of what 'ages ago' means might vary, but I'm referring to the last update (indeed, it was to 5.1.1) being more than a year ago and no chance of any more.

        The fact that CyanogenMod is a possible solution does not excuse Google from shirking its responsibilities any more than it does Samsung and the rest, for whom the same applies.

        My main objection still stands, that El Reg implies that ALL Nexus devices are getting updates every time there is an article on Android upgrades. Inaccurate reporting - GET THE FACTS RIGHT.

      3. Adrian 4

        Re: Nexus NOT immune to this.

        But the last update bricked some of them and vastly reduced battery life on the rest.

        It's all very well having patches, but how about testing them thoroughly ?

  10. Anonymous Coward

    FTC to investigate slowness of Android security patches.

    "The two agencies will work together to .. to find out why so many folks are not able to obtain security updates in a timely fashion."

    Rather than any delay in getting approval from the carriers, I suspect the problem is manufacturers can't be bothered upgrading to the latest Android. I suspect some intern, or no one at all, is how the carriers and hardware vendors are handling security.

  11. Anonymous Coward

    Verizon and Sony Z3v Still Officially Running Android 4.3

    After 2 years Verizon had not patched my Z3v. I think it was still running 4.2 or something that old. They refused to issue a patch even after Sony repeatedly stated that the patch was sent to them. The Sony phones from all other carriers were also updated.

    In the end there was a leak of the 2.1 firmware that was sent to Verizon, and I downloaded it and patched my phone myself. This is risky, but so was using the phone with an OS with so many holes that were not being patched.

    I think I paid over $600 for the Z3v thinking it was just a Verizon version of the Z3. In the end it was just an enhanced Z2 with loads of performance issues and stability problems. The 5.1 update did solve most of the performance and stability problems, but the camera is still junk. The hype about the camera was the main reason I bought this phone. It is the last Verizon phone I will ever buy.

    If this update issue continues, the only phones I will buy in the future are Google Nexus devices.

    1. Triggerfish

      Re: Verizon and Sony Z3v Still Officially Running Android 4.3

      I have to say my Z3 updates pretty promptly (3 mobile in UK here). I think your problem is Verizon.

  12. JakeMS

    Just think..

    Just think, if DRM and anti-jailbreaking wasn't in place we could probably just use a custom firmware on any device (assuming relative drivers available for hardware) and fix security issues ourselves.

    Instead hardware vendors decide to lock their devices down, do everything they can to prevent "jail breaking" and for what? "To Stop Piracy"?

    Fact is, the more locked down a device is and the less control you have over the device will basically expose you to security risks the more locked down it is.

    After all, sooner or later the manufacturer will stop issuing updates; heck, sometimes they will never push a single update. It's at this point your device is a security risk.

    People have to realise this is intentional on the manufacturers' part; they sell more devices that way. Want the latest security? New device! It's not about piracy, it's never been about piracy. It's about making more money.

    However, if drivers were open and there was no anti-jailbreak or DRM crap in place we could just use custom firmware and be free of these problems...

    But no... everyone insists on accepting DRM/Vendor Lock on devices and "not caring" about it and so it will remain a problem.

  13. fidodogbreath

    The market's invisible hand (or at least, its finger)

    Manufacturers and carriers have ZERO financial incentive to update older devices. They know people will keep buying their cr@p regardless.

    Most consumers never even think about security; they want shiny metal and ease of use, and blithely assume that someone, somewhere is looking out for them.

    If you want OS updates, Nexus and iPhone are your only options. Sucks, but there you have it.

    1. Mikel

      Re: The market's invisible hand (or at least, its finger)

      It would be nice if consumers (even business consumers) valued security enough to make real security (including patches, but also architecture and design) critical to product success. Then the market could settle this properly. But they don't.

      If they did, there would be no Windows.

  14. Anonymous Coward

    FTC To Study Mobile Device Industry’s Security Update Practices

    According to this the FTC sent letters to a number of handset manufacturers, only some of which use Android. The above headline would erroneously lead one to the impression that the FTC & FCC were only investigating security on Android.

    "The eight companies receiving orders from the FTC are: Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc." For Release May 09 2016

    1. energystar

      Re: FTC To Study Mobile Device Industry’s Security Update Practices

      Executive orders request not just answers [or excuses], but actions. At the least a precise and updated Status Report. Please don't lie.

    2. Robert Helpmann??

      Let the probing begin!

      FTC and FCC stand over the supine body of ISP, strapped to the Good Ship Stagefright's probing table.

      ISP: What..? What's going on?

      FTC: We wanted to calibrate the equipment.

      FCC: Yes, there seems to be a lot of variation between the models assigned to you and it is important to find out why.

      ISP: But what does that have to do with me?

      FTC: Well, it is your equipment, isn't it?

      ISP: It is, but not as such. You see... <PROBE> ARRGH!

      FCC: What do you think?

      FTC: It doesn't look so good for tablets and I'm not getting a reading for phones. Probe again!

      ISP: No! Wait! <PROBE> AHHHH!

      FTC: Still nothing. Give it a few more jolts and maybe something will show up.

      ISP: <PROBE> OHHHH! <PROBE> Please! No! No more! <PROBE> Don't touch me there! Only my girlfriend touches me there! <PROBE> <PROBE> <PROBE> <PROBE> <PROBE> whimper....

      FCC: Sigh. Really, this could have all been avoided if you would have kept your house in order to begin with. Have you learned your lesson?

      ISP: sniff sniff sniffle *hic* yes.

      FCC: Good. What do you think?

      FTC: Dunno. Maybe a couple more just to be sure.

      <PROBE>

  15. annodomini2

    Political Grandstanding

    "Hey look, we're doing something"

    Result: Lots of talk and headlines, no reaction.

  16. Bucky 2

    You've got to feel for the phone vendors, though. Every couple weeks, there's a new patch of one kind or another. If they have a couple dozen phone models, they might need to type "make" several dozen times.

    My God. Think of the carpal tunnel.
