Mobile Security Updates: Understanding the Issues

Citation
Federal Trade Commission, Mobile Security Updates: Understanding the Issues (Feb. 2018) (full-text).

Overview
Security researchers and government agencies have consistently maintained that the best way to secure consumer information is to take reasonable steps to design secure products and maintain their security with updates that patch vulnerabilities in device software. Despite this consensus, security researchers and industry observers have reported that many mobile devices' operating systems (the software that powers the devices' basic functions) are not receiving the security patches they need to protect them from critical vulnerabilities. As a result, many mobile devices are vulnerable to a wide range of malware (malicious software) attacks, including spyware, phishing, and ransomware. Each of these malware variants can put consumers at risk of identity theft scams, fraudulent charges, or device compromise, which can cost consumers hundreds or thousands of dollars.

In May 2016, the FTC issued identical Orders to File Special Reports ("Orders") under section 6(b) of the Federal Trade Commission Act to eight device manufacturers to gather information about their security update procedures and practices. The respondents — Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung — comprise most of the U.S. mobile device market and represent some of the variety of the mobile ecosystem. Collectively, they use, or have used, four different operating systems, including the two dominant operating systems in the U.S. (Android and iOS). A few, such as Apple and Microsoft, sell relatively few models powered by their own operating system. By contrast, several, including HTC, LG, Motorola, and Samsung, have large device portfolios whose phones and tablets run device-specific customizations of the Android operating system.

This Report summarizes the information provided in response to the Commission's Orders, as well as responses to a parallel inquiry initiated by the FCC into mobile carriers' security update practices. The data provided in response to these inquiries is not sufficiently representative to permit definitive conclusions about industry practices as a whole. Nevertheless, the companies' narrative responses and several detailed data sets provide remarkable insight into the security update practices that affect a large proportion of the devices on the U.S. market.