Mobile Device Patching Practices Under Scrutiny




The US Federal Communications Commission (FCC) has banded together with the Federal Trade Commission (FTC) to scrutinize the security update practices of mobile device manufacturers and carriers. The FCC has sent letters to carriers concerning their policies for reviewing and rolling out updates for devices. The FTC has ordered Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola and Samsung to provide data back to 2013 regarding how they decide which exploits should be patched.

The FCC is displeased that, while service providers and manufacturers have created fixes, there are significant delays in delivering the patches to consumers’ devices, and in many cases older smartphones and tablets never get the security updates.

I imagine there will be much finger pointing and blame-avoidance by almost all parties involved as staying on top of security takes not only money, but a firm commitment by the entire organization to ensure that consumers have the best mobile experience – and safety, not number of flashlight apps, is at the heart of that.

Ultimately it will come down to “Who knew what, when.” Taking a year to roll out a patch is totally unacceptable. When was the manufacturer notified of the problem? What priority did the manufacturer assign to the exploit regarding impact/seriousness, likelihood, scope, etc.? When did they forward a patch to the carrier, and when did the carrier roll it out to consumers?

The reason I mention “blame-avoidance by almost all parties” is that BlackBerry already has a leg up on the competition. Security has been baked into their DNA for years – but don’t take it from me. Financial news website LearnBonds wrote an article in March of this year entitled “BlackBerry Ltd is Better Than Android at Mobile Security”.

In the article they state:

BlackBerry is the best at Android security

Why such a bold statement?

As it does every month, Alphabet Inc — Google’s parent entity — sent out its latest security bulletin a little over a week ago. The document covers all of the latest safety and privacy issues facing the company’s mobile operating system. Beating everyone to it, BlackBerry was the first to send out a patch that addressed all the vulnerabilities listed on the bulletin. What’s even more impressive is that this was all done within 24 hours of the bulletin’s release.

Proof of commitment to consumers:

The company released a statement around the same time claiming it was the “first OEM” to send out patches in line with Google’s public disclosure. Further, the event was not a first time occurrence. BlackBerry has actually been issuing patches within hours of Google’s monthly bulletin since the release of the Priv handset. It is clear that the company is determined to prove it truly can keep its devices safe regardless of whether they run its in-house OS or not.

Many handset makers running Android on their smartphones normally take anywhere between a few days to a few months to address Google’s advertised vulnerabilities. The Web giant started sending out monthly bulletins to inform users and manufacturers in August last year. This came after a number of Android-related security and privacy arose in relation to Stagefright.

The author closes with the following:

BlackBerry Ltd (NASDAQ:BBRY) has kept on top of these updates since it took on the Android OS.

“Other mobile device vendors can take weeks, months or even years to deliver security patches,” the Ontario-based firm bragged in a blog post. “BlackBerry’s steadfast commitment to timely security updates is just one of the many reasons why BlackBerry continues to be the undisputed leader in mobile privacy and security.”

It will be interesting to see how this all ends up – but I wouldn’t hold my breath; government agencies tend to move slowly, especially in an election year.



