BlackBerry promises monthly Android patches; can override carriers for critical hotfixes

BlackBerry has joined other Android phone makers by promising timely security fixes.

The smartphone maker said Wednesday it will join other device makers by rolling out security patches within about a month of their initial disclosure.

BlackBerry, now an Android phone maker following the debut of its first phone running the software, said in a blog post that it was "critical" to fix Android flaws in a timely fashion.

Google's policy to disclose monthly vulnerabilities in Android, which it develops, started earlier this year when it announced it would roll out monthly fixes to its own-brand Nexus devices. Later, Samsung and LG followed suit saying they would also step up and offer patches monthly.

Beleaguered phone maker HTC said it was an "unrealistic" target.

BlackBerry said that its Priv smartphone, bought through the company's store, will receive over-the-air updates when they are made available.

Devices bought through a cell network, notably AT&T in the US, will receive updates following a carrier's approval.

That, however, can be a problem for serious flaws, the company said. Sometimes Android users can't wait for a fix.

The company added that in critical cases, when an Android flaw is being actively exploited by attackers, it will issue a "hotfix" which bypasses the need of a carrier's approval.

"Because a hotfix is typically limited in scope, the balance between a longer testing and approval process and the risk from the critical flaw makes this approach an important addition to helping keep users safe and secure," said BlackBerry chief security officer David Kleidermacher.

In a follow-up phone call, Kleidermacher

said BlackBerry customers could receive a fix as quickly as 24 hours after the company is notified, depending on the complexity of the flaw.

"We will patch on BlackBerry directly, and we will ask our carrier partners to give us a rapid approval," he said.

"But there are cases where we will apply this over-the-air fix, without carrier approval, if we deem it necessary," he added.

He added that there "will come a time" when the company needs to act because a publicly released or zero-day vulnerability is too high risk. He also confirmed that this may also apply to privately reported vulnerabilities, outside of the monthly patch cycle.

Carriers have long argued they need to test Android updates, and have often been criticized for being one of the biggest barriers in the way for security updates, and one of the prime reasons why Android has become fragmented with many software versions.

This year alone, there have been multiple serious vulnerabilities in Android that have left hundreds of millions of users exposed to data theft, privacy invasions, and malware attacks.

BlackBerry Priv is available for pre-order on AT&T in the US at $699.