Apple, Google, others face questions over slow security fixes

The FTC and FCC both want to know "the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device."
Written by Zack Whittaker, Contributor

The inconsistency of Android updates is troubling to the agencies. (Image: CNET/CBS Interactive)

Two federal agencies want to know how and when smartphone makers patch security flaws, amid concerns that vulnerabilities are not patched soon enough.

The Federal Communications Commission and the Federal Trade Commission on Monday sent letters to leading mobile carriers and smartphone makers as part of a joint inquiry "to better understand, and ultimately to improve, the security of mobile devices."

The FTC wants eight phone makers to explain the "factors that they consider in deciding whether to patch a vulnerability on a particular mobile device," as well as, "the vulnerabilities that have affected those devices; and whether and when the company patched such vulnerabilities."

Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung received letters.

Meanwhile, the FCC wants cell carriers -- including AT&T, Sprint, and Verizon -- to explain their process for "reviewing and releasing security updates for mobile devices."

The investigation is thought to be in response to a 2013 complaint submitted by the American Civil Liberties Union, which accused cell carriers of stalling critical Android updates, exposing consumers to "significant cybersecurity-related risks."

Google, which develops the Android operating system, lets carriers decide when a device gets a particular update. Carriers have long argued that they need to test updates to ensure network compatibility. By comparison, updates released by Apple do not rely on approval from carriers.

But that inconsistency across the board is troubling to the agencies.

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user's device," said the FCC in a statement.

The agency cited Stagefright, a major security flaw that affected almost every Android device ever shipped. Though Google issued a patch for the flaw, which could allow hackers to deliver malware to a device, it took weeks for other manufacturers to implement the fix.

Some devices are still vulnerable to the flaw, the FCC said.
