Unlike desktop computer systems, mobile phones usually receive few updates, whether for new functionality, security or privacy. Many manufacturers are more interested in creating and releasing a new version of a phone than in supporting phones they have already produced, and carriers likewise do not want to spend resources on testing and deploying patches on their systems.
This practice has led to many problems. A serious one is that companies failed to deliver security updates for devices, which meant that consumers, most of the time unaware, were using insecure phones.
HTC America's recent settlement with the FTC could have a serious impact on how device manufacturers and carriers create and deploy security patches, and in the end, it could very well reduce or even end Android fragmentation.
HTC is required to fix vulnerabilities in millions of devices, and the company is furthermore required to establish a comprehensive security program and undergo security assessments every year for the next 20 years.
The FTC used several examples to make its point. These included security issues in two logging applications that run on HTC phones, Carrier IQ and HTC Loggers, and programming flaws that would allow third-party apps to bypass Android's security model.
Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent. The FTC alleged that malware placed on consumers’ devices without their permission could be used to record and transmit information entered into or stored on the device, including, for example, financial account numbers and related access codes or medical information such as text messages received from healthcare providers and calendar entries concerning doctor’s appointments. In addition, malicious applications could exploit the vulnerabilities on HTC devices to gain unauthorized access to a variety of other sensitive information, such as the user’s geolocation information and the contents of the user’s text messages.
While the case was made against HTC, other carriers and manufacturers are not off the hook either, as they may be facing similar settlements in the near future.
For Android, this could very well mean that many carriers and manufacturers limit their software customizations and move back toward core Android systems, which makes it easier to test and distribute the patches that Google releases for the system.
For consumers, the settlement will most certainly mean better security and patches over a longer period of time. Gone will be the days when the next generation of a phone marks the end of updates for previously released phones. (via Threatpost)