Business Blog
Patchwork: Why do many mobile devices go without security updates?
Every business wants to forge an ongoing relationship with their customers. That principle takes on special significance for mobile device manufacturers when they need to issue security patches for the operating system software on their phones and tablets. Once devices are in consumers’ hands, are they getting the patches they need to protect against critical vulnerabilities? Are companies deploying those patches in a timely fashion and for a reasonable length of time? That’s the subject of a new FTC report, Mobile Security Updates: Understanding the Issues.
Why do so many devices go without critical patches? We can think of three reasons:
- The company never issued an update at all, perhaps because it can be time-consuming and expensive;
- The patch is delayed, because working with other companies to develop, test, and deploy patches can take a long time; and
- Consumers don’t install updates they find to be inconvenient.
But when weighed against the alternative – a device vulnerable to an onslaught of spyware, ransomware, and other injurious -wares – it’s something that needs to be done.
There’s another variable that confounds the picture: lots of variation, but not much information. Support periods – the time during which a device receives operating system updates – vary widely, even among comparable devices made by the same company or serviced by the same carrier. What if consumers want to factor in security support when figuring out whether to replace an old device or when comparison shopping for new devices? Good luck with that because it’s often hard for them to get much information about security support at all.
According to the Report, industry members have taken steps to streamline the patching process, but there’s more on the TO DO list to get security updates to users’ devices and to get them there faster. You’ll want to read the Report for the details, but here are some of the FTC’s recommendations to improve the process:
- Government, industry, and advocacy groups should work together to educate consumers about the importance of security updates. Consumers also need to understand that they play an essential role in the process.
- Industry members should – to use a few of our favorite phrases – start with security and stick with it. That includes encouraging a culture of security support. Consistent with the costs and benefits of doing so, companies also should embed security support considerations into product design and make sure that all devices – no matter their price or popularity – get security support for a period of time that is consistent with consumers’ reasonable expectations.
- Manufacturers should consider keeping better records about update decisions, support length, update frequency, and update acceptance so they can learn from experience.
- Companies should continue to streamline the security update process, with an eye toward making it easier for consumers. In particular, where feasible, issuing security-only updates – instead of bundling security patches with general software updates – may get easier-to-install patches to consumers faster.
- Manufacturers should consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.
Watch the Business Blog for more about this important topic.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.