
Wireless Carriers Leave Millions of Android Phones Prone to Hackers

Source: BGR | 20 comments

Android device owners unable to receive updates without participation of carrier.

Millions of Android smartphones are left vulnerable as wireless carriers and handset manufacturers refuse to roll out existing security fixes to devices within an adequate timeframe.

Chris Soghoian, Principal Technologist and Senior Policy Analyst with the American Civil Liberties Union, said that unlike iPhone users, whose updates Apple controls and releases regardless of the carriers, Android users are unable to receive an update on their phone without the carrier’s involvement. "The phones have to contact a server run by the carrier in order to get an update."

Bug fixes from wireless carriers or hardware makers can take up to a year or longer to reach devices. "When Apple decides that it’s going to give a security update to consumers or a feature update, every consumer who plugs their phone into their computer gets the update whether or not their respective regional carrier likes it," Soghoian said at the Kaspersky Security Analyst Summit.

With Android, "you get updates when the carrier wants it and when the hardware manufacturer wants it, and usually that’s not very often." He added, "This is not an instance where I’m criticizing Google for not fixing the bugs. Google’s team will usually fix it very promptly and make it available to all of their hardware partners. The problem here is that fixes for critical security vulnerabilities are simply not getting downstream and reaching consumers."

"You don’t need [a zero-day exploit] to attack most Android devices if consumers are running 13-month old software," Soghoian continued. He said that carriers need to accept responsibility for the devices they’re selling or leave the control of updates to Google. However, he believes that won't happen unless the government intervenes and applies pressure.

During the third quarter of 2012, the volume of Android malware surged considerably, with each new exploit becoming more sophisticated.



 

Top Comments
  • 12
    InvalidError, February 8, 2013 1:50 AM
    If carriers get hit by a handful of class-action lawsuits for billing usage generated by malware that should have been prevented by OS upgrades carriers never rolled out and that end-users could not install themselves due to DMCA, with courts telling carriers to refund and eat future usage costs until they fix their phones, things may start moving more quickly.

    If carriers refuse to update phones and refuse to let subscribers update their own phones, carriers should be responsible for malware data usage since this effectively means carriers refuse to do the minimum effort required to reduce the likelihood of malware getting on their devices.
  • 12
    wildkitten, February 8, 2013 1:26 AM
    This has been one of the most frustrating things being an Android owner. The ridiculousness of the manufacturer having to submit build after build is outrageous. Verizon made Motorola submit at least 10 ICS builds for the Bionic before one ever got approved, and it wasn't because of how well the builds were but fights over bloatware and what could be frozen without root.

    This is one thing Apple does right with the iPhone. Google needs to push their weight around with carriers in support of their OEMs.
  • 12
    Anonymous, February 8, 2013 1:24 AM
    Yet, another reason to root your phone
Other Comments
  • -6
    wildkitten, February 8, 2013 1:28 AM
    Moesfury: Yet, another reason to root your phone

    A person shouldn't have to risk bricking their phone, voiding their warranty, increasing the cost of service only to get timely upgrades.

    Rooting should be done by enthusiasts, not seen as something the average typical user should do.
  • 1
    sacre, February 8, 2013 1:38 AM
    All OS's have their downfalls. iPhone is safe, but not really customizable. Android is customizable, but not very safe. "Oh but you can this and that" well you shouldn't have to.
  • 1
    shadowfamicom, February 8, 2013 1:53 AM
    sacre: All OS's have their downfalls. iPhone is safe, but not really customizable. Android is customizable, but not very safe. "Oh but you can this and that" well you shouldn't have to.

    That's why there needs to be a middle of the road OS, something that is more controlled than Android, but less controlled than iOS. Finding a way to standardize more internal hardware would help things rollout faster maybe? Or maybe make it so Samsung, Motorola, HTC, etc. can all give you updates by plugging into your computer, bypassing the carrier crap they go through. I am sure this is against the contracts phone makers sign though.
    Anyone correct me if I am wrong :)
  • 6
    Gundam288, February 8, 2013 2:32 AM
    otacon72: It will NEVER happen because of the ToS you agreed to when you signed up for your plan.

    A ToS doesn't always mean you are off the hook in court.
  • 1
    tului, February 8, 2013 2:41 AM
    Gundam288: A ToS doesn't always mean you are off the hook in court.

    I agree. Our congress critters are also free to pass legislation making carriers liable. You know, it'd be nice if they did something actually useful.
  • 0
    dark_wizzie, February 8, 2013 2:45 AM
    Why don't carriers do the updates? It ups the experience and it's beneficial to them...
  • 0
    InvalidError, February 8, 2013 3:49 AM
    otacon72: It will NEVER happen because of the ToS you agreed to when you signed up for your plan.

    Companies put tons of crap in their contracts, ToS, etc. that does not hold water in court or gets abused in ways that courts may rule unconscionable - clauses that courts rule no sane person would accept unless they were forced to or otherwise had little to no other choice.

    IIRC, the arbitration clause many carriers put in their contracts to dissuade people from taking carriers to court got struck down a couple of times by judges saying such clauses are anti-constitutional and therefore void.
  • 1
    The_Trutherizer, February 8, 2013 5:55 AM
    After my experience with trying to get an OS upgrade for my Motorola Defy I honestly believe that many HW manufacturers want consumers to buy a new device rather than just giving them software updates. Well at the very least their priorities seem to be aligned that way. Personally I see it as a fail that my device couldn't install the latest OS 1.5 years after being released into the market and I would see more care being taken by the manufacturers to ensure that their products remain valid for at least a few years able to provide their customers with a viable user experience throughout. It's not like my Defy was a low end phone when it came out. It had some very decent hardware for the time.
  • -1
    siddallj, February 8, 2013 8:49 AM
    If you want the latest OS on Android, Root your phone.
    Install a custom ROM
    Cyanogen Mod 10.1 is Extremely good. Faster, longer battery life.
    Then add Comodo Antivirus, you're covered.
    Latest OS, great security.
  • 0
    house70, February 8, 2013 10:33 AM
    The openness of the OS is well worth the minimal security risk. I don't want a phone that tries to protect me from myself and thinks it knows better.
    To each his/her own.
    If you want to keep your secure settings, don't change the default developer options and don't install apps that require more privileges than they should. Rooting actually decreases your security a bit because it gives you access and control over the system partition and the OS files. It should only be done if you really know what you're doing.
    If your device works as intended with an older OS version, just keep it. Why force an update that will make it worse in case the hardware can't keep up with it? Apple is crippling their older devices by doing this, no need to join that trend.
    Finally, if you really have to do it, research a lot before jumping in.
  • -1
    house70, February 8, 2013 10:38 AM
    If you want to read a really good editorial on this topic, read here:
    http://www.androidcentral.com/editorial-fragmentation-malware-and-clicks

    This guy has more sense than a lot of people posting articles on TH (including the OP).
  • 0
    toadhammer, February 8, 2013 12:41 PM
    dark_wizzie: Why don't carriers do the updates? It ups the experience and it's beneficial to them...

    After launch, hardware makers don't want the cost of redoing their custom work (mating Android to their hardware and drivers). Similar story for the carriers. Only Nexus has vanilla Android.
    It's all about the money. Spending money isn't beneficial to them if they don't think it will buy them something valuable.
  • 0
    st430, February 8, 2013 12:58 PM
    Maybe the update should have gone through the Android "Play" (marketplace) instead.
  • 0
    Anonymous, February 8, 2013 2:29 PM
    What people understand is you have to ROOT your device to avoid this. I can get any update I want or any Google ROM out there without having to depend on the manufacturer. The main fault here is on Google for allowing the cellular companies to have main control of when the users can get the updates on the stock ROM. Apple proves to be the strongest company to have control over their devices. They do not allow custom operating systems on the iDevices, no cellular service branding (seeing AT&T or Verizon on the phone), and things of that nature. Google should provide service to where they install the STOCK ANDROID ROM and have main control through Google other than the cellular provider.
  • 0
    g00fysmiley, February 8, 2013 2:57 PM
    biohazrdfear: What people understand is you have to ROOT your device to avoid this. I can get any update I want or any Google ROM out there without having to depend on the manufacturer. The main fault here is on Google for allowing the cellular companies to have main control of when the users can get the updates on the stock ROM. Apple proves to be the strongest company to have control over their devices. They do not allow custom operating systems on the iDevices, no cellular service branding (seeing AT&T or Verizon on the phone), and things of that nature. Google should provide service to where they install the STOCK ANDROID ROM and have main control through Google other than the cellular provider.

    Agreed, but I would add further that phone makers like HTC and Samsung have little reason to update a phone either. My wife's rooted Samsung should still be on 2.3 but instead has 4.0. My buddy's HTC Evo could also run 4.0, but because he is not willing to root he will never get 4.0 or higher. His phone could easily run it, but even HTC never released the drivers for it because they want people to buy a new device.
  • -1
    wildkitten, February 8, 2013 4:46 PM
    biohazrdfear: What people understand is you have to ROOT your device to avoid this. I can get any update I want or any Google ROM out there without having to depend on the manufacturer. The main fault here is on Google for allowing the cellular companies to have main control of when the users can get the updates on the stock ROM. Apple proves to be the strongest company to have control over their devices. They do not allow custom operating systems on the iDevices, no cellular service branding (seeing AT&T or Verizon on the phone), and things of that nature. Google should provide service to where they install the STOCK ANDROID ROM and have main control through Google other than the cellular provider.

    Once again, rooting needs to stop being pushed as something typical. Rooting should only be done by those who know exactly what they are doing, are willing to brick their phones, are willing to accept the voiding of the warranty and accept possibly paying more for technical support as well as be willing to pay full price for a replacement phone if something goes wrong.

    In the case of installing a custom ROM, yes, that is all great for the tinkerer, but it is awful advice for someone who depends on their phone. There is also the issue that this takes you off the upgrade path. This may be fine for merely OS upgrades, however, it is not always upgrades that get pushed. If a carrier makes changes to their network that changes how the phone and the network interact, they have to push out an update for that, and if you have a custom ROM, you don't get it.

    I'm not saying there is something wrong with rooting in and of itself, but the problem comes in when people say to do it casually as if it's no different than turning your phone on and never talk about the potential risks and downsides. Read any responsible Android site and they point out the benefits AND the pitfalls of rooting as well as custom ROMs.
  • 0
    danwat1234, February 10, 2013 3:45 AM
    So does this mean little security patches need to be approved by carriers? I know OS upgrades need carrier approval. What about 3rd party app updates, I assume those updates are available immediately after the software developer submits the patch.

    We need some details.