Carrier Approvals Make Monthly Security Updates 'Not Realistic,' Says HTC

By Lucian Armasu
published

In a Twitter exchange about why HTC is not committing to the same monthly security patch pact that Google, Samsung and LG have already made, HTC's USA President, Jason Mackenzie, said that such commitment is "not realistic." The reason he gave is that carrier approval processes usually take too long for this to work.

The first company to announce a monthly security update was Google, after the Stagefright vulnerabilities that affected about a billion users were made public. Soon after that, both LG and Samsung committed to monthly security patches as well, but it's not clear whether they were sure they can continue to deliver this month after month, or it was just something they were willing to give a try.

At the time, neither company said how long their devices will receive these monthly updates and which devices will continue to get them. Some of their high-end devices were patched, but that's because of the severity of the Stagefright vulnerabilities. Most of the major smartphone companies were rather quick to issue patches for their more popular and high-end models at the time. However, they all failed to provide updates to all affected devices -- even the ones released in the past two years.

Vulnerabilities such as the ones in Stagefright have shown us that Android needs a more robust security model than the one it has now, where essentially no upgrade is guaranteed for any device. Even the new monthly security patch system falls short, because while the monthly upgrades are somewhat guaranteed, the companies don't say which devices will receive them.

The carriers also don't seem to be doing anyone any favors by prolonging the updates even longer, to the point where a company such as HTC has to say that it's not possible to deliver new updates, no matter how critical, within 30 days, when that update has to first get a carrier's approval.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
7 Comments Comment from the forums
  • Solandri
    Why are the carriers even a part of this? If they rented the phone to you for less than the purchase price I could understand it. But they don't. They put you in a binding contract where you pay the full price of the phone. So it's your phone, not theirs. They have no right to install their software on your phone.
    Reply
  • targetdrone
    If Google is serious about Android security(which I don't think they are) the only option they have is to force Android Vanilla Bean on every device that wants to be apart of the Android Ecosystem. Giving carriers final say on a security update is ludicrous.

    Imagine if security updates for personal computers and servers were left to OEMs with the ISP having final say if it gets released or not. :O
    Reply
  • targetdrone
    16734288 said:
    Why are the carriers even a part of this? If they rented the phone to you for less than the purchase price I could understand it. But they don't. They put you in a binding contract where you pay the full price of the phone. So it's your phone, not theirs. They have no right to install their software on your phone.

    It's all because Google wanted a customizable open source firmware for mobile devices. This allowed carriers to make highly customized firmwares that could break if Google push it's vanilla update to these devices.
    Reply
  • jasonelmore
    That's like asking why a Network administrator has any say on what type of routers or end user machines go on his network. The approval process is there to protect the network from bad patches that could have backdoors or exploits, or use a lot of data for no reason.
    Reply
  • targetdrone
    That's like asking why a Network administrator has any say on what type of routers or end user machines go on his network. The approval process is there to protect the network from bad patches that could have backdoors or exploits, or use a lot of data for no reason.

    Funny how Verzion and Cox have no say in what NIC, wifi adapter, or linux distro I can use while connected to their cable and FIOS networks.
    Reply
  • quadrider21
    Carriers need to stop loading all their own bloatware onto the phones. (Let people download it from the App stores if the want it)
    We need more Android devices like the Nexus series so we don't have to wait for carriers to approve these security updates.

    Look what Apple is doing with their new iPhones, you can use them across multiple carriers.
    if you have a 6S or 6S Plus, I believe the Sprint, Verizon and T-Mobile iPhones all have their modems unlocked so you could take them from carrier to carrier.
    The AT&T 6S and 6S Plus has the modems in it for the other carriers, but is currently software locked to AT&T.

    This gives them the ability to push updates and patches out quickly, which they've already done with iOS 9.0.2 coming only a week or two after iOS 9.0 was released.
    Reply
  • humorific
    The problem isn't the carriers, or manufacturers either. Android itself is architecturally flawed, as well as iOS. Their design is monolithic. You can't patch it or update it piecewise. Each "update" is almost always an entire software reload. Desktop OSes, like Windows are modular. If a flaw is found in a browser control, Microsoft can just update that control, without having to recompile everything and forcing everyone to reload the entire OS. Manufacturers are unable to patch their old phones because they can't separate the parts that support the phone's unique features from the common code that is flawed, The OS won't let them! iOS isn't much better. However, Apple is a sole source and uses its dominant position to bully the carriers to adhere to their update process if they want to sell iPhones.
    Reply