Will Stagefright force all mobile makers to release monthly security updates?
Stagefright took the Android world rather by surprise. As well as catching the industry with its pants down, it highlights a problem of mobile security: it's just not taken seriously enough. In response to the Stagefright vulnerability, both Samsung and Google announced new monthly security update cycles.
Not to be outdone, LG has now followed suit, and it would be surprising if we didn’t see more manufacturers of Android handsets doing exactly the same in the coming weeks. But in announcing its own monthly security update schedule, LG has highlighted another stumbling block for mobile security. Carriers.
For many people, there is quite a delay between the release of a new version of Android and its availability from their carrier. It could take months before updates are made available to customers, and some handsets are ignored completely. While it is undoubtedly good news that mobile manufacturers are interested in trying to stay on top of security issues, the wording of the announcement raises questions.
In an email to Wired, LG said:
"LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority."
The likes of LG may well start to produce security updates 12 times a year, but how long will it be before they filter down to customers? Carriers will want to run their own tests and checks on updates that are produced, and with the problem of Android market fragmentation, this is something that could take some time. Some handset producers have the luxury of being able to push updates directly to handsets without the need to involve a middleman, but this is certainly not the norm.
The likes of Motorola, HTC et al. have yet to indicate whether they will start their own monthly security update releases, but it would be very surprising if this didn’t happen. But as well as the problem of the carrier middleman, there is also the issue of how long handsets are supported. While desktop operating systems are supported for upwards of a decade, the same cannot be said of mobile operating systems.
Despite the fact that there are so many different versions of Android in use -- a problem exacerbated by carrier customizations -- only the most recent tend to receive support. Stagefright affects up to 95 percent of Android handsets, and it's safe to assume that a very large proportion of handsets that are vulnerable stand no chance of being patched.
It's great that handset manufacturers are taking steps to try to improve security, but before we get too excited, we really need assurance from carriers that updates will be pushed out as quickly as possible.