In February 2018, the Federal Trade Commission (FTC) released a report that explores the complexities of the mobile ecosystem and makes recommendations for industry to improve the mobile security update process for consumers.

The report is part of the FTC’s effort to address concerns that mobile devices are not receiving the operating system patches they need to defend against attacks. It begins by highlighting that even though three-quarters of Americans own smartphones and increasingly rely on them to store and transfer sensitive information, many devices are not receiving the updates they need to protect against critical security vulnerabilities. As a result, many consumers’ devices are vulnerable to malicious software attacks like spyware, phishing, and ransomware, all of which put consumers at risk of identity theft, fraudulent charges, and similar financial or other risk. As characterized by former Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl, “[c]onsumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” but “significant differences in how the industry deploys security updates” must be addressed to “make it easier to ensure their devices are secure.”¹

Background and Findings

The Mobile Security Updates report is largely based on information the FTC obtained from eight device manufacturers that make up most of the mobile device market in the U.S.—Apple, Blackberry, Google, HTC America, LG, Microsoft, Motorola, and Samsung. Pursuant to its authority under Section 6(b) of the FTC Act, the commission issued identical Orders to File a Special Report to each company requesting the following information: (i) factors considered in deciding whether to patch a vulnerability on a particular mobile device; (ii) detailed data on the specific mobile devices offered for sale to consumers since August 2013; (iii) vulnerabilities that have affected those devices; and (iv) whether and when the company patched those vulnerabilities.

Based on the information it obtained from these device manufacturers, in addition to the data the Federal Communications Commission (FCC) gathered through its parallel inquiry into wireless carriers, the FTC set out its findings and recommendations for companies to consider in improving their mobile security update practices.

Part VI.A of the report identifies the FTC’s key findings based on common characteristics among industry participants. Specifically, the FTC found:

• the complexity of the mobile ecosystem renders the security update process complex and time-consuming;²
• industry participants have taken steps to streamline the security update process, but bottlenecks remain;³
• support periods and update schedules are highly variable, and formal support policies are rare;
• device manufacturers that develop and control their own operating systems tend to commit in advance to longer support periods for devices due to the lack of operating system customization, which drives down support costs (e.g., related to patch implementation and carrier testing);
• some device manufacturers state that they do not commit to firm update support periods or schedules because they cannot anticipate market conditions;⁴
• many device manufacturers do not maintain regular records about update support, but manufacturer-carrier communications reveal that when they do record, study, and share their data, they are able to gain important insights that lead to practice improvements; and
• manufacturers provide little, if any, express information to consumers about support periods, update frequency, and end of update support.

Recommendations

Based on these findings, Part VI.B of the report lays out the commission’s recommendations for industry to improve the mobile security update process for consumers: (i) educate consumers; (ii) start with security; (iii) learn from the past; (iv) adjust the security update process; and (v) embrace greater transparency.

Educate Consumers. First, the FTC recommends that government, industry, and advocacy groups work together to educate consumers about the importance of the operating system update process. According to the commission, the more consumers understand the importance of updates to the security of their devices and the sensitive information they store on them, the more likely they are to benefit from available updates.

Start with Security. The commission also encourages key industry players – including device manufacturers, operating system developers, and wireless carriers – to “start with security” by embedding security into design and support culture and decisions. Most importantly, the FTC recommends that industry take steps to ensure mobile devices receive operating system updates for a period of time that is consistent with consumers’ reasonable expectations. Although the FTC concedes that it is appropriate for manufacturers to weigh the costs and benefits of varying levels of update support for the devices in their portfolios, the FTC still places a premium on transparency, stating “if choices are transparent, consumers will likely benefit from the choices that such variety permits.”

Learn From the Past. The FTC recommends that industry “prepare for the future by learning from the past.” In other words, the commission makes clear that it wants companies involved in the mobile security update process to keep and consult records about support length, update frequency, customized patch development time, testing time, and uptake rate, and share this information with its partners so they can improve industry best practices.

Adjust the Security Update Process. Additionally, the FTC would like to see companies increase the speed and frequency of mobile security updates even if doing so isn’t necessarily in their best interest. The FTC identified three specific actions companies can undertake to streamline the security update process. First, companies should patch vulnerabilities in security-only updates when the benefits of more immediate action outweigh the convenience of a bundled security-functionality update. Second, companies that test updates or otherwise impose such testing requirements should ensure their processes and requirements are compatible with a commitment to timely security updates. Third, companies that deploy updates should explore ways to improve the rate at which consumers install security updates.

Embrace Greater Transparency. Finally, the commission recommends that device manufacturers give consumers “more and better” information about security update support. Specifically, the FTC would like device manufacturers to implement and disclose minimum guaranteed security support periods and update frequency for their devices. The commission also encourages manufacturers to consider giving device owners prompt, just-in-time notice when security support periods are about to end and when they have ended so that consumers can make informed decisions about replacing their devices or using them after the support period is over.

Conclusion

In sum, while the FTC recognizes and appreciates the complexity of the mobile device ecosystem, the commission makes clear in its report that industry can take certain measures to improve the mobile security update process for consumers. Most importantly, companies would do well to be transparent about their security update support periods, and take steps to ensure consumers understand the importance of security updates and the level of security support they’re getting when they buy a particular device.

¹ Press Release, FTC, “FTC Recommends Steps to Improve Mobile Device Security Update Practices,” February 28, 2018, https://www.ftc.gov/news-events/press-releases/2018/02/ftc-recommends-steps-improve-mobile-device-security-update.

² In its report, the FTC acknowledges that issuing mobile security updates is not a one size fits all process. Specifically, the FTC found that that because device manufacturers customize operating system software at the device level—either to introduce new features or per a carrier partner’s request—just one update may require dozens or hundreds of different device-level modifications and testing protocols, a process that can take years to complete.

³ Specifically, the FTC found that although industry has reduced testing times for some updates and is issuing updates more frequently for some devices, adoption of these changes is inconsistent and significant time gaps between discovery of vulnerabilities and patching still exist.

⁴ In identifying this issue, the FTC notes that although the market may be unpredictable, manufacturers may be able to learn from past update support practices related to device price and age to inform update support estimates.