The American Civil Liberties Union has called on wireless carriers to either take responsibility for Android security on the mobile devices they sell or let Google handle updates to protect the millions of people using the operating system.
Christopher Soghoian, principal technologist for the ACLU, also urged federal legislators to pressure carriers into reversing their dismal handling of Android security. Soghoian made his remarks on Monday at the Kaspersky Lab Security Analyst Summit in San Juan, Puerto Rico.
"If they want to control the software that runs on the device, then they need to take responsibility for the software that runs on the device," Soghoian told CSO Online. "If they don't want that responsibility, they need to give the control to someone else."
"Right now, we have the worst of both worlds," he said. "Where the carriers get the control and don't take the responsibility."
Wireless carriers did not respond to requests for comment.
Because of the carriers, millions of Android users are currently using older versions of the operating system with known vulnerabilities that can be exploited by cybercriminals, Soghoian argues. In many cases, Android users are running versions of the OS that are two generations old.
The lack of a consistent mechanism for pushing Android security updates to all users regularly has been a problem for years. Google provides a baseline implementation of the OS through the Android Open Source Project, and lets carriers and their hardware device partners add whatever features they wish.
As a result, thousands of versions of Android are in use, making it impossible under the current conditions to secure all of them through one update.
Lawrence Pingree, an analyst for Gartner, said, "It is very unlikely that Google has the resources required or the wherewithal to offer significant support for all the flavors of Android deployed in the world and since the OS is open-source, it likely has no obligation to do so."
The ACLU has chosen to raise the issue at a time when recent cyberattacks from China have made front-page news. Last week, The New York Times and The Wall Street Journal reported that Chinese hackers broke into their computer systems.
Also, Twitter reported that "extremely sophisticated" hackers stole the user names and passwords for a quarter million users.
With so many high-profile security breaches, Washington lawmakers are more likely to become receptive to putting in place regulations for mobile phone security, Soghoian said.
"The position that the wireless carriers are in right now, to be honest, is indefensible," he said. "The only reason they've been able to get away with this as long as they have is because the average consumer, and many policymakers, just didn't know that this was happening."