Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Android phones at growing risk of ‘smishing’ fraud

Craig Timberg | Feb. 7, 2013
Google’s record of updating software on its own line of phones and tablets, called Nexus and produced in conjunction with other manufacturers, is better than when phone makers simply adopt the Android system, which Google makes and distributes for free.

The latest version of Android — the one with the "smishing" fix — is used by just 1.2 per cent of the more than 500 million Android devices worldwide, according to data compiled by Google. The company says it also released a security patch that could repair the flaw in earlier versions of Android, but neither Google nor the wireless carriers could say how many current phones received the patch.

Ars Technica, a news site covering the technology industry, analysed the update schedules for dozens of the most popular Android smartphones in December and found that most had received only two updates since consumers bought them, sometimes years earlier.

Update cycle

Apple's iPhone, the leading competitor to Android smartphones, gets operating system updates several times a year. A similar update schedule is common to desktop and laptop operating systems and other software, with updates happening automatically — often with users not even knowing it.

What's different about the Android line of smartphones is that there are dozens of devices made by various manufacturers, such as Samsung, LG and HTC, that tailor the software and its updates to their own specifications. Then US wireless carriers, such as Verizon Wireless, AT&T and Sprint, make their own changes and test each update before sending it to consumers over their wireless networks.

The overall process typically takes months and happens far less frequently than recommended by security experts, who call the diffusion of responsibility among several companies "fragmentation." Blame, too, is spread widely, though often focuses on the carriers as the most important choke point.

"Supporting five releases of phones is a cost they absolutely don't want to incur," said Dmitri Alperovitch, chief technology officer for CrowdStrike, a security company.

Wireless carriers say they seek to release updates promptly, but they acknowledge that the process generally takes months.

"When more than one company is involved in delivering the final product, as is the case with the Android environment, any improvements in the security update process must include all entities involved," said Ed Amoroso, chief security officer for AT&T.

"We all have a collective interest for a fast and consumer friendly update process and we intend to coordinate with other providers to see if we can engineer a better solution than the one we have now."

Verizon Wireless, the largest wireless carrier, and Samsung, the largest Android device maker, both declined to answer detailed questions and said they deliver updates as quickly as possible. Sprint declined numerous interview requests, referring queries to Google.

But security experts say Google by itself has little power to get faster updates to phones. It founded the Android Update Alliance in 2011, along with carriers and device makers, but the initiative has produced little so far.

 

Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.