Android users upset that they don't get timely security updates from their device makers now have help. Last Friday (May 6), the Federal Trade Commission (FTC) ordered eight major smartphone manufacturers — including Google, HTC, LG, Motorola and Samsung — to provide information on how security updates are issued to end users.
At the same time, the Federal Communications Commission (FCC) launched a parallel inquiry asking major cellular carriers — an FCC spokesman told Bloomberg News the carriers were AT&T, Verizon, Sprint, T-Mobile, TracFone and U.S. Cellular — about how manufacturer security patches are distributed to end users. The FCC, in a public statement, said both agencies' goal was "to better understand, and ultimately to improve, the security of mobile devices."
In its statement, the FCC referred to the "Stagefright" vulnerability that the agency said "may affect almost 1 billion Android devices globally," due in part to the fact that many Android devices get security updates late, or never. Google provided a fix for Stagefright almost immediately after the flaw's discovery in July 2015, but the patch initially reached only users of Google's own Nexus phones.
Owners of Android devices made by other companies got the Stagefright fix later, and many older devices will probably never get it, as carriers often stop patching a handset once it's more than 18 months old. That's doubly dangerous for anyone running Android 4.0 Ice Cream Sandwich or earlier, as those devices are most vulnerable to Stagefright. (The flaw is mitigated in Android 4.1 Jelly Bean through 5.0 Lollipop, and fully patched in Android 5.1 Lollipop or later.)
In its own press release, the FTC said it ordered device-makers to provide "the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device" as well as a list of the devices that have received updates since August 2013. The agency demanded to know which vulnerabilities have affected each device, and whether those security flaws have been fixed.
In addition to the five handset makers mentioned earlier, the FTC also demanded information from Microsoft, BlackBerry and Apple, each of which makes sure devices running its own mobile operating system get updates in a timely manner.
Android phone makers and cellular carriers do need extra time to fine-tune Google's patches for specific hardware and carrier environments, but the delays of several months, or sometimes more than a year, experienced by many users create insecure and untenable situations.
If you want an Android phone that actually receives timely updates, your best bet is to pick one of Google's own Nexus devices. Close behind those are devices running the CyanogenMod or Cyanogen variants of Android. Otherwise, check each handset maker's track record for pushing out updates, as well as the documentation each maker provides.
For example, Samsung has accelerated its patching process, and there's now a Samsung website dedicated to security notifications. But only the last two years of Samsung devices will get the patches, depending on carrier cooperation. Older devices may leave you holding your breath until you're blue in the face while waiting to receive updates.