FTC’s Report on Mobile-Device-Security-Update Practices — Summary and Recommendations

Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues.[1] As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, mobile devices have, unsurprisingly, become increasingly fertile ground for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbott, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and at the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and distributing software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security.

In its Report, the FTC identifies twin requirements of reasonable security in the mobile online ecosystem: secure product design and timely and effective software patching. Focusing on the second requirement, the Report analyzes responses from eight mobile-device manufacturers (including Blackberry) to the FTC’s May 6, 2016 Orders to File Special Reports on the subject. The eight manufacturers together held a majority of the mobile-device market. The Report documents the key findings from those submissions and provides recommendations to the industry on software security patching.

The Report’s conclusion is that, although industry participants have made progress in the complex and time-consuming security-update process, significant areas for improvement remain. Unable to anticipate market conditions, device manufacturers appear to approach the security-update process on an ad hoc basis, weighing a variety of different criteria when deciding whether to push out patches, including the age, popularity, and price of a particular device; support costs; the level of involvement of key partners in the process (e.g., mobile carriers and operating-system developers); the severity of the vulnerability; and the timing of the manufacturer’s next regularly scheduled update, if any. This decision process results in highly variable and uncertain support periods and update schedules, not only across different devices from one manufacturer, but also for the same device depending on the carrier. The FTC further concludes that manufacturers generally do not maintain regular records about updates and, consequently, do not analyze past experience in order to make the process more efficient. Finally, many manufacturers are not educating consumers about update support, leaving consumers uncertain about what actions to take and about the importance of applying updates.

Based on these findings, the Report identifies five areas for improvement by industry participants across the mobile security ecosystem:

(1) Educate consumers about the importance of security updates and the critical role consumers play in ensuring security;

(2) Continue the effort to build security into product design and updating processes, including creating written patching protocols to reduce the ad hoc nature of current decision-making;

(3) Collect and share information on update support to develop a historic and comprehensive view of trends and issues;

(4) Streamline the security-update process, including, as appropriate, bundling security updates with or unbundling them from functional updates, and streamlining testing and deployment; and

(5) Specifically for mobile-device manufacturers, provide consumers with more and better information about update support, including clearly communicating guaranteed support periods, expected update frequencies, and end-of-support schedules.

The Report concludes with steps that can be taken to assist in meeting consumers’ security expectations and to mitigate potential security gaps. Accordingly, mobile-device manufacturers might consider the following as they develop written patching protocols:

(1) Consider patching critical vulnerabilities through security-only updates. Bundled updates usually take longer to develop and test, delaying deployment. Bundled updates also tend to see lower and slower uptake, because some consumers avoid unwanted or unfamiliar functionality updates, and because consumers on limited data plans may be reluctant to download a large bundled patch over mobile networks.

(2) Consider patching critical vulnerabilities on older or cheaper device models; alternatively, consider notifying customers when devices are no longer supported. Similarly, because consumers often purchase refurbished or older devices, consumers should be informed at the time of purchase whether a particular device is supported. The Report also notes that many consumers expect to use their mobile devices until the devices stop working or become obsolete. Absent clear information on end-of-support, consumers may assume that critical vulnerabilities will be patched for as long as the device remains usable.

(3) Because consumers may have different security expectations depending on the price of a device, manufacturers should clearly describe patching and updating policies across product lines.

(4) Finally, mobile carriers should watch out for disparities in update frequency or timeliness relative to other carriers, especially for identical devices. The same patch from a manufacturer deployed much later by one carrier than by another, for example, may confuse consumers regarding the protections available to them.

[1] The FTC was actively engaged in mobile security issues in 2013, including hosting a public forum, Mobile Security: Potential Threats and Solutions, and publishing a staff report titled Mobile Privacy Disclosures: Building Trust Through Transparency.