ACLU files complaint with U.S. FTC: Mobile carriers fail to provide security for Android phones

“The America Civil Liberties Union filed a complaint with the Federal Trade Commission today asking the agency to investigate the four major mobile carriers’ security practices in regards to smartphones,” Dara Kerr reports for CNET. “The civil liberties group claims that AT&T, Verizon, T-Mobile, and Sprint are not doing enough to protect users’ private and personal data — specifically on Android devices”

“The gist of the complaint is that these carriers aren’t providing users with timely security updates, which the ACLU says is akin to “deceptive and unfair business practice,'” Kerr reports. “‘The major wireless carriers have sold millions of Android smartphones to consumers,’ the ACLU wrote in its complaint. ‘The vast majority of these devices rarely receive software security updates.'”

Kerr reports, “‘Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous,’ the ACLU wrote. ‘As the FTC has acknowledged, security vulnerabilities on consumers’ mobile devices may be used ‘to record and transmit information entered into or stored on the device … to target spear-phishing campaigns, physically track or stalk individuals, and perpetrate fraud, resulting in costly bills to the consumer… [and to misuse] sensitive device functionality such as the device’s audio recording feature… to capture private details of an individual’s life.'”

Kerr reports, “Android devices are notorious for attracting malware and some of it is quite sophisticated. Some types of malware can embed themselves on smartphones and steal information from users, while others act as spyware and take over components of the device. Last October, the FBI warned users to be aware of such mobile malware because it is especially lured to Android’s operating system.”

Read more in the full article here.

MacDailyNews Take: Android. “Open” in all the wrong ways. iPhone knockoffs come with a hefty price; too hefty a price for discriminating smartphone users.

Android is very fragmented. Many Android OEMs… install proprietary user interfaces to differentiate themselves from the commodity Android experience. The user is left to figure it all out… In addition to Google’s own app marketplace, Amazon, Verizon, and Vodafone have all announced that they are creating their own app stores for Android. So, there will be at least four app stores on Android, which customers must search among to find the app they want and developers will need to work with to distribute their apps and get paid.

This is going to be a mess for both users and developers.

What’s best for the customer? Fragmented versus integrated? We think Android is very, very fragmented and becoming more fragmented by the day. And, as you know, Apple strives for the integrated model so the user isn’t forced to be the systems integrator. We see tremendous value in having Apple, rather than our users, be the systems integrator.

We think this is a huge strength of our approach compared to Google’s. When selling to users who want their devices to just work, we believe integrated will trump fragmented every time. And we also think our developers can be more innovative if they can target a singular platform, rather than a hundred variants. They can put their time into innovative new features, rather than testing on hundreds of different handsets. So we are very committed to the integrated approach, no matter how many times Google tries to characterize it as “closed,” and we are confident that it’ll triumph over Google’s fragmented approach, no matter how many times Google tries to characterize it as “open.”Apple CEO Steve Jobs, October 18, 2010

[Thanks to MacDailyNews Reader “Markus Winter” for the heads up.]

Related articles:
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
FBI’s Android security warning means Apple’s iPhone beats Android for BYOD enterprise – October 16, 2012
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010

18 Comments

  1. Steve Jobs – a visionary, prophet and genius saw it very clearly and called it with knowledge and authority.

    Now, imagine that was the standard which all pseudo tech writers and analists were held to….

    1. If you mean to say that no responsible person should ever use an Android device, I think I agree. I wish people would stop asking me “I’m getting an iPad. Which is better, the Galaxy or Nexus?”

  2. So if this comes to fruition, and the carriers are held liable for this (frivolous in my mind) legal action, they will cease selling items deemed “dangerous”. It’s a matter of business. That means what? iPhones and what’s left of windows phones. Blackberries, if they’re still around. Cue Louis Armstrong’s “What a Wonderful World”…

  3. I’m no fan of android by any means. i’m a 100% proud apple fan boy, but i think the ACLU has targeted the wrong folks. since when is it the carriers job to impose security? do people sue best buy when their windows device gets a virus? the carriers are just the messengers. it seems to me that the ACLU SHOULD be targetting the company that writes the android code. you know, the folks who are actually responsible for the security holes in the first place!! this is ridiculous and all it will do is drive carrier prices up for all of us since now everyone will have to pay for the litigation bills from the carriers. i pray this doesn’t go to court and that the ACLU gets biatch slapped by the judge for being stupid!

    1. You make a valid point with the BB analogy. However, the American Civil Liberties Union doesn’t hold much sway in Korea and Red China. Target the telcos to get at Moto and Gaggle without the costly proposition of going up against them directly.

      1. How are the carriers preventing Samsung, Motorola, HTC, etc. from having a security update posted on their website and an email sent to their users?

        The reality is that none of the Android handset makers has any incentive to provide security or OS updates – they want you to buy a new phone, not update your old one and keep using it. They’re not in the software biz, they’re in the hardware sales (turnover is my friend) biz.

        I doubt the carriers could do much about this even if they wanted to, because each handset maker tweaks Android to fit its devices, and thus no one security update could possibly be effective for all handsets.

        Thus the effects of Android fragmentation.

  4. With all due respect for anyone calling out Android, I have to ask the ACLU if any of these carriers promised phone buyers that the OS would be updated. I’ve never listened to an Android sales pitch so don’t know. If not, then Android buyers need to live with their bad decision and replace their mistake with an iPhone at the end of the contract.

    1. I think it’s expected by the public that an OS developer will issue security updates for its device, whether PC or mobile. That is the norm in today’s computer age.

      1. Uhhh… No. It’s expected by the Public that the item they are purchasing is operational, good quality and useful- otherwise they wouldn’t buy it. Everything else is Caveat Emptor.
        Counselor?

  5. “Kerr reports, “‘Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous,’ the ACLU wrote.”

    OK, I feel a little dirty to even question this (and I’m certainly not defending Android, yech!), but seems the ACLU’s statements are nothing more than hyperbole. If failure to update something to address an issue caused by someone else is “defective”, then hasn’t Windows been defective for decades. Where has the ACLU been for the past 30 years on that issue. I could probably come up with dozens more examples across our society that fit that definition of “defective”.

    1. I think the issue is that the security updates exist, but the carriers don’t push them through in a timely fashion. If the security update is out there, but the consumer has no way of installing it, then there’s a problem and it neither the developer’s fault or the consumer’s, just the middle man (the carrier).

  6. I think many people are missing the point. The carriers have been INTENTIONALLY holding back the release of updates in an attempt to drive sales of new devices.

    So, Google addresses a security issue, and creates a new build. The device manufactures take it and then they muck with it however they do. Their update is now ready. The update that contains security fixes (and/or new features) is released, and then the carriers decide when it is actually released out into the world on consumers’ devices.

    Just as many devices out there right now have a later build ready to go (for example, Verizon has had 4.2.2 ready to go for quite a while now for the Samsung Galaxy S3), but in an attempt to drive users to purchase new devices that come with 4.2.2 are holding back the release. So, if you have a Samsung Galaxy S3 on Verizon, you are currently still stuck on 4.1.2, but if you walk into Verizon later this month and purchase a Galaxy S4, you will get 4.2.2. Verizon has stated that they will release 4.2.2 “sometime after May 15th (and the carriers have been notorious about not delivering updates when they claim they will)”, but they have had it for a while now, ready to go. They are holding it to try to drive sales (and early contract renewals)

    In some cases, carriers have sat on updates provided to them for 13 months.

    I’m certainly no Android fan, but this practice is horrible.

    I’m glad Apple refused to play this game and demanded that they control the updates. This is one of the reasons ATT was initially the only carrier for the iPhone.

  7. Android security, a true story and why I switched to iOS.
    In the last 6 months, my contract ended with Bell. And on a tight budget I decided to try Mobilicity. They want you to pay the phone out right. I mistakenly chose the S2, yet with a sweet 12.50 a month unlimited in calls and out going text etc.; monthly agreement – a really nice offer. Budgeting wise in deed. I had to activate the agreement with my credit info. and for 5 months i have been enjoying the carrier and the phone just fine. Yeah, envious of a iPhone of course but settled for the short run. Now, A month ago, I needed to check my credit balance. I used the Android device. Entered my info. And in less then 30 seconds the banking institution calls me back. Sir, we are sorry to inform you that your card has been used over seas in Asia. Actually, 10 attempts and 3 successful transactions for Cash advances that I had never approved of. Interestingly I never had provided the cell phone number to my bank. Only a few people knew my number. And on top of this, my card was a brand new number too. I totally blame this on Android and the carrier. I have heard there is a key-logging feature to help both the carrier and Google; supposedly to improve the OS. It’s the only thing I can think of. And since the security does suck on Android I can not afford credit fraud to happen again – So I will hold Both the Operating System and the Carrier responsible on my iPhone with Rogers.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.