In a desktop and laptop environment it is standard practice to update software. Every few days some software product announces that it needs updating or, depending on settings, starts updating itself to mend flaws and/or offer new features. Anyone using these devices is familiar with these procedures.
On a mobile device this is very different. Although I can only speak for the Android variety, I can say from personal experience that I have never been offered a software update in any form from the hardware side, the software side or the operator. Some apps do, e.g. WhatsApp sends updates regularly, but most do not, or only very irregularly.
ECP workshop on mobile security 2011
In the fall of 2011 I co-organised and moderated a seminar on mobile security for ECP, the Dutch platform for the information society. It was pointed out in this session that there are many levels of responsibility in the mobile chain, and the following question was put to the audience: where does the responsibility for security and updates lie? This proved extremely hard to determine, as there were many shared responsibilities and little incentive to pick them up exclusively. Quite possibly no one in the chain had the power to take that responsibility exclusively. Fingers were pointed in several directions, including at the EU, as national-level public oversight would certainly not work in a multinational supply chain.
While mobile devices have since 2011 become ever more powerful mini-computers that hold ever more personal data and banking details, things have remained quiet on the security front. That is, in a way, disconcerting. Why? Just some examples. It will probably not be long before banks force their customers towards mobile banking. Insurance companies actively run commercials urging customers to contact them through apps: “app your damage”. Our personal data is gathered through apps by the second. (Let me remind you of De Correspondent’s research on the topic from late 2013: https://decorrespondent.nl/1034/Dit-gebeurt-er-allemaal-onder-de-motorkap-van-je-smartphone/50352698-785491ea .) Social media and TV-like functions have moved to mobile.
The use of mobile has changed; security has not
Most people run at least parts of their public and private life through their mobile devices. This calls for a different level of security, one that is not offered at present by the different players in the mobile chain. Yes, the end user is in part responsible for his own security, but he cannot force providers, the phone industry and software companies to update their operating systems regularly, nor tell them to build in privacy by design. Voting with his feet is hardly an option, as not participating means socially exiling oneself, or becomes impossible when an option becomes mandatory in the future.
Who can have influence? It was suggested in 2011 that governments could play a more active role, but we can conclude that this has not happened in the past five years. Now there is the news that Google will step up its efforts (see e.g.: http://www.bloomberg.com/news/articles/2016-05-25/google-steps-up-pressure-on-partners-tardy-in-updating-android) to have companies that use its operating system Android update it regularly. It remains to be seen whether Google has the leverage to “enforce” its stand, as Google has a dependency on these companies as well. The step is a welcome one though, and one that shows ownership and leadership of the security problem.
The more users Android has, at least 1.5 billion, the more attractive it is for hackers, fraudsters, cyber criminals and spies to work with. This cannot be stopped as such, but it can be made less successful by updating the software regularly and thus stopping the bugs from being exploited.
Undoubtedly updating will serve Google, in a few ways, but it will serve its clientèle as well. The initiative could probably use some support from industries that will benefit from a more secure mobile environment. Support from the public side may assist here as well.
Next up is?
This news is a welcome step. Now for all those other pieces of software on mobile devices, not to speak of Wi-Fi connections. Who is responsible for making them as secure as possible? Another difficult question that begs an answer, so that end users, companies and society as a whole can be more secure when going online through a mobile device. There’s no turning back, but things deserve to get better. Fast.
Wout de Natris, De Natris Consult