In its recent report (Mobile Security Updates: Understanding the Issues), the FTC expressed concerns with the process for keeping mobile devices updated and secure. Of particular concern for the FTC were inconsistencies in the length of time that support is offered for mobile devices, the frequency of updates and the perceived lapse of time between identifying a vulnerability and effectively installing a patch on consumers’ devices. Further, the FTC was worried that information about device support and update frequency is not always clear to consumers, and is not always maintained by manufacturers.
To address these concerns the FTC recommended that those in the mobile device industry commit to supporting devices for as long as consumers would expect such support. Customer expectations could be managed through policies and contracts. The FTC also recommended pushing out regularly scheduled updates and, of particular concern, asked device manufacturers to (a) prioritize security-only updates for high-risk vulnerabilities, and (b) ensure that testing and deployment efforts keep pace with update schedules. The FTC called for keeping records showing the actions taken and decisions made throughout the update process. Finally, the FTC called on members of the industry to work with government and advocacy groups to ensure that consumers understand the importance of security updates – in particular, the critical role consumers play in the update process.
Putting it Into Practice: For those in the mobile device industry, this report gives guidance on steps the FTC expects with respect to how to keep devices updated and secured after they are in the hands of customers.