In-brief: A consumer group in The Netherlands is suing smart phone giant Samsung over its lax management of the security of its devices – part of the larger fragmentation of the Android ecosystem.
Much has been written about the slow-moving train wreck that is the Android ecosystem. Here at The Security Ledger, we’ve written about it from a number of different angles. The main themes are always the same, however. Namely: that Google’s decision to open source Android without retaining any central control over software updates has spawned a vast but fragmented population of devices with little or no active management.
From a business perspective, Google’s strategic decision to leave device management to their downstream customers (aka handset makers) has worked. From the perspective of security, it hasn’t. Rather, history has shown that handset makers and their customers (often telecommunications firms) have little incentive to push out operating system updates for populations of millions of Android devices that customers may carry only for months at a time. Instead, the purchase of a new device – what is referred to as “forklift upgrades” in the business sphere – has become the preferred tool for getting users on the latest version of Android. Google appears to be OK with this state of affairs, as well, claiming time and again that fragmentation isn’t an important issue.
In the absence of any concerted effort to change that state of affairs, Consumentenbond, a consumer group in The Netherlands, is trying a new approach: taking handset maker Samsung to court to try to force the company’s hand on security updates for its phones and tablets. From the Consumentenbond web site (translated from Dutch):
“Consumers are not sufficiently informed on the purchase of a Samsung Android device about how long they will receive software updates. The Consumers’ Association claims that Samsung (in) this matter does not provide clear and unambiguous information to customers. Samsung also does not provide sufficient information on critical security holes in its Android phones like Stage Fright.”
A common but loosely managed open source operating system can make Android vulnerabilities particularly potent. A vulnerability in a core Android component in 2013 was estimated to affect some 900 million devices.
In response to the lawsuit, Samsung issued a statement to the web site sammobile.com saying that security is a “top priority” for the company.
“At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. That is why we have made a number of commitments in recent months to better inform consumers about the status of security issues, and the measures we are taking to address those issues. Data security is a top priority and we work hard every day to ensure that the devices we sell and the information contained on those devices are safeguarded.”