Washington, DC - Every business wants to forge an ongoing relationship with their customers. That principle takes on special significance for mobile device manufacturers when they need to issue security patches for the operating system software on their phones and tablets. Once devices are in consumers’ hands, are they getting the patches they need to protect against critical vulnerabilities? Are companies deploying those patches in a timely fashion and for a reasonable length of time?

That’s the subject of a new FTC report, Mobile Security Updates: Understanding the Issues.

Why do so many devices go without critical patches? We can think of three reasons:

1. The company never issued an update at all, perhaps because it can be time-consuming and expensive;
2. The patch is delayed, because working with other companies to develop, test, and deploy patches can take a long time; and
3. Consumers don’t install updates they find to be inconvenient.

But when weighed against the alternative – a device vulnerable to an onslaught of spyware, ransomware, and other injurious -wares – it’s something that needs to be done.

There’s another variable that confounds the picture: lots of variation, but not much information. Support periods – the time during which a device receives operating system updates – vary widely, even among comparable devices made by the same company or serviced by the same carrier. What if consumers want to factor in security support when figuring out whether to replace an old device or when comparison shopping for new devices? Good luck with that because it’s often hard for them to get much information about security support at all.

According to the Report, industry members have taken steps to streamline the patching process, but there’s more on the TO DO list to get security updates to users’ devices and to get them there faster. You’ll want to read the Report for the details, but here are some of the FTC’s recommendations to improve the process:

• Government, industry, and advocacy groups should work together to educate consumers about the importance of security updates. Consumers also need to understand that they play an essential role in the process.
• Industry members should – to use a few of our favorite phrases – start with security and stick with it. That includes encouraging a culture of security support. Consistent with the costs and benefits of doing so, companies also should embed security support considerations into product design and make sure that all devices – no matter their price or popularity – get security support for a period of time that is consistent with consumers’ reasonable expectations.
• Manufacturers should consider keeping better records about update decisions, support length, update frequency, and update acceptance so they can learn from experience.
• Companies should continue to streamline the security update process, with an eye toward making it easier for consumers. In particular, where feasible, issuing security-only updates – instead of bundling security patches with general software updates – may get easier-to-install patches to consumers faster.
• Manufacturers should consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.