The Federal Trade Commission published a report (PDF, 134 pages) last month recommending improvements to the security update process on a range of mobile devices.

Information the FTC requested from eight mobile device manufacturers – Apple, BlackBerry, Google, HTC, Microsoft, LG, Motorola and Samsung – was examined in conjunction with information the FTC requested from wireless carriers about their security update practices.

The report notes “complex and time-consuming” update processes, with “highly variable” support periods and update schedules, and scant public information provided by manufacturers about support in general. Further, manufacturers with more products and/or greater differentiation between products tend to offer less overall support for each. Support is commonly focused on newer devices, and often it is premium or popular models which benefit for the longest time.

This means that:

Many devices remain without important security updates for long periods – either because no update is issued at all, because approving and deploying a patch is a lengthy process, or because users do not install available updates … Support periods, the time during which a device receives operating system updates, and update frequency vary widely, even among devices that cost the same, are made by the same company, or are serviced by the same carrier. A device may receive security updates for many years – or, in some instances, may not receive any updates at all.

A general lack of consumer interest in these varying levels of support means that such information is rarely advertised to prospective customers.

The FTC report offers several recommendations:

  • Government, industry and advocacy groups should work together to educate consumers about their role in the update process and the significance of updates.
  • Industry should build security into support culture and further embed security support considerations into product design, consistent with the costs and benefits of doing so. To that end, industry should ensure that devices receive security updates for a period of time consistent with consumers’ expectations.
  • Manufacturers should consider keeping better records about update decisions, support length, update frequency, and update acceptance so that they can learn from their past practices.
  • Companies should continue streamlining the security update process. In particular, manufacturers should consider issuing security-only updates instead of bundling security patches with general software updates.
  • Manufacturers should consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.