Mobile security updates are a mess. The FCC and FTC want to know why.

Dear mobile device manufacturers and carriers: the US government has a lot of questions for you about how you’re protecting consumers from security vulnerabilities.

Earlier this week, the Federal Communications Commission (FCC) sent letters to mobile carriers seeking answers to questions about how they provide security updates to their customers.

At the same time, the Federal Trade Commission (FTC) is investigating the security update processes of eight mobile device manufacturers, including biggies Google, Apple, Samsung and HTC.

The FTC ordered the companies to respond to an exhaustively detailed questionnaire.

The FCC and FTC investigations into the issue of mobile security updates come nearly 10 months after a critical vulnerability in Android known as the Stagefright bug left 95% of Android devices – potentially 1 billion users – vulnerable to malicious media files.

The FCC’s statement on the inquiry noted that an “growing number of vulnerabilities” in mobile operating systems threaten the security and privacy of business and personal communications.

Yet the way mobile device manufacturers, OS providers and mobile carriers have responded to vulnerabilities can leave users unprotected “for long periods of time or even indefinitely,” the FCC said:

Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices – and that older devices may never be patched.

As Google announced in its second annual Android security report, released last month, about 30% of Android devices are running older versions of the OS that Google no longer supports with security updates.

Google began issuing monthly Android security updates, in August 2015, but only Google-manufactured Nexus devices get updates directly from Google.

Android is an open source OS, which allows carriers and mobile device OEMs to create their own custom versions of Android, and the vast majority of Android devices get security updates from the carriers, who may take months to push the updates out.

Apple’s security update process for iOS is tightly controlled by Apple, not the carriers, but its process for updating iDevices isn’t exactly transparent.

Other non-Android mobile device manufacturers, such as Microsoft and BlackBerry, have their own processes for issuing security updates.

How the mobile device makers decide which vulnerabilities to patch, and when, is precisely the kind of information the FTC is seeking in its order.

The FTC told the companies that it needs to explain which device models it supports with security updates, which models are no longer supported, how it determines which models receive the updates, and whether and how it communicates that information to consumers.

The FTC also demanded to know how the mobile device companies have responded to “each vulnerability that … could result in unauthorized code execution or compromise the confidentiality of consumer data.”

For each specific device model identified in response to Specification 5(A), please identify each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data. Describe in detail the Company’s response to the vulnerability…

The mobile device makers have 45 days to respond to the FTC.