By delaying or even blocking security updates for mobile devices, mobile carriers put their users, their business, and the country’s critical infrastructure at unnecessary risk. Mobile security problems plague the entire software stack — the baseband, the kernel, the application frameworks, and the applications — and carriers continue to resist shipping regular and frequent updates.
For a specific example, consider the compromise of a Comodo certificate authority. The only “solution” for the problem of Comodo’s compromised CA is to update the browser and ship the new browser to every client computer. Without that update, browsers remain vulnerable to the hacker. While personal computer users might plausibly update their computers, mobile users have little or no control over the security status of their devices. There is unlikely to be any update they can get any time soon. Mobile devices will remain vulnerable to the fraudulent certificates for many months (or years) to come.
In fact, Ars Technica reported last week that Windows Phone 7 on AT&T is all but guaranteed to be months out of date at any given time — if it ever gets updates at all. Android and iPhone suffer from delayed updates as well.
Mobile carriers are chiefly to blame for this problem. Although Apple, Google, and Microsoft should develop security fixes faster, they are fundamentally limited by carrier intransigence.
Carriers should stop blocking frequent updates for mobile devices, and should work with subscribers and with platform vendors to ship security updates on an internet timescale.