FTC To Smartphone Makers: Fix Security Or End Up Like HTC

Mobile device manufacturers should pay close attention to a recent settlement between the Federal Trade Commission and HTC, which the Commission claimed had failed to protect customers' privacy and personal data. Rather than affecting only HTC, the agreement is a warning that the commission is finally prepared to hold device makers responsible for securing their products.

How It Started

HTC drew the attention of the FTC by deploying customized software in 22.5 million Android devices that allowed third-party applications to bypass a security mechanism requiring user permission before installation. The HTC software was meant to gather data only to help the manufacturer troubleshoot problems, but its implementation showed HTC was clueless when it came to security.

In investigating HTC's sloppy work, the FTC found a number of poor security practices. For example, HTC had no effective program for assessing the security of products before shipping them to consumers. In addition, engineering staff was not properly trained in security and privacy and there was no testing for security flaws. Also, there was no process for receiving and addressing vulnerabilities found by third-party researchers and academics.

The FTC's findings were listed in a complaint that HTC settled by agreeing to a "comprehensive security program" that includes patching vulnerabilities that could be exploited by hackers and spammers. The agreement is a big deal, because taken together with the original complaint, the FTC has outlined for all device manufacturers what it considers best practices for security.

"To settle the case - the FTC’s first against a device manufacturer - HTC has agreed to a far-reaching settlement that imposes a first-of-its-kind remedy: patching vulnerabilities on millions of mobile devices," FTC senior attorney Lesley Fair wrote in the commission's Bureau of Consumer Protection blog.

Dismal Android Security

Makers of Android smartphones and tablets have created a huge security problem by shipping devices with older versions of the operating system and then failing to quickly update the software with the latest security fixes from Google. This has left millions of customers with devices that contain known vulnerabilities that cybercriminals are working feverishly to exploit.

"It's reasonable to assume that the next thing the FTC will look at is the unpatched vulnerabilities in Android itself that Google has fixed, but where the fixes haven't reached end users either because of the handset vendors or the wireless carriers," Christopher Soghoian, principal technologist for the American Civil Liberties Union, said. "This is probably the most interesting FTC case to come out in the last couple of years."

Android malware is growing substantially faster than any other category of Internet-delivered malicious app, according to Cisco's recent 2013 Annual Security Report. At the same time, cybercriminals are developing better software tools for breaking into Android devices.

In October 2012, the FBI warned that cybercriminals had built a mobile version of FinFisher, commercial spyware sold to law enforcement and governments, to steal personal data from Android phones. Also last year, the first Android botnet was discovered on the Internet, according to Cisco. A botnet is a network of compromised devices used to distribute malware and spam.

The FTC Isn't Alone

The FTC won't be alone in demanding better consumer protection from device manufacturers. Rep. Ed Markey (D-Mass.), co-chair of the bipartisan Congressional Privacy Caucus, plans to reintroduce this year "The Mobile Device Privacy Act," which would require companies to get the permission of consumers before using any monitoring software on mobile devices.

“With this important settlement, the FTC has sent a strong signal to the mobile marketplace that consumers’ sensitive information must be safeguarded,” Markey said.

With so much government attention on mobile device security, it's clear that manufacturers can no longer treat data protection and consumer privacy as an afterthought. Both will soon have to become a top priority.

Image courtesy of Shutterstock.