More Android security needed, says ACLU

The American Civil Liberties Union (ACLU) is lashing out at major U.S. wireless carriers, claiming they have not done enough to patch dangerous vulnerabilities in Android operating software. AT&T, Sprint, Verizon and T-Mobile were all named in the suit filed Tuesday, which calls for action from the U.S. Federal Trade Commission.

According to the ACLU, the carriers offer Android phones but rarely roll out security updates, a practice that leaves customers at risk of hacking attacks. It contravenes Federal Trade Commission provisions disallowing deceptive and unfair business practices, says the filing, noting customers should have the right to terminate contracts for phones that are no longer eligible to receive security updates.

“All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices,” wrote analyst Christopher Soghoian, in the document.

“The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, email, instant messages, and online banking credentials.”