The Federal Trade Commission has put mobile device manufacturers on notice that they could be held responsible for securing products to protect consumers against cybercriminals.
The FTC's position is reflected in a recent settlement reached with smartphone and tablet maker HTC. The commission had charged the company with failing to protect customers' personal data and privacy in software it designed and customized for millions of mobile devices.
The original complaint laid out a number of security failings on the part of HTC that left customers at risk. Because FTC complaints often outline the commission's view of industry best practices, the case against HTC is seen as a warning to other mobile device makers.
"Every other company should be looking at this document for what they should be doing," Christopher Soghoian, principal technologist for the American Civil Liberties Union, said on Monday.
In particular, the complaint could be seen as a warning to manufacturers who fail to update the Android operating system in a timely manner, a problem that has worried security experts for years.
The agreement, announced on Friday between HTC and the FTC, stemmed from a commission complaint over two logging applications. The commission found that the manufacturer's implementation of HTC Loggers and Carrier IQ contained flaws that would allow third-party applications to bypass Android's permission model, the mechanism under which an application's access to sensitive data and functions must be approved by the user at install time.
Loggers, a troubleshooting tool, and Carrier IQ, diagnostics software, are in a total of 22.5 million Android devices from HTC. Carrier IQ is also in 330,000 Windows phones.
"Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010," HTC said in an emailed statement. "We're working to roll out the remaining software updates now and recommend customers download them once available."
An FTC spokesman said the agreement went beyond just the two customized apps, requiring HTC to fix all reported vulnerabilities.
"Among other things, the order's comprehensive security program requirement obligates HTC to have a process for addressing security vulnerability reports," FTC spokesman Jay Mayfield said in an email. "As our chief technologist notes in a recent blog post, it is important that companies provide security updates in a timely manner."
In the blog post, FTC chief technologist Steve Bellovin said manufacturers should provide security updates and customers should install them.
"Patching isn't easy, but even in a world of zero-days, it's still important," Bellovin said, referring to attacks that exploit flaws for which the software developer has not yet issued a patch. "Vendors and consumers need to take it very seriously and understand how it will happen."
The "comprehensive security program" outlined in the HTC settlement would make security part of the device development process. In addition, HTC would be responsible for securing data on the device, whether it's collected by HTC or created and stored by the user.