The American Civil Liberties Union has called on wireless carriers to either take responsibility for Android security on the mobile devices they sell or let Google handle updates to protect the millions of people using the operating system.
Christopher Soghoian, principal technologist for the ACLU, also urged federal legislators to pressure carriers into reversing their dismal handling of Android security. Soghoian made his remarks on Monday at the Kaspersky Lab Security Analyst Summit in San Juan, Puerto Rico.
"If they want to control the software that runs on the device, then they need to take responsibility for the software that runs on the device," Soghoian told CSO Online. "If they don't want that responsibility, they need to give the control to someone else."
"Right now, we have the worst of both worlds," he said. "Where the carriers get the control and don't take the responsibility."
Wireless carriers did not respond to requests for comment.
Because of the carriers, millions of Android users are currently using older versions of the operating system with known vulnerabilities that can be exploited by cybercriminals, Soghoian argues. In many cases, Android users are running versions of the OS that is two generations old.
The lack of a consistent mechanism for pushing Android security updates to all users regularly has been a problem for years. Google provides a baseline implementation of the OS through the Android Open Source Project, and lets carriers and their hardware device partners add whatever features they wish.
As a result, thousands of versions of Android are in use, making it impossible under the current conditions to secure all of them through one update.
Lawrence Pingree, an analyst for Gartner, said, "It is very unlikely that Google has the resources required or the wherewithal to offer significant support for all the flavors of Android deployed in the world and since the OS is open-source, it likely has no obligation to do so."
The ACLU has chosen to raise the issue at a time when recent cyberattacks from China have made front-page news. Last week, The New York Times and The Wall Street Journal reported that Chinese hackers broke into their computer systems.
Also, Twitter reported that "extremely sophisticated" hackers stole the user names and passwords for a quarter million users.
[Also see: Android vs iOS vs BlackBerry: Which is the most secure?]
With so many high-profile security breaches, Washington lawmakers are more likely to become receptive to putting in place regulations for mobile phone security, Soghoian said.
"The position that the wireless carriers are in right now, to be honest, is indefensible," he said. "The only reason they've been able to get away with this as long as they have is because the average consumer, and many policymakers, just didn't know that this was happening."
Coming up with a practical solution will be difficult, experts say. With Android, Google provides carriers with a business model much different than that of rival Apple, which controls all the software on the iPhone and iPad.
With Android, carriers and manufacturers work together to compete for customers based on the features built into the devices. "A key benefit of Android and their handset base is the ability of the carrier to provide a product to their market rather than receive the Apple experience where you get what you get," said Glenn Chisholm, chief security officer for Cylance.
Theoretically, Google could revise its agreements with carriers to require that security updates get pushed out within a specified time. However, Google has shown no interest in taking such steps.
"Honestly, based on current practice, I cannot find a good solution," said Xuxian Jiang, assistant professor for computer science at North Carolina State University.
Meanwhile, the number of Android malware is growing substantially faster than any other Web-delivered malicious app, according to Cisco's recent 2013 Annual Security Report.
In addition, cybercriminals appear to be building better tools for attacking the OS. The first documented Android botnet was discovered in the wild in 2012, Cisco said.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.