The FTC announced Monday that it has asked cellphone makers to report on their security-patch practices. This is just the FTC's latest reminder to tech companies that it expects them to take continuing responsibility for the security of their products long after their products have shipped. In just the past few months, the FTC has also taken action against Oracle for failing to ensure that Java was properly patched on users' computers, and against Asus for failing to ensure security updates on its wireless routers.
In order to gain a better understanding of security in the mobile ecosystem, the Federal Trade Commission has issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices. ...

Among the information recipients must provide under the orders are:

• the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
• detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
• the vulnerabilities that have affected those devices; and
• whether and when the company patched such vulnerabilities.