A variety of wireless carriers and smartphone and tablet makers, including Apple, are reportedly being asked by U.S. regulators to explain how they review and push out security updates to their customers.
The issue is being examined by both the Federal Communications Commission and the Federal Trade Commission, Bloomberg said. The FCC has sent out letters to AT&T, Verizon, T-Mobile, Sprint, U.S. Cellular, and TracFone Wireless. The FTC, meanwhile, has issued orders to Apple, Google, BlackBerry, HTC, LG, Microsoft, Motorola, and Samsung.
At stake are the potential vulnerabilities left open by delaying a fix. While Google regularly updates Android, for instance, companies like HTC and Samsung often use custom skins and apps that can postpone those changes coming to their own devices -- if they arrive at all, in the case of older hardware. Carriers can sometimes impose their own delays on when updates reach customers.
As an example the FCC made specific reference to Android's "Stagefright" vulnerability, which it said could be affecting up to a billion devices. Google has worked to patched the problem but many devices may still be at risk because of slow third-party support.
Both Apple and Google issue point releases to fix critical bugs and vulnerabilities, but will also sometimes hold off on less serious problems until code can be wrapped into a planned update.
The FTC said that the information it wants includes the factors used in deciding whether to patch a hole, details on devices sold since August 2013, and which vulnerabilities have impacted those products, as well as whether they've been solved.