Jeff Forristal has been busy the last few years discovering and reporting Android vulnerabilities. Forristal, CTO of mobile security vendor Bluebox Security, revealed the Android Master Key vulnerability at the Black Hat 2013 conference and the FakeID vulnerability in 2014.
The big challenge is the length of time a vendor will support a given device and how that maps to the user's ownership of the device. With carrier-subsidized smartphones, a user can get a phone from a carrier and be locked into a two-year contract.
However, most vendors only have a two-year support lifecycle for devices in terms of software patches. As such, Forristal noted that if a user buys a phone model that has already been on the market for a year and a half, that phone might have only six months left in its lifespan for software patch updates.
“It’s a really interesting dynamic of how carrier subsidies can lock consumers into a device that may be hitting its end of life for patches before the contract is over,” Forristal said.