BlackBerry has joined other Android phone makers that are promising timely security fixes to their customers. On Wednesday, the Canadian smartphone maker said it will roll out security patches within about a month of the disclosure of problems.
BlackBerry to issue security patches
In a blog post, BlackBerry said the patches are “critical” for fixing Android flaws in a timely fashion. Google started disclosing monthly vulnerabilities in Android earlier this year when it announced plans to come up with monthly fixes for Nexus devices. Later, Samsung and LG also came forward to offer monthly patches for their devices. However, HTC sees it as an “unrealistic” target.
BlackBerry said that all Priv devices bought through its store will be eligible for over-the-air updates as and when they are made available. Devices bought through networks such as AT&T in the U.S. will require approval from the carrier before the updates will be pushed out. The company said it could lead to serious flaws, as at times Android users are not willing to wait for a fix.
Critical cases to be dealt with through a “hotfix”
However, in critical cases when attackers actively exploit an Android flaw, BlackBerry will issue a “hotfix” capable of bypassing the need for a carrier’s approval.
BlackBerry Chief Security Officer David Kleidmacher said, “Because a hotfix is typically limited in scope, the balance between a longer testing and approval process and the risk from the critical flaw makes this approach an important addition to helping keep users safe and secure.” Kleidmacher said the company will issue a fix within 24 hours of the receipt of the notification, but it all depends on how complex the flaw is.
Kleidmacher said the patch will be applied directly on BlackBerry, and it will request that its carrier partners give rapid approval. But if the company finds it necessary, then it will apply the over-the-air fix without seeking approval from the carrier, says a report from ZDNet. Kleidmacher added that a time will come when it will become mandatory for the company to act quickly because the risk associated with a publicly released or zero-day vulnerability is too high. The fix will also be applicable to the vulnerabilities that are privately reported outside of the monthly patch cycle.
Carriers have often been criticized for delaying or blocking security updates, and this is one of the main reasons we have so many Android software versions, says the report.