The US authorities are to investigate the security of mobile devices, and in particular the way in which software updates are distributed.

The Federal Communications Commission and the Federal Trade Commission are looking to “better understand, and ultimately to improve” practices. To this end, letters have been sent to operators asking about procedures for reviewing and releasing updates, and to eight device makers about how patches are issued to address vulnerabilities.

“There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including ‘Stagefright’ in the Android operating system, which may affect almost one billion Android devices globally”, a statement said.

Consumers, it warned, may be left unprotected for long periods of time – or perhaps indefinitely – by poor update processes.

It has widely been detailed that Android vendors in particular have different approaches to security updates, reflecting a number of factors including the level of customisation on top of stock Android.

Operators also have their own requirements for device updates in terms of testing, which adds further complexity to the process.

Data from Google shows that only 7.5 devices visiting its Play store run the latest version of the OS, with an additional 35.6 per cent running the previous release – meaning 56.9 per cent use a platform released before 2014.

While obviously platform updates are not the same as security patches, it does show the diversity of platforms still in use, and the slowed uptake of newer – and hopefully more secure – versions.

In comparison, Apple’s tighter control of the iPhone and its iOS platform means this is generally perceived as being faster on the update.

The questions sent to operators address issues such as “issues or hurdles” related to updates; whether devices they sell have any specific customisation or software that could need patching; whether operators know the security status of devices; and the potential security impact for networks.

Also up for discussion are differing practices between platforms, and a number of specifics related to Stagefright.

Letters sent give a deadline of 45 days for responses.