Android Security Symposium 2017

AT&T efforts to improve the distribution of Android security updates

About the speaker

Patrick McCanna

AT&T, Redmond, WA, USA
Patrick has been responsible for mobile security at AT&T since 2004. Patrick started his employment by establishing security operations teams dedicated to mobility networks & services. He currently supports the Mobile Endpoint Security Team, where he leads efforts to ensure the security of AT&T's portfolio of mobile devices. He is a board member on AT&T's bug bounty. Patrick leads AT&T's sponsorship of r00tz Asylum—a nonprofit dedicated to teaching kids around the world how to love being white-hat hackers. Patrick has a B.S. in Computer Science with a Mathematics minor from Linfield College.


PC's get patches every month. Apple has been very efficient in creating and distributing security patches. The AOSP source is updated regularly. Why was there such a delay in distributing security patches in Android? Shouldn't it be easy to distribute the AOSP source changes as updates to launched devices?

Starting in 2015, AT&T changed it's procedures to enable a rapid distribution of security updates. These changes allowed OEMs to rapidly distribute security updates after the Stagefright discovery. In this talk, we'll discuss what was delaying security updates in the past & the changes that allowed for rapid distribution of security updates during that urgent event. We'll also discuss AT&T's recent 2G sunset and features necessary for the future of secure mobile communication.

Android has provided us with security lessons that are applicable beyond the mobile industry. Industrial IoT, Connected home, Car & city solutions all can benefit in this discussion on the challenge of distributing open source software security updates to proprietary hardware.