
Google Hopes To Phase Out Monthly Android Security Patches

Google plans to reduce the need for full monthly security updates and make Android safer through increasingly comprehensive best-practice guidelines and work to ease the burden on device manufacturers. The company recently used its Android Developers Blog to explain those changes along two central themes: making updating as painless as possible for manufacturers, and clearer modularity. The first starts with an offer to let smartphone makers use Google's firmware over-the-air (FOTA) servers for free. Modular updates, however, may matter more to the end goal. Project Treble is given as an example: a newer architecture that separates the Android framework from the vendor implementation (the Hardware Abstraction Layers), and the same separation should allow framework-level security fixes to ship on their own, without waiting on changes to vendor code.

Beyond that, the same concept carries over to user-mode components, which can be updated separately and more easily than the operating system itself. Another recent example is Google's GMS Express program, under which the company works with manufacturers to deliver component-specific updates for reference designs that are pre-tested and pre-integrated, minimizing the work needed to patch vulnerabilities. Those and future changes to the system architecture should make much smaller updates possible at a somewhat higher frequency, fixing bugs as they arise without a full software update. For now, though, Google is advising OEMs that monthly security patches are preferred and that devices should be patched at least every 90 days to meet its best practices. That 90-day figure matches the common vulnerability disclosure window, the period researchers typically give a vendor to fix a reported flaw before publishing details, so manufacturers that hold to it should have patches out before issues become public. To reduce the chance of those issues being exploited, OEMs should treat the 90-day timeline as a floor, not a target. The same timeframe applies on the enterprise side and is part of the requirements for Google's Android Enterprise Recommended device program and list.

Some devices, such as Android One smartphones and Google's own Pixel phones, already meet the monthly update cadence, either by program requirement or by default. Beyond that, it is up to manufacturers to supply updates. Reports from earlier this year suggested that some OEMs were not providing regular updates and that others were skipping fixes but advancing the device's security patch level string anyway, so the reported patch date did not reflect what had actually been fixed. Google is addressing that problem indirectly by automating low-level firmware stack testing for manufacturers, taking some of the burden off attaining security patch level compliance. More directly, and to the benefit of end users, the company is also scanning device images during the build approval process for patterns that indicate something is amiss.
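The patch-level claim discussed above is a single Android system property, ro.build.version.security_patch, which a practitioner can read with `adb shell getprop ro.build.version.security_patch`. The Python below is an added example, not code from Google or any OEM: it pulls that string out of constructed getprop output and checks it against the 90-day minimum the article cites, flagging malformed and future-dated values as well as stale ones. The function names and sample lines are assumptions made up for the example. The check shares the limit the reports above point to: the string is only a claim by the OEM, and confirming that the fixes are actually present requires testing the image's binaries themselves.

```python
"""Check a device's claimed Android security patch level against a 90-day
maximum age. Added example, not code from Google or any OEM.

The only real Android identifier here is the system property
ro.build.version.security_patch (read with `adb shell getprop`), whose value
is a date string YYYY-MM-DD. Function names and sample data are made up.
"""
import re
from datetime import date

# The article's recommended minimum update cadence, used here as a maximum age.
MAX_PATCH_AGE_DAYS = 90

# Current Android Security Bulletins publish two levels per month:
# YYYY-MM-01 (framework/AOSP issues) and YYYY-MM-05 (additionally vendor and
# kernel issues). The property is just a date string, so any valid date parses.
PATCH_LEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# One getprop output line, e.g. "[ro.build.version.security_patch]: [2018-10-05]"
GETPROP_RE = re.compile(r"^\[ro\.build\.version\.security_patch\]: \[([^\]]*)\]$")


def parse_patch_level(value):
    """Return the patch level as a date, or None if it is not a valid YYYY-MM-DD."""
    m = PATCH_LEVEL_RE.match(value.strip())
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:          # e.g. month 13 or day 32
        return None


def patch_status(value, today):
    """Classify a claimed patch level relative to `today`.

    Returns (status, age_in_days) where status is one of:
      'invalid' - not a parseable date (age is None)
      'future'  - dated after today, which no honest build should be
      'stale'   - older than MAX_PATCH_AGE_DAYS
      'ok'      - within the 90-day window
    """
    level = parse_patch_level(value)
    if level is None:
        return "invalid", None
    age = (today - level).days
    if age < 0:
        return "future", age
    if age > MAX_PATCH_AGE_DAYS:
        return "stale", age
    return "ok", age


def audit_getprop(text, today):
    """Find security_patch lines in getprop output and classify each.

    Returns a list of (claimed_value, status, age_in_days) tuples.
    """
    results = []
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            status, age = patch_status(m.group(1), today)
            results.append((m.group(1), status, age))
    return results


# Constructed sample: three devices' getprop lines, not real device output.
SAMPLE_GETPROP = """\
[ro.build.version.security_patch]: [2018-10-05]
[ro.build.version.security_patch]: [2018-06-01]
[ro.build.version.security_patch]: [2018-13-01]
"""

if __name__ == "__main__":
    for value, status, age in audit_getprop(SAMPLE_GETPROP, date(2018, 11, 1)):
        suffix = f" ({age} days old)" if age is not None else ""
        print(f"{value}: {status}{suffix}")
```

Run against a fleet by piping each device's `adb shell getprop` output into audit_getprop with the current date; a 'future' or 'invalid' result is worth a closer look at the build, since a correctly produced image should never carry one.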