New details about how Google’s Android manufacturer agreements handle requirements for security updates have now leaked, setting a two-year minimum on those updates according to contractual documents obtained by The Verge from an unnamed source. The requirement applies to any OEM that has launched an Android smartphone or tablet after the end of January of this year, provided the device in question has been activated by more than 100,000 customers. The minimum number of security updates for the first year is four; a figure for the second year isn’t specified. The rules also become somewhat more stringent as of January 31 of next year. From that point, all qualifying handsets and tablets must have every security hole, bug, or vulnerability identified by Google fixed within 90 days, and newly launched Android devices must meet those same criteria.
Background: Security has become a matter of increasing concern for Android, following years of fragmentation and culminating in reports suggesting that most OEMs have not been providing regular patches. Perhaps more alarming, those same reports also detailed how some manufacturers would not only fail to provide updates but would advance the patch level shown on devices without actually applying the corresponding patches. For example, a user might navigate to the “about” section of the settings application and see the current Android security patch level listed as “October 1, 2018” when in reality no patches had been applied at all. Conversely, a device’s manufacturer might honestly display the correct patch level but still not have updated the device in the past several months.
Google has taken steps to combat that issue, including relatively recent announcements outlining how it plans to phase out the need for monthly updates through partnerships with the companies responsible for creating device components. Under that plan, the company wants a system in which those component manufacturers can patch flaws and bugs in their own parts completely separately from the overall system updates. Since component code is often where a substantial number of vulnerabilities exist, and the process would bypass both device manufacturers and carriers, that should make devices much more secure. At the same time, it would prevent OEMs from being dishonest about the full set of updates and could eventually remove them from the process almost entirely.
Impact: Bearing that in mind, Google has not always been transparent about how it is going about changing things to correct these problems. As the source notes, the search giant did discuss improving its security update policies through its contractual agreements with OEMs at I/O 2018, but it wasn’t clear what those changes would be. Instead, the company simply said that it was changing things to ensure that OEMs deliver updates more regularly. The newly leaked documentation clarifies things quite a bit and indicates that the security issues are being taken seriously. The new policy doesn’t appear to force updates as often as many might like, since it doesn’t require compliance with every single update as it launches. But it will ensure that users can get more than a year’s worth of use out of most newer devices without needing to worry that they’re still vulnerable to issues discovered more than a few months earlier.