Google is Demanding Two Years of Security Updates for Popular Android Devices

By Evan Selleck

Published 24 Oct 2018

While Android fragmentation is still a thing, even for security updates, Google is trying to calm things down and create a level playing field for manufacturers.

The goal is to make it easier for those manufacturers to provide security updates for their devices, and to require them to do so, even as those devices start to age. The Verge is reporting on Wednesday that Google has changed its Android contract for OEMs, with the focus being on making sure that popular devices are properly updated to the latest security patches. According to the documentation the publication was able to acquire, Google is now dictating two years of security updates for popular smartphones and tablets running Android.

For a device to be considered popular it has to have been activated by more than 100,000 users. That goes for phones and tablets. Once it reaches that milestone, Google is requiring that standard security updates are delivered “at least four” times within the first calendar year of the device’s launch. After that initial year, Google is still demanding that manufacturers deliver security updates to those devices, but there doesn’t appear to be a specified number of releases during that stretch of time.

According to the new contract, this change is in effect for devices activated after January 31, 2018. Beginning on January 31, 2019, the devices covered by these security requirements must receive those updates in the designated timeframe.

“Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.”

The report does note that while this appears to be a global contract for manufacturers, based on “the contract and Google’s public comments”, the specific contract the publication was able to read only relates to Android devices distributed in the European Union with Google’s apps installed on them.

Google’s demands are great for Android customers, as it means that device manufacturers can no longer skip security updates for whatever reasons they’ve decided on. Google using its leverage to withhold approval of future devices if manufacturers don’t follow the new rules is a nice touch.

[via The Verge]