Google has been offering Android as a mobile operating system for close to a decade. The company acquired it in 2005, unveiled it to the public in 2007 and then in 2008 we saw the first commercially available Android smartphone. There are some rules and limitations that Google has in place for a company to be allowed to use the main configuration of Android (which they have faced legal action about in the past), but for the most part they're giving companies free reign with certain aspects. One aspect that has been up to the OEM is the Linux kernel version but this is changing with Android Oreo.

As long as the OEM was able to pass the certification tests that Google lays out, then they didn't care what kernel version was used in a new device. This generally wasn't an issue as most OEMs would use the same version of the kernel for that generation that other OEMs were using, as it is tied heavily to what the hardware drivers support. However, some had been falling through the cracks and this started to cause security issues. This is something that Google has been taking seriously lately so it makes sense that they would want to start mandating this.

When we take a look at kernel.org, we can see that version 3.18 of the Linux kernel is EOL. Starting this year with smartphones which ship with Android Oreo, Google is requiring that all SoCs productized in 2017 must launch with kernel 4.4 or newer. Not only is this version of the Linux kernel more secure, but it also means the companies won't need to put as many resources to keep it secure going forward. While being on a newer kernel version does not guarantee that all vulnerabilities will have been found, it does go a long way towards reducing the number of vulnerabilities, and reducing the effort that needs to be put in to backport security fixes.

Google is also requiring new devices launched with Android Oreo to be configured to support Project Treble right from the start, which will hopefully make it easier to upgrade Linux kernel versions in the future, and reduce the efforts that will need to be put into backporting security patches. Currently existing devices that are upgraded to Android Oreo are only required to run kernel version 3.18 or newer, and will not have to be upgraded to support Project Treble.


Source: Google