Google is mandating major OEMs offer 2 years of Android security updates
We keep everything on our smartphones, and it’s gotten to the point that for many people a phone has replaced the laptop. That’s both good and bad: phones are obviously smaller and more convenient while offering some of the exact same capabilities as a laptop. However, their ubiquity means they are often a target for cybercriminals, with a number of vulnerabilities making their way into the limelight in recent years. This led Google to create the monthly Android Security Bulletin, which carries patches for the latest security exploits, and to launch the Android Enterprise Recommended program. The Verge has now obtained a contract that Google gives to OEMs which states the minimum number of Android security updates an OEM must offer.
The contract specifically states that an OEM must provide “at least four security updates” within one year of the phone’s launch, with specific terms laid out for the second year of its lifespan as well. We’ve actually already heard that Google would start requiring OEMs to provide security patches: at Google I/O 2018, Google’s head of Android platform security, David Kleidermacher, stated that the company is working with OEMs to ensure that devices get updates. Google previously hasn’t forced companies to update their smartphones with the latest security patches, though admittedly most major companies (such as Essential and OnePlus) would already be considered to abide by this contract.
The contract applies to any device launched after the 31st of January that has had more than 100,000 activations. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting from January 31st 2019, Google says that all security mandatory models will require these security updates. How far along the rollout is remains unknown, and it could possibly fall apart at any time should larger OEMs disagree. It’s unclear which OEMs have signed this new contract. It’s possible that, should a larger OEM with considerable sway disagree with some of the terms, the contract may be rewritten.
The security bulletins are released monthly, with device OEMs receiving them a month prior to release. Quite a lot of OEMs have been caught lying about their security patches in the past as well, which certainly doesn’t help matters. The Verge has confirmed that these terms exist in Google’s European Union licensing agreement, but cannot confirm whether they are also part of its global licensing agreement. This is one of many agreements that an OEM must sign, alongside the GMS partner program and the Android partner program. Android partners get faster updates, which is how some companies got early access to Android P.
Source: The Verge