Android is the world’s most popular smartphone operating system. It’s good, it works well, but it keeps falling short on one thing: updates. Android’s fragmentation means security updates seldom, if ever, trickle down to users’ smartphones. Google is aware of this issue and has tried remedying the situation using initiatives like Android One. In the Android One program, OEMs make the hardware and Google then takes care of the software aspect with pure, stock, unadulterated Android. Google also takes care of the monthly security updates and at least two new versions of Android for devices on the program.
At Google I/O 2018 back in May, the company pledged to work with manufacturers of Android phones to ensure more regular security patches. It’s now come to light that Google is mandating at least two years of security updates on Android phones, and enforcing this by writing it directly into OEM contracts. Confidential contracts obtained by The Verge show that many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.
Fragmented security has long been a problem on Android, where phone manufacturers will sometimes ignore products as they age or their user count dwindles. Consumers have rarely had certainty that their device would get timely updates, leaving known flaws open well beyond the point at which they were identified.
The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.
While this is obviously a step in the right direction, it still isn’t a complete fix to the problem. Google releases security patches monthly, but under the confidential contract documents, OEMs are only required to push out an update at least once every 90 days. Updating four times a year would still leave some users exposed to already-patched flaws for up to 90 days.