Google requires 2 years of Android security updates for popular devices
26.10.18 securityaffairs Android Vulnerability
The media outlet The Verge obtained a copy of a contract between Google and OEMs that obliges them to two years of security updates for popular phones.
Google continues its battle to secure its users' devices, this time making two years of Android security updates mandatory for device makers.
One of the main problems with patch management is related to the distribution of security patches issued by Google for Android OS.
Device manufacturers often delay the installation of these security patches, exposing device owners to cyber attacks. Google is committed to solving this issue: during the Google I/O Developer Conference in May 18, it announced its plan to update its OEM agreements so that they would require Android device manufacturers to roll out security updates regularly.
A Google spokesperson declared that the 90-day requirement is “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”
The media outlet The Verge obtained a copy of the agreement between the tech giant and OEMs. The contract obliges Android device makers to regularly install updates for any popular phone or tablet for at least two years. For the second year, OEMs have to continue to provide security updates, but the contract does not mention the exact number of updates.
OEMs must roll out at least four security updates within one year of the phone's launch. In case OEMs violate the contract, they will lose their Google certification for upcoming Android devices.
“A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch.” states The Verge.
“Security updates are mandated within the second year as well, though without a specified minimum number of releases.”
Android OEMs will be obliged to regularly provide security updates for popular devices that have been launched after January 31st, 18 and that have more than 100,000 active users.
Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days.
In other words, the minimum requirement of the contract is a security patch update every quarter.
The contract obtained by The Verge could have a massive impact on both OEMs and end-users: the overall level of security for Android devices will increase in a significant way.
“But because manufacturers rely on Google for its suite of apps, the company can also make outright demands for updates in its contract. This contractual commitment to patching devices goes much further and guarantees in many cases that devices will remain up to date.” concludes The Verge.
“As Android splits following the EU ruling, the contract also raises questions about how non-Google phones will receive security updates without the same contractual pressures.”