Early this year, it was revealed that Google will require Android manufacturers to issue timely security updates. While it was not clear at that time when such a provision would come into effect and how Google plans to enforce it on its OEM partners, a new leaked document sheds light on all of those questions.
According to a confidential contract document obtained by The Verge, Google now requires Android device manufacturers to regularly install updates on any popular phone or tablet for at least two years. The contract states that these OEM partners must provide “at least four security updates” within a year of the smartphone’s launch. The security updates are mandated by Google in the second year of the smartphone as well but there is no specified minimum number of updates.
Google releases a new security update for its Pixel smartphones every month and makes it available to its OEM partners, who service their own devices a few weeks later. However, carriers and manufacturers have struggled to get their devices onto the newest security release in a timely manner. Some of the popular Android smartphones in the market end up being a month or two behind in terms of security updates.
The contract document reveals that these terms apply to any device launched after January 31, 2018 that has been activated by more than 100,000 users. As of July 31, 2018, these patching requirements have been applied to 75 percent of a manufacturer’s “security mandatory models.” Starting January 31, 2019, Google plans to expand that to require all security mandatory devices to receive these updates.
While Google itself releases 12 security patches during the year, it does not require its OEM partners to supply every update. At the same time, by mandating four updates in a year, it is trying to ensure that OEMs cannot go without updating their devices for long. At the end of every month, these smartphone makers must offer protection against all vulnerabilities identified over 90 days ago. This applies irrespective of the number of updates that have been issued during the month.
The contract document also reveals that Google can pull rank by refusing approval and effectively blocking the sale of a device if a company fails to adhere to these terms. A Google spokesperson described the 90-day bug fixes as “a minimum security hygiene requirement” and added that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”
With the new enforcement, Google is trying to make its Android operating system more secure and resilient against known vulnerabilities. These terms were also recently disclosed by the company in its new licensing agreement for Android phones and tablets sold in the European Union. In effect, Google wants its OEM partners to update their popular devices at least once every three months during the first year, but it remains to be seen whether all of its partners will comply with these terms.