Security updates aren’t a given, even in 2018, and while Google and many smartphone manufacturers have tried to improve the situation recently, there’s still room to get better.
Google appears to be clamping down, especially when it comes to popular smartphones and tablets. According to documentation obtained by The Verge, Google has new Android contracts for device manufacturers that require popular devices to get security updates for at least two years. Google’s rules state that manufacturers must provide “at least four security updates” within a popular device’s first year on the market.
Google still demands that security updates are provided for those devices within the second year, but according to the report the company is not demanding a specific minimum number of releases as it is in the first year.
To qualify as a popular device, a model must be activated by more than 100,000 users. The new terms cover devices that launched after January 31, 2018. Based on the report, as of July 31, the patching requirements were “applied to 75 percent of a manufacturer’s ‘security mandatory models.’” Looking ahead, as of January 31, 2019, Google will require “all security mandatory devices receive these updates”.
These device manufacturers must follow the new mandate, which should mean more devices, even the aging ones, are updated on a more regular basis. Google’s new rules dictate that by the end of any given month, covered devices must be protected from all identified vulnerabilities 90 days after their discovery.
What happens if the manufacturers don’t follow through? The report indicates that Google could withhold future approval of devices coming down the pipe. That could mean those devices don’t launch at all, so the manufacturers have a clear reason to keep their older devices updated on the security side of things.
It’s worth noting that the documentation is tied to Android distribution in the European Union, both for smartphones and tablets that bundle Google’s apps. It is not confirmed at this time that these same rules apply under Google’s global ruleset. However, the “contract and Google’s public comments indicate that the terms are likely the same or substantially similar in all regions”, so this appears to be a global effort to make sure devices are updated on a regular basis.
This is good news for Android users, especially those who pay attention to the security updates on their phone (which should be everyone). Hopefully it is a global effort, and we see the changes across the board soon enough.