Google I/O was a massive event, with many things announced across the three days. One of the interesting nuggets tucked away in a developer talk was that Google is going to start requiring OEMs to deliver regular security patches.

The announcement was made during the ‘What’s new in Android Security’ and picked up by Mishaal Rahman from XDA-Developers.

We’ve also worked on building security patching into our OEM agreements. Now this will really … lead to a massive increase in the number of devices and users receiving regular security patches.David Kleidermacher, Google’s head of Android platform security

Google hasn’t previously required OEMs to deliver security patches to their devices, even after starting to deliver monthly Android security patches in the wake of the Stagefright vulnerability back in 2015. Stagefright was the first of a number of vulnerabilities which affected Android and made more people aware of the need to run the latest version of Android.

While Google hasn’t announced how often they will need to deliver security patches to devices, it’s at least promising that they’re seeing the need to build the requirement into their OEM agreements.

Source: XDA-Developers.
    Inline Feedbacks
    View all comments

    I wonder if this is helped by the existence of Project Treble? Surely the same functional separation that makes it easier to upgrade the OS should apply at least equally to security patches? Which would therefore enable Google to be more demanding of OEMs than they have been before when they knew there was (or may be) a lot of work to implement the security patches into the OEM skins.


    Let’s hope it is at least 4 minimum per year with a maximum of 3 months between a release for the first 2 years after release. This could then be relaxed to 3 / 4 in the 3rd year and 2 for the 4th. I would think in general after that time the device will be out of date so no updates will be required but could still happen. This would be for mid – premium models and could be more relaxed for entry-level devices but still would have to be at least 2 a year especially if another major… Read more »

    Allan Thomas

    I’ll believe it when I see it!


    Not before time .