Android updates are a sticking point for many people, with many stops along the way from the release from Google interrupting (rightly or wrongly) the flow of updates to your phone. It appears that Google’s intention to mandate regular updates has come to fruition according to a new report.

The Verge obtained a confidential contract agreement between Google and device manufacturers, which shows that OEMs are required from 31st July this year to ensure that security patches and OS upgrades for poplar devices are maintained for at least 2 years.

This isn’t the first we’ve heard of this arrangement being built into manufacturer agreements, with David Kleidermacher, Google’s head of Android platform security saying after Google I/O that they had begun to mandate this. It’s only now we’re getting more details on what is involved.

The contract sets out the requirement for what constitutes a ‘popular’ device, stipulating that any device with over 100,000 activations falls into the category. The contract stipulates that as of July 31st, 75% of a company’s Android devices falling into this category must be provided with consistent security updates for at least two years. From January 31st 2019, 100% of devices in this category must receive security updates for the two year period.

There’s a minimum effort that vendors need apply to meet this agreement. Google mandates only that “at least” four updates be supplied in the first year after a device’s release, while the second year gets murky with a requirement for updates, but no minimum amount specified.

Google has specified in the contract that manufacturers must to offer protection against all vulnerabilities identified over 90 days ago, regardless of how many updates they have done previously – which may force the hand of some manufacturers.

The agreement allows Google to penalise manufacturers who do not comply with the new terms of the agreement, by refusing approval of and effectively blocking the sale of a device.

In a statement to The Verge, a Google spokesperson pointed out the statements made by the company earlier this year, which stated that the 90-day bug fixes “a minimum security hygiene requirement” and saying that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”

The spokesperson also pointed to Google’s Android One program, which provides monthly security updates for three years to supported phones. It is important to point out that the hygiene statement referred to best practices, and most phones aren’t covered by Android One’s terms.

Android software updates have been fraught with inconsistency for many years, and Google has tried many different approaches to ensure the safety of devices and thus users for years. We’ve seen the carrot approach, so perhaps the stick is now being applied, but how manufacturers react to the terms is something we’ll have to see over time.

Source: The Verge.
Via: Engadget.
Inline Feedbacks
View all comments

Even without Android One, isn’t the theory that Project Treble will make all of this much easier anyway? Although as there’s been no widespread news on Treble or any examination of its effects it is a little hard to say.

David Anderton

It’s a start but it’s still pretty crap. You can buy a laptop for $500 and get updates for a decade. Why should a $1500 phone only receive updates for 2 years.

Also the 2 years should start from when the OEM stops selling the phone, not when it is released.


The lithium battery will be rather useless after three years.

David Anderton

Depends on how you’ve treated the battery, but even if you’ve thrashed it after the years you sound still be getting at least 60% of the original capacity. Also there are still phones with replaceable batteries.

Jeff Dean

All sounds good in theory until your ISP/Phone service provider steps into the ring, and then the updating schedule flys right out the window.


I absolutely agree – it was frustrating to see LG release monthly Android Security Updates for my G5, while none were being passed on by Telstra. That was a big factor in me moving to a SIM-only plan and buying my Huawei Mate 10 Pro outright. To their credit, Huawei are releasing monthly Security Updates, so I’m only ever 1 month behind Google. It will be interesting to see how long the Security Updates keep coming – I’m guessing the tap will probably turn off at 24 months from release…


I’ve had Telstra block updates from devices I bought outright from the Play Store, it’s pretty annoying. I assume you have moved away from Telstra or they are simply not blocking the updates for that model?


Good to see google making updates for at least a minimum period..
Wouldn’t it be nice to see 3 years of software and 4 years of security updates ?
But i suppose we need to crawl before we walk 😀.


What will Samsung do? It hardly ever provides OS updates. Now it appears Google will hit them with a stick.


Funnily enough I was just thinking that I had received a lot more than usual from Samsung this year on my S8+. Pretty much second monthly. I’m on Vodafone.


Sammy are actually very good with security updates, even my old s7 is still getting them every couple of months. They would have to get the most improved award, that’s for sure


Yeah , Sammy does not seem any where near as bad as people make it out to be. I also seem to be doing alright with my S8+ with security updates , and do get the occasional performance and stability up date as well , and the phone is running well. In fact I would say Sammy had actually lifted his game with the updates. Even my old 2014 note 4 got a 490 meg update a bit earlier this year. My LG G5 on the other hand, I don’t think it even made it to two years of updates… Read more »


HTC on the other hand… HTC 10, released April 2016 (about 2 1/2 years old now since its release), Android version 8.0.0 (software number 3.20.710.2), security patch level: 1 December 2017 – HTC gave up on the device less than 2 years after they’ve released it.

Last HTC I buy ever.

Sujay Vilash

They are not as bad as OPPO. I have not had a single security patch for my R15 Pro. Makes me regret buying that particular brand.