Android updates are a sticking point for many people, with many stops between Google’s release and your phone interrupting (rightly or wrongly) the flow of updates. According to a new report, Google’s intention to mandate regular updates appears to have come to fruition.
The Verge obtained a confidential contract agreement between Google and device manufacturers, which shows that OEMs are required from 31st July this year to ensure that security patches and OS upgrades for popular devices are maintained for at least 2 years.
This isn’t the first we’ve heard of this arrangement being built into manufacturer agreements: David Kleidermacher, Google’s head of Android platform security, said after Google I/O that they had begun to mandate this. It’s only now we’re getting more details on what is involved.
The contract sets out the requirement for what constitutes a ‘popular’ device, stipulating that any device with over 100,000 activations falls into the category. The contract stipulates that as of July 31st, 75% of a company’s Android devices falling into this category must be provided with consistent security updates for at least two years. From January 31st 2019, 100% of devices in this category must receive security updates for the two-year period.
There’s a minimum effort that vendors need to apply to meet this agreement. Google mandates only that “at least” four updates be supplied in the first year after a device’s release, while the second year gets murky, with a requirement for updates but no minimum number specified.
Google has specified in the contract that manufacturers must offer protection against all vulnerabilities identified over 90 days ago, regardless of how many updates they have done previously – which may force the hand of some manufacturers.
The agreement allows Google to penalise manufacturers who do not comply with the new terms of the agreement, by refusing approval of and effectively blocking the sale of a device.
In a statement to The Verge, a Google spokesperson pointed to statements made by the company earlier this year, which said that the 90-day bug fixes are “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”
The spokesperson also pointed to Google’s Android One program, which provides monthly security updates for three years to supported phones. It is important to point out that the hygiene statement referred to best practices, and most phones aren’t covered by Android One’s terms.
Android software updates have been fraught with inconsistency for many years, and Google has tried many different approaches to ensure the safety of devices and thus users. We’ve seen the carrot approach, so perhaps the stick is now being applied, but how manufacturers react to the terms is something we’ll have to see over time.