Google is reportedly mandating two years of security updates in a revised Android device manufacturer contract.
The lack of consistent, regular Android updates has long been a pain point for users. While some devices and manufacturers have proved more reliable (Google's Pixel line, Essential and OnePlus, to name a few), not all regularly push out updates.
In an age of increasing need for digital security, a lack of consistent security patches is a significant gap that needs filling. Google’s Android team already pushes out monthly security updates for the operating system.
Now, the company is reportedly making other manufacturers do the same.
According to a contract obtained by The Verge, Android manufacturers will be required to provide updates for popular phones for at least two years.
Furthermore, the contract stipulates device makers must release a minimum of four security updates within the first year of a device’s launch. The agreement also mandates security updates in the second year, but there isn’t a minimum number of releases required.
Additionally, the contract terms apply to any device launched after January 31st, 2018 that has been activated by more than 100,000 users. On July 31st, Google implemented the requirements on 75 percent of a manufacturer’s “security mandatory models.”
Finally, on January 31st, 2019, all security mandatory devices will be subject to the conditions.
Patches for flaws older than 90 days must come every month
On top of all this, Google now requires manufacturers to patch security flaws identified by the search giant within a specific timeframe. At the end of every month, manufacturers must protect devices against all vulnerabilities recognized more than 90 days ago.
Additionally, when a manufacturer launches a device, it must have all flaws older than 90 days patched.
Google could withhold approval of future phones, potentially preventing their release, if manufacturers fail to keep devices updated.
The Verge also confirmed that the stipulations are part of the new licensing agreement Google drafted for the E.U. However, it was unable to verify if the requirements appeared in the company’s global licensing terms. Likely the conditions are similar, considering how Google is pushing the importance of updates.
For example, Google rebuilt the update structure in Oreo to make updates simpler and faster to build. Additionally, the company uses its Enterprise Recommended program to highlight secure phones for large buyers, rewarding companies that keep phones up to date.
Hopefully, these new measures lead to a more secure Android as manufacturers keep devices updated. Unfortunately, this could have a negative impact too, especially if manufacturers rush the release of updates in order to meet deadlines.
Source: The Verge