Google Finally Gets Serious About Android Security Updates

Posted on October 24, 2018 by Mehedi Hassan in Android, Google with 16 Comments

It’s no secret Android phone makers are really bad at keeping their users updated. Not only do they fail to deliver major feature updates, they even miss out on security updates, partly because of carriers and a bunch of other weird things.

Well, Google is finally trying to fix some of the issues. The company is now making it mandatory for Android phone makers to deliver security updates for “popular devices” for at least 2 years.

A contract obtained by The Verge has revealed that Google is now requiring Android phone makers to deliver at least four security updates within the first year of a device’s launch, followed by more in the second year — although it’s not clear whether the number of security updates required in the second year is the same as or fewer than in the first year.

The contract apparently states that any device with more than 100,00 users will be required to follow the contract, delivering the security updates regularly. Moreover, new devices must launch with the latest bug fixes and security patches, according to the new contract, which covers any device launched after January 31st, 2018. Failing to comply will probably prevent a phone maker from getting Google’s approval for its upcoming phones.

Although it’s not clear whether the contract applies to Android devices globally, what we do know is that it’s part of the new tactics Google is employing in the European Union after the company was slapped with a $5 billion antitrust fine.

The new contract will definitely make sure Android users are more secure than before. Since there really wasn’t any specific requirement for Android phone makers to keep their devices updated with all the latest security patches, they often neglected some of their products, especially the low-end devices. The new contract will hopefully tackle all of that; at least, that’s the plan.


16 responses to “Google Finally Gets Serious About Android Security Updates”

  1. Thomas Parkison

    Too little, too late Google. This should have been standard practice from the very beginning.

  2. locust infested orchard inc

    Adoogle serious about security ? No, get the hell outta 'ere. Go on, pull the other one, and make my day.


    Adoogle is rightly feeling the heat from the EU ruling in July, and it's beginning to s*** itself badly.

  3. FalseAgent

    Pitiful. Imagine the outrage from everyone if Ubuntu or Windows only provided security updates for 2 years. Imagine the shitshow if OEMs were in control of PC updates. Yet, we put up with an asinine standard for our phones which are arguably far more important.


    Android may have succeeded in marketshare, but this is one area where they have failed.

  4. dcdevito

    This isn't news...they announced this at Google I/O a few years ago.

    • Polycrastinator

      In reply to dcdevito:

      No, I remember the Google announcement, but I believe it was for general updates, not specifically security updates, and the period was only 18 months then. It's a good thing that Google has broken security patches out of the rest of their update mechanism, it should at least make this a little easier to implement.

  5. red.radar

    They can provide it but doesn’t mean the carriers approve it. I can somehow see this still not solving the issue.


    Granted I am being a touch of a cynic

  6. jrickel96

    Meanwhile the iPhone 5s is still getting updates. Only reason earlier devices aren't is due to 32-bit architecture.


    The iPhone 5s is five years old.


    People talk about how expensive iPhones are, but what is better - an iPhone XS for $1,000 that has at least a five year support cycle or a $700 Samsung Galaxy S9 that has two years of support at best - and I don't see how Google can enforce this or get carriers to not block some updates. $350 per year versus $200 per year. And one of them will also hold its value much better for trade-in or sale than the other.

    • Winner

      In reply to jrickel96:

      That depends upon how long you keep your phone.

      • nbplopes

        In reply to Winner:


        True. But whoever complains about iPhone prices and then changes smartphone every year or two should instead focus on fixing their expensive habits.


        What is disconcerting is that people with little money are left with really bad support in terms of security and privacy.


        Indeed, the core flaw of TC's argument on fundamental rights from the point of view of Humanity is that his product strategy pushes Privacy and Security rights to the highest payer. In other words, it’s subject to profits ... average price rise ... wall street.


        Cheers.

    • Chris_Kez

      In reply to jrickel96:

      Yep. A two year old iPhone 7 is still going for $300 and will probably see four or five major OS updates in its lifetime. A Pixel from the same year is now worth about $200 and it will see two major OS updates (i.e. it is done with OS updates after this fall). Both of these phones were $650 at launch (32GB models). Pretty clear which one was the better value.

      I would recommend any regular consumer with mid-tier money (say $300-$500)-- who isn't an Android enthusiast or Samsung loyalist-- to spend that money on a refurbished or pre-owned iPhone.

  7. dontbe evil

    lol, google and security cannot be in the same sentence

  8. Polycrastinator

    Interesting that this only applies to security updates, and there's no requirement for bigger software updates. In some ways, I bet that lets manufacturers off the hook, but at least it will keep handsets more secure.

  9. Boris Zakharin

    Pretty sure Motorola is already meeting these requirements with updates every 2-3 months being 1-3 months late. I'm currently on the August update. And I think that's pretty bad considering some of the security vulnerabilities out there.
