Google to Make Two Years of Security Updates Mandatory for OEMs
We keep a lot of sensitive data on our smartphones, which is why it is essential that they are secure. Google is engaged in a never-ending game of cat and mouse with people looking to bypass its security measures. A lot of vulnerabilities have made their way into the limelight in recent years, prompting Google to create the monthly security bulletin, which features patches against the latest security exploits.
However, only a small chunk of devices receive timely security updates, as several OEMs are unable or unwilling to roll out the patches for their hardware. Fragmented security has long been a problem on Android, where phone manufacturers will sometimes ignore products as they age or their user count dwindles. In a move that may finally help address the problem, Google has laid down new rules for OEMs that state a minimum number of Android security updates they must offer.
The new contract is already in effect for some OEMs
The Verge managed to get a peek at the new contract, which states that an OEM must provide “at least four security updates” within one year of the phone’s launch, with specific terms laid out for the second year of its lifespan as well. At Google I/O 2018, Google’s head of Android platform security, David Kleidermacher, stated that the company is working with OEMs to ensure that devices get updates. Until now, Google hasn't forced companies to update their smartphones with the latest security patches and has expected OEMs to follow suit on their own.
The contract applies to any device launched after the 31st of January (about 100,000 activations). Starting from January 31st 2019, Google says that all models will require regular security updates. It’s unclear which OEMs have signed this new contract. If an OEM with a large market share disagrees with some of the terms, the contract may be rewritten.
Device OEMs receive the security patches a month before release, but it is common to see devices left unpatched for several months on end. To make matters worse, some OEMs have been caught in the past lying about their security. The consequences for violating the agreement are unknown at this point, but it is reasonable to assume that repeat offenders such as Oppo and Vivo might lose their Android license after a point.
Source: XDA Developers