Google to require Android device‑makers to roll out OS security patches regularly

The move is intended to help address the mobile platform’s perennial problem – that many manufacturers of Android-powered devices are slow to get software updates out the door.

Google has announced, albeit without going into much detail, that it will require the manufacturers of Android devices to push out regular security-focused updates.

The announcement came from the head of Android security at Google, David Kleidermacher, during his talk at the recent Google I/O Developer Conference in Mountain View, California.

The firm has been pushing towards heightened security within the Android ecosystem, including by making devices easier to patch. Speaking at the annual Google event, Kleidermacher himself noted that “at Google, we have a pretty steady track record for years now of every single month delivering those patches to the market, and we want to make sure that all Android OEMs are delivering patches regularly to their devices as well, not just Google’s devices”.

And he continued: “We’ve also worked on building security patching into our OEM agreements. Now this will really lead to a massive increase in the number of devices and users receiving regular security patches. We’re really excited about that”.

Since Google has not shed more light on the terms of the agreements, there’s no telling at this point if they will apply only to new and/or flagship devices or whether older devices will also stand to benefit from the new policy.

Slow and not sure

The mobile platform, which will turn 10 this September, has struggled to ensure that its users receive the latest updates quickly enough. Many devices, not only old ones, are often left in the lurch without an easy update path.

As noted in ESET’s 2017 trends paper called Security Held Ransom, “the way in which security patches are deployed continues to leave some Android users unprotected, creating a large window between the time at which the vulnerability is known and the time when OEMs and telephone network operators deploy the security patch for the different versions of the operating system, if they ever choose to do so.”

To help counter that problem, Google unveiled Project Treble last year, which is “re-architecting Android to make it easier, faster and less costly for manufacturers to update devices to a new version of Android”.

In February of this year, SecurityLab released the results of research that provides some insights into the performance of smartphone manufacturers when shipping security updates to customers. Meanwhile, a number of device-makers were called out last month for apparently misleading their customers about the status of security patches on their devices. In other words, users labored under the impression that their devices were running the latest updates even if this wasn’t always the case.

To be sure, even having all patches installed is not a surefire way of staying safe. Being prudent when installing apps, especially – but not only – from outside Google Play, together with watching out for permissions that apps request, and having reputable security software in place will go a long way towards helping harden a user’s defenses.

Oreo, the latest version of Google’s mobile OS that was launched in August of last year, runs on fewer than 6 percent of devices. Android P is due later this year.
