Popular Android phones will now have to provide two years of security updates

Fragmentation is a real problem in the Android world, and devices don’t regularly get updated with the latest security patches. This looks set to change, at least for “popular” devices. Internal documents obtained by The Verge show that Google has mandated that OEMs provide at least 2 years of security updates for certain devices.

Under the terms of Google’s new contract with Android partners, manufacturers must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated for the second year as well, but there is no mention of a minimum number of releases.

What qualifies as a “popular device”?

A popular device, as per this new contract, is any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

A device with >100K activations will require mandatory security updates

In practice, this means upstream patches will have to be merged into the device tree, tested and pushed to the devices within a specific timeframe.

According to The Verge, by the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. This implies that in the second year, even without an annual update minimum, the rolling window will ensure that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.

With these new terms in place, your devices will at least be more secure if they are among the “popular” devices. Most flagships will probably fall under this category from now on.

Source: The Verge