At Google I/O 2018 back in May, the company pledged to work with manufacturers of Android phones to ensure more regular security patches. It has now come to light that Google is mandating at least two years of security updates on Android phones, and enforcing this by writing it directly into OEM contracts. Confidential contracts obtained by The Verge show that many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.

Fragmented security has long been a problem on Android, where phone manufacturers will sometimes ignore products as they age or their user base dwindles. Consumers have rarely had any certainty that their device would receive timely updates, leaving known flaws unpatched well beyond the point at which they were identified.

The terms cover any device launched after January 31st, 2018 that has been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

While this is obviously a step in the right direction, it still isn’t a complete fix to the problem. Google releases security patches monthly, but in the confidential contract documents, Google is letting OEMs push out an update as infrequently as once every 90 days. Updating four times a year would still leave some users vulnerable for up to 90 days.