Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.
A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.
David Kleidermacher, Google’s head of Android security, referred to these terms earlier this year during a talk at Google I/O. Kleidermacher said that Google had added a provision into its agreements with partners to roll out “regular” security updates. But it wasn’t clear which devices those would apply to, how often those updates would come, or for how long.
The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.
Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.
The terms appear in Google’s new licensing agreement for Android phones and tablets to be distributed in the European Union while bundling the company’s apps, including the all-important Play Store. While The Verge cannot confirm that the requirement appears in Google’s global licensing terms, the contract and Google’s public comments indicate that the terms are likely the same or substantially similar in all regions.
A Google spokesperson pointed to company statements from earlier this year calling 90-day bug fixes “a minimum security hygiene requirement” and saying that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.” They also pointed to Google’s Android One program, which delivers monthly security updates for three years to supported phones. However, the hygiene statement referred to best practices, and most phones aren’t covered by Android One’s terms.
Fragmented security has long been a problem on Android, where phone manufacturers will sometimes ignore products as they age or their use count dwindles. Consumers have rarely had certainty that their device would get timely updates, leading to flaws that remain open well beyond when they were identified.
Google has had to nudge carriers and manufacturers to fix the problem in recent years. Recent versions of Android have made it easier to see how recently your phone was updated and the last full version, Android Oreo, restructured the system in a way that made overall OS updates easier and faster to build. Google has also used the Enterprise Recommended program to encourage large buyers to pick safer phones and reward manufacturers that keep phones up to date.
But because manufacturers rely on Google for its suite of apps, the company can also make outright demands for updates in its contract. This contractual commitment to patching devices goes much further and guarantees in many cases that devices will remain up to date. While consumers will have no way of knowing for certain whether a device they buy is covered by this agreement, it’s likely that phones or tablets sold internationally and at major retailers would hit the 100,000 sales mark that forces the regular coverage. As Android splits following the EU ruling, the contract also raises questions about how non-Google phones will receive security updates without the same contractual pressures.