Google mandates two years of security updates for popular phones in new Android contract

Illustration by Alex Castro / The Verge

Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.

A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.

David Kleidermacher, Google’s head of Android security, referred to these terms earlier this year during a talk at Google I/O. Kleidermacher said that Google had added a provision into its agreements with partners to roll out “regular” security updates. But it wasn’t clear which devices those would apply to, how often those updates would come, or for how long.

The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.

The terms appear in Google’s new licensing agreement for Android phones and tablets to be distributed in the European Union while bundling the company’s apps, including the all-important Play Store. While The Verge cannot confirm that the requirement appears in Google’s global licensing terms, the contract and Google’s public comments indicate that the terms are likely the same or substantially similar in all regions.

A Google spokesperson pointed to company statements from earlier this year calling 90-day bug fixes “a minimum security hygiene requirement” and saying that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.” They also pointed to Google’s Android One program, which delivers monthly security updates for three years to supported phones. However, the hygiene statement referred to best practices, and most phones aren’t covered by Android One’s terms.

Fragmented security has long been a problem on Android, where phone manufacturers will sometimes ignore products as they age or their use count dwindles. Consumers have rarely had certainty that their device would get timely updates, leading to flaws that remain open well beyond when they were identified.

Google has had to nudge carriers and manufacturers to fix the problem in recent years. Recent versions of Android have made it easier to see how recently your phone was updated and the last full version, Android Oreo, restructured the system in a way that made overall OS updates easier and faster to build. Google has also used the Enterprise Recommended program to encourage large buyers to pick safer phones and reward manufacturers that keep phones up to date.

But because manufacturers rely on Google for its suite of apps, the company can also make outright demands for updates in its contract. This contractual commitment to patching devices goes much further and guarantees in many cases that devices will remain up to date. While consumers will have no way of knowing for certain whether a device they buy is covered by this agreement, it’s likely that phones or tablets sold internationally and at major retailers would hit the 100,000 sales mark that forces the regular coverage. As Android splits following the EU ruling, the contract also raises questions about how non-Google phones will receive security updates without the same contractual pressures.

Comments

Two years is too little. With the current level of maturity of the devices, medium and high-end phones should last for five years at the least. There should be guaranteed OS and security updates for this period. Phone vendors may charge more for the phones upfront. There is no point generating so much e-waste.

A two-year mandate is not bad at all. With a budget phone, just buy another one when it gets slow in two or three years.

A two-year mandate is not enough at all. That you need to replace your phone every two to three years "because it gets slow" is an awful mindset. Bear in mind that phones bought some time after release will be out of security support in a matter of months. Also, this applies to flagships as well.

No other mobile or desktop OS other than Android is expected to have such a large user base out of security support. This should be simply unacceptable.

That’s horribly wasteful. We should be moving towards efficiency, not less.

I say at least 3, 5 is pushing it a bit. But 3 for sure.

Not with Apple, though.

It's a mandate.
Samsung phones currently provide 3 years of security updates.

So long as they stopped lying about providing them.

5 years? Hahah, good luck. 3 is good, 4 maybe for high-end flagships.

5 for the iPhone 5s and those are OS updates.

Actually, six, from iOS 7 to 12. It was released in fall 2013 and will probably be out of support when iOS 13 launches next year.

5 Updates – 6 OS versions.
Also – you can’t really claim those are OS updates when a bulk of the features are not provided.

BUT it's still a good thing that they provide the updates.

Yup, iOS 13 is also planned to be the big update (everyone says that but fr this time) so it makes sense to drop the 5s from the lineup.

Yeah 5 years is a totally reasonable minimum. Apple currently supports 7 generations of iPhones.

Apple also made all those phones and designed all their software.

But sure, that’s the same as trying to support thousands of different devices running hundreds of modified versions of the OS.

Get over it

Counter argument: Apple has to write the software and integrate it with the hardware. Android OEMs just have to do the latter.

Apple also has to make the chips for the phones, the camera for the phones, and the whole phone itself. Even the panels which came from Samsung last year were modified by Apple still to make it even better. There is literally no reason for Android OEMs who take a shell and pack it with third-party parts to be unable to issue software updates. Especially if they have the time to fill it with bloatware, garbage skins, and new layouts.

Huh? Yeah, I understand WHY the update situation on Android is so laughably broken, but that doesn’t make it any better, does it?

Apple degrades all phones after the next generation of phone comes out.
Not only that, the iPhone X camera never got an upgrade when the new camera for the iPhone XS Max is only purely a software update.
The iPhone XS Max camera isn't any good anyway; I have now run several tests against it in the last 10 days. The owners regretted not getting a Pixel, and I only have the Pixel 2.
Save your money.

"Apple degrades all phones after the next generation of phone comes out."

Huh? They most definitely do not. Where do you get this nonsense from?

"Not only that, the iPhone X camera never got an upgrade when the new camera for the iPhone XS Max is only purely a software update."

This is an incredibly ignorant comment. The iPhone Xs camera improvements are only possible because of the A12 chip. That's why previous iPhones don't get those improvements. It is a hardware issue, not software. Do some research so you don't look so uninformed. The Xs and Xs Max camera is amazing, undeniably in the top 2-3 smartphone cameras.

Actually, Core ML runs 9x faster on the A12 chip than the A11 chip in the X. This very same thing is the one thing that enables HDR+ and other "sOftwArE" changes that the Xs has over the X.

Five years would be nice, but phones no longer come with easily replaceable batteries. I highly doubt that many people take theirs to a repair shop to get a new one swapped in. My Moto X Pure ran great for the three years I had it, but the battery just went down in it. Just replaced it with a Nokia 7.1 this weekend.

Considering the price of great Android One mid-range phones now, I think three years is fine, and then upgrade. I could see four years for flagship prices, but I doubt the batteries are any more enduring.

Batteries aren't user-serviceable, but they're still serviceable. We need to start encouraging people to maintain existing devices instead of just tossing them for new ones.

The fun thing is "Who pays for this?" and this has been the sticking point for a decade. Carriers? Google? The device manufacturer?

They all have this justification why they are not responsible for updates.
