Android Security Updates are Now Mandatory

AlphaAtlas

According to a contract obtained by The Verge, Google is forcing Android device makers to issue security patches for at least 2 years after their products hit the market. "At least four security updates" must be provided within a year of the phone's launch, while requirements for subsequent years are less clear. This contract still doesn't force manufacturers to update devices to new versions of Android.

The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates. Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.
 
My $200 chromebook gets updates for 5 years. My $300 android phone only ended up with updates for about 1 year. The mind boggles...
I think a lot has to do with each device on each carrier almost being its own unique fork/build of Android, where the base OS will be stock Android and then they bake it with their customizations.

I am beginning to suspect Google plans on solving this long-term by Android going away and future handsets running ChromeOS.
 
I think a lot has to do with each device on each carrier almost being its own unique fork/build of Android, where the base OS will be stock Android and then they bake it with their customizations.

I am beginning to suspect Google plans on solving this long-term by Android going away and future handsets running ChromeOS.
I only buy unlocked phones....nothing carrier specific. Same problem.
 
Considering the iPhone 5S still gets security updates and is on the latest version of iOS, this is a very much needed requirement. For reference that phone was released in 2013.

Non-name brand Android phones have had a bad habit of only providing updates while the phone is still on the store shelves. Even some of the brand names typically have not supported them for too much longer after. Glad there is a requirement now.
 
The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users

Well, I guess we're going to see a lot more device variations, since Google isn't letting people make more than 100,000 of any model number anymore :)

The proof is in the pudding here though, if you don't follow the requirements, the punishment is Google might not allow you to release new devices.
 
My Pixel XL is still getting updates 2 years later.
Well it is directly from Google. Still I believe Google is only supporting their phones for 2 years OS updates and 3 for security. I that my 2 xl gets monthly updates. With the Samsung phones you're lucky to get an update 6 months after every main OS update.
 
It's unfortunate that the security updates can't just be broadcast from Google directly to Android devices, but I realize there's technical complexity with that.

There's no true technical complexity there. People shit on Apple's walled garden of an OS and store, but when it comes time for an update phones 5 years old get it right then and there directly from Apple. If Google wanted to flex some muscle I don't doubt they could also get carriers on board with updates coming straight from them. That's the "technical complexity" the different service carriers are often quite shitty about ever delivering updates. Imagine if you bought an AIB GPU and always had to wait on their specific drivers instead of just getting them directly from AMD and Nvidia.
 
People shit on Apple's walled garden of an OS and store, but when it comes time for an update phones 5 years old get it right then and there directly from Apple.
I don't know if the anti-Apple sentiments really hold water anymore since Google does almost the same stuff, and Microsoft has tried (but failed). There's a lot to respect about Apple: MacOS still respects users unlike Windows 10 that craps all over them, iOS collects data but nowhere near the level of Android, and iOS updates are the gold standard since they reach back so far to older devices.

I was once pretty anti-Apple but am starting to lose patience with Google's slow, creeping brazenness about dialing data collection to 11. When I see them testing the waters with stuff like Chrome auto-signin, that's a red line.

I've loved Android since 2011 but my next device may be Apple, especially if Tim Cook starts delivering on his privacy rhetoric.
 
Well it is directly from Google. Still I believe Google is only supporting their phones for 2 years OS updates and 3 for security. I that my 2 xl gets monthly updates. With the Samsung phones you're lucky to get an update 6 months after every main OS update.
Google says 2 years for OS updates, but in practice I don't think they've failed to support any device for less than 3 years on OS updates, and even longer on security.
 
Google says 2 years for OS updates, but in practice I don't think they've failed to support any device for less than 3 years on OS updates, and even longer on security.
Yeah my mom has a nexus 5x and got a 9.0 last month or so.
 
My Moto X Pure is on android 7, and updates/security patches ended way before android 8 ever came out.

Not really happy with that.
 
Unlocked Essential phone, it receives updates nearly the same day they are released.
 
I have a Nokia 7 Plus which is an Android One phone. It has stock Android with only minor tweaks from Nokia. As far as I know, you don't lose your warranty even if you root it.
It is already on Android 9 and receives all security patches (monthly), about a week after Google releases them.

The Android One program requires that security updates need to be supported at least 3 years after the release of the participating device. I think it's reasonable and better than what I have experienced with Samsung devices. The number of participating manufacturers and devices keeps growing, although Nokia enrolled most. They are desperate to get a market share and can't afford to make mistakes; which should be good for customers.
 
My Pixel XL is still getting updates 2 years later.
It's because it's a Google device, if you have a Samsung device... good luck.
My Moto gets updates every 2 months.
Motorola is about the only OEM that gives a damn about their users. The rest like Samsung, HTC, and LG couldn't give a damn about you just as long as you keep buying a new device.
Considering the iPhone 5S still gets security updates and is on the latest version of iOS, this is a very much needed requirement. For reference that phone was released in 2013.
The lack of proper security patches in the Android world is the primary reason why I went to the iPhone and I've never looked back. Most iOS devices get a good five years of updates which is amazing when compared to that of Android.
Imagine if you bought an AIB GPU and always had to wait on their specific drivers instead of just getting them directly from AMD and Nvidia.
I actually had that happen with an nVidia GPU in a notebook a number of years ago. HP did something to the nVidia GPU that made the stock nVidia drivers useless without MODing them with a hacked INF file.
 
I just took back a flagship android phone from one of my reps, and I couldn't believe the amount of adware and other nuisance programs that had been installed on the device. He hadn't done a single update in the 9 months I had issued him the phone (he's older - 50+). This needs to be more of a forced situation if you want your operating system to maintain security. Making updates available and actually getting them onto users' phones are 2 separate discussions. While you would think a manufacturer would want the user to have the best experience possible, in reality once they've sold you the phone, they just want to get another phone sale out of you. I can't tell you the countless people I talk to that have a 1 year old phone that say it's getting slow and need to replace it. We're talking $700+ phones that should in essence be fast as fork for emails, websurfing, streaming video etc., that they have neglected. It's a business, I get it, but most people wash their clothes regularly, why can't they clean up their phones? /sad face.
 
Considering the iPhone 5S still gets security updates and is on the latest version of iOS, this is a very much needed requirement. For reference that phone was released in 2013.

All true, along with another point: That 5S isn't just getting bug fixes, but also performance improvements. My iPhone 6 is running so well that I've once again deferred upgrading.

The prospect of spending a thousand dollars on a device that will be running abandonware in 2 years is just crazy to me. We wouldn't accept this on anything else.
 
I'm guessing this might force more Android device manufacturers to reconsider how they go about customizing their OS.

Since the overhead to patch and maintain each carrier version would fall on them if they don't keep it close to stock, we might start seeing these "custom" versions as just additional standalone apps (Carrier Apps, Launcher, Mail, Messages, Phone, etc.). The big players can afford to absorb the maintenance costs. One could hope that's how it plays out, the more devices using close-to-stock, the merrier.
 
The flexibility of the Linux environment should make it so the manufacturer customizations should really not block universal Android updating. People customize Linux distributions all the time, and yet they get consistent updates for many years.

Manufacturer customizations should never have meant Google can't update every Android phone out there.

The drivers don't necessarily need to change to roll out security updates. Same thing for GUI and other customizations.

While I love my android phone, it's frustrating that Google still hasn't figured this out.

It's better than it was before. At least many apps get updated now, unlike before, but the whole system should not have a limited lifespan. They're throwing away core functionality to Linux distros that many other distros have already long since figured out...
 
It's because it's a Google device, if you have a Samsung device... good luck.

Motorola is about the only OEM that gives a damn about their users. The rest like Samsung, HTC, and LG couldn't give a damn about you just as long as you keep buying a new device.

*Cough* Essential Phone *Cough* It had Android 9 nearly the same day as the Pixel phones.
 
I'm guessing this might force more Android device manufacturers to reconsider how they go about customizing their OS.

Since the overhead to patch and maintain each carrier version would fall on them if they don't keep it close to stock, we might start seeing these "custom" versions as just additional standalone apps (Carrier Apps, Launcher, Mail, Messages, Phone, etc.). The big players can afford to absorb the maintenance costs. One could hope that's how it plays out, the more devices using close-to-stock, the merrier.

Not really, nothing will change, despite what others may want. The phones are like this because Google let them do whatever they wanted with their OS, no strings attached.
 
*Cough* Essential Phone *Cough* It had Android 9 nearly the same day as the Pixel phones.
I *love* the concept of the Essential Phone. Particularly as an alternative to a Pixel.
Hopefully they make it
They don't even need to make a 'flagship' device. If they made a Nexus5X equivalent under their open-source Android model, I'd be all over it.
 
The company behind the Essential phone is on life support.

Which means absolutely nothing. In fact, I will be receiving Android 10 while most of the rest of you guys will be on 8, if you are lucky. Therefore, you are at best incorrect.
 
I've got a Galaxy Note 2014 Edition (ironically came out Nov. 2013 to compete with the Apple of the time). One of the first Octa-cores. They stopped the OS build updates 2 or 3 gens ago. Otherwise still getting many others. Still use it for basic media/internet stuff. Thing has been a tank.

I'm glad to see some initiative from the top. Android still has a lot of potential. I've looked at some of the Shark OS's but just can't afford anything like that.

BloodyIron, so far this is the closest I've really gotten to Linux. When I had my first Linux classes I had already done some poking around my tablet and immediately noticed the similarities. Of course it's one of the many great grandkids of unix>linux but fun to see it keep growing.
 
I don't know if the anti-Apple sentiments really hold water anymore since Google does almost the same stuff, and Microsoft has tried (but failed). There's a lot to respect about Apple: MacOS still respects users unlike Windows 10 that craps all over them, iOS collects data but nowhere near the level of Android, and iOS updates are the gold standard since they reach back so far to older devices.

I was once pretty anti-Apple but am starting to lose patience with Google's slow, creeping brazenness about dialing data collection to 11. When I see them testing the waters with stuff like Chrome auto-signin, that's a red line.

I've loved Android since 2011 but my next device may be Apple, especially if Tim Cook starts delivering on his privacy rhetoric.
He better be, Apple is pounding on my door with all the stuff they don't do unlike Microsoft and Google trying to win my hardware contracts for 2020. I am just waiting for F.O.I.P.P.A conformation on the Apple Classroom platform, if they can pull that off and deliver on their price promises for an education market based iPad I will be ordering them by the literal Tonne.
 
One thing I love about Linux, is how fast it develops. Sweet bajezus the last two-three years alone gaming on Linux has skyrocketed.

It's gone from, it takes a good bit of effort to get League of Legends playable, but you can do it. To, new games will probably play on Linux if they don't have stupid DRM/Anti-Cheat (like PUBG/Fortnite).

I've got a Galaxy Note 2014 Edition (ironically came out Nov. 2013 to compete with the Apple of the time). One of the first Octa-cores. They stopped the OS build updates 2 or 3 gens ago. Otherwise still getting many others. Still use it for basic media/internet stuff. Thing has been a tank.

I'm glad to see some initiative from the top. Android still has a lot of potential. I've looked at some of the Shark OS's but just can't afford anything like that.

BloodyIron, so far this is the closest I've really gotten to Linux. When I had my first Linux classes I had already done some poking around my tablet and immediately noticed the similarities. Of course it's one of the many great grandkids of unix>linux but fun to see it keep growing.
 
This is a step in the right direction, but at least 4 in a year following the launch is nowhere near far enough.

Firstly, that's only one security update every three months. That's nowhere near sufficient. Then, what happens after the first year?

I would like to see a requirement for biweekly security updates for at least 4 years following the last volume shipment before discontinuation.



My Pixel XL is still getting updates 2 years later.


Yep, so is my 5" first gen Pixel. Google has committed to providing regular security updates until October 2019.

IMHO, this is a bit inadequate considering how long phones last these days. They should provide security updates until the devices are functionally obsolete.

Hopefully once Google ends support for the first gen Pixels, some 3rd party ROM like LineageOS will continue the work.

I use LineageOS on my old LG G-Pad X 8.0 I bought to use as a cheap GPS device. It has newer security patches than my Pixel does.

LineageOS are really good about keeping up with the security patches. There are some seriously old devices on the LineageOS Compatibility list that still get security patches, usually even faster than Google's own devices do.
 
I think a lot has to do with each device on each carrier almost being its own unique fork/build of Android, where the base OS will be stock Android and then they bake it with their customizations.

I am beginning to suspect Google plans on solving this long-term by Android going away and future handsets running ChromeOS.

The problem is that on a phone where efficiency for battery life is so important these highly specific builds are part of the solution. To me the argument is similar to what console people argue that by having a highly customized and bare to metal code you get an efficiency gain that can make up for lack of performance. But in the case of phones it's heavily focused on battery life. I also don't really know how chrome OS would change any of that or why there would be any motivation for handset makers to use it when all their code is developed for android. I always thought it would be the opposite one day I see google killing chrome OS and just doing all things on android.
 
Pixels getting updates frequently doesn't surprise me in the least, after all, it's Google's brand, so I would actually expect frequent updates as they are made available to Android. Same thing goes for Apple.

The problem is the other 3rd parties that make Android phones. My Asus ZF3D only got Android 8 a few months ago, although it is 2 years since I got the phone, heard stories of companies stop updating their phones 6 months after release.

It just sucks that Apple is still too walled in, and Pixel phones are next to impossible to get where I am.
 
My Moto X Pure is on android 7, and updates/security patches ended way before android 8 ever came out.

Not really happy with that.

weird i'm on android 7 with my G5plus and i just got the august security patch a couple weeks ago (usually 2 month delay for each official patch release). my phone's unlocked though so i get mine straight from motorola instead of verizon which stops updating phones after 1 year.
 
weird i'm on android 7 with my G5plus and i just got the august security patch a couple weeks ago (usually 2 month delay for each official patch release). my phone's unlocked though so i get mine straight from motorola instead of verizon which stops updating phones after 1 year.

Wrong. I've got a 2016 Samsung phone and it still gets updates.
 
weird i'm on android 7 with my G5plus and i just got the august security patch a couple weeks ago (usually 2 month delay for each official patch release). my phone's unlocked though so i get mine straight from motorola instead of verizon which stops updating phones after 1 year.
Mine is unlocked too. I haven't received updates for 6+ months, maybe more?
 
The problem is that on a phone where efficiency for battery life is so important these highly specific builds are part of the solution. To me the argument is similar to what console people argue that by having a highly customized and bare to metal code you get an efficiency gain that can make up for lack of performance. But in the case of phones it's heavily focused on battery life. I also don't really know how chrome OS would change any of that or why there would be any motivation for handset makers to use it when all their code is developed for android. I always thought it would be the opposite one day I see google killing chrome OS and just doing all things on android.

I think that can be solved through drivers and power profiles and instead using a unified binary build controlled directly by Google, pushing updates directly to handsets.

The customization of the Android OS for each device is its biggest problem and needs to go away.

IMHO the problem is that the idiot marketeers at all of the handset makers want to differentiate their product based on useless software features rather than just competing based on who can make the best hardware.

This needs to stop.

They need to adapt the desktop OS model where the binary builds are identical from device to device and the wireless carrier and hardware maker have absolutely no say in the software running on the device at all, other than providing drivers and maybe choosing to include some preinstalled apps.

Once this hurdle is overcome Android will become far superior to where it is today.
 