Android Security Updates are Now Mandatory

Discussion in 'HardForum Tech News' started by AlphaAtlas, Oct 25, 2018.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    According to a contract obtained by The Verge, Google is forcing Android device makers to issue security patches for at least 2 years after their products hit the market. "At least four security updates" must be provided within a year of the phone's launch, while requirements for subsequent years are less clear. This contract still doesn't force manufacturers to update devices to new versions of Android.

    The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates. Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.
     
  2. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,954
    Joined:
    Mar 31, 2001
    My $200 chromebook gets updates for 5 years. My $300 android phone only ended up with updates for about 1 year. The mind boggles...
     
  3. DPI

    DPI Nitpick Police

    Messages:
    10,956
    Joined:
    Apr 20, 2013
    It's unfortunate that the security updates can't just be broadcast from Google directly to Android devices, but I realize there's technical complexity with that.
     
  4. Sikkyu

    Sikkyu I Question Reality

    Messages:
    2,882
    Joined:
    Jan 21, 2010
    My Pixel XL is still getting updates 2 years later.
     
    auntjemima likes this.
  5. DPI

    DPI Nitpick Police

    Messages:
    10,956
    Joined:
    Apr 20, 2013
    I think a lot has to do with each device on each carrier almost being its own unique fork/build of Android, where the base OS will be stock Android and then they bake it with their customizations.

    I am beginning to suspect Google plans on solving this long-term by Android going away and future handsets running ChromeOS.
     
  6. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,954
    Joined:
    Mar 31, 2001
    I only buy unlocked phones....nothing carrier specific. Same problem.
     
  7. xmadror

    xmadror Gawd

    Messages:
    654
    Joined:
    Feb 13, 2012
    That's a step in the right direction but really it should be for 1-2 years AFTER the phone is no longer available for sale.
     
  8. Jovian

    Jovian Limp Gawd

    Messages:
    363
    Joined:
    Jun 8, 2004
    Considering the iPhone 5S still gets security updates and is on the latest version of iOS, this is a very much needed requirement. For reference that phone was released in 2013.

    Non-name brand Android phones have had a bad habit of only providing updates while the phone is still on the store shelves. Even some of the brand names typically have not supported them for too much longer after. Glad there is a requirement now.
     
  9. toast0

    toast0 Gawd

    Messages:
    909
    Joined:
    Jan 26, 2010
    Well, I guess we're going to see a lot more device variations, since Google isn't letting people make more than 100,000 of any model number anymore :)

    The proof is in the pudding here though, if you don't follow the requirements, the punishment is Google might not allow you to release new devices.
     
  10. vegeta535

    vegeta535 2[H]4U

    Messages:
    2,942
    Joined:
    Jul 19, 2013
    Well it is directly from Google. Still I believe Google is only supporting their phones for 2 years OS updates and 3 for security. I that my 2 xl gets monthly updates. With the Samsung phones you're lucky to get an update 6 months after every main OS update.
     
  11. My Moto gets updates every 2 months.
     
  12. Nolan7689

    Nolan7689 [H]ard|Gawd

    Messages:
    1,301
    Joined:
    Jun 5, 2015
    There's no true technical complexity there. People shit on Apple's walled garden of an OS and store, but when it comes time for an update phones 5 years old get it right then and there directly from Apple. If Google wanted to flex some muscle I don't doubt they could also get carriers on board with updates coming straight from them. That's the "technical complexity" the different service carriers are often quite shitty about ever delivering updates. Imagine if you bought an AIB GPU and always had to wait on their specific drivers instead of just getting them directly from AMD and Nvidia.
     
  13. DPI

    DPI Nitpick Police

    Messages:
    10,956
    Joined:
    Apr 20, 2013
    I don't know if the anti-Apple sentiments really hold water anymore since Google does almost the same stuff, and Microsoft has tried (but failed). There's a lot to respect about Apple: MacOS still respects users unlike Windows 10 that craps all over them, iOS collects data but nowhere near the level of Android, and iOS updates are the gold standard since they reach back so far to older devices.

    I was once pretty anti-Apple but am starting to lose patience with Google's slow, creeping brazenness about dialing data collection to 11. When I see them testing the waters with stuff like Chrome auto-signin, that's a red line.

    I've loved Android since 2011 but my next device may be Apple, especially if Tim Cook starts delivering on his privacy rhetoric.
     
    Last edited: Oct 25, 2018
    AlphaAtlas, Lakados and MrE like this.
  14. pfc_m_drake

    pfc_m_drake [H]ard|Gawd

    Messages:
    1,225
    Joined:
    Jan 7, 2004
    Google says 2 years for OS updates, but in practice I don't think they've failed to support any device for less than 3 years on OS updates, and even longer on security.
     
    vegeta535 likes this.
  15. vegeta535

    vegeta535 2[H]4U

    Messages:
    2,942
    Joined:
    Jul 19, 2013
    Yeah my mom has a nexus 5x and got a 9.0 last month or so.
     
    Last edited: Oct 25, 2018
  16. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,954
    Joined:
    Mar 31, 2001
    My Moto X Pure is on android 7, and updates/security patches ended way before android 8 ever came out.

    Not really happy with that.
     
    Fresch likes this.
  17. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    10,323
    Joined:
    Oct 4, 2007
    Unlocked Essential phone, it receives updates nearly the same day they are released.
     
    TurboGLH likes this.
  18. mufcfan

    mufcfan Limp Gawd

    Messages:
    245
    Joined:
    Feb 23, 2005
    I have a Nokia 7 Plus which is an Android One phone. It has stock Android with only minor tweaks from Nokia. As far as I know, you don't lose your warranty even if you root it.
    It is already on Android 9 and receives all security patches (monthly), about a week after Google releases them.

    The Android One program requires that security updates need to be supported at least 3 years after the release of the participating device. I think it's reasonable and better than what I have experienced with Samsung devices. The number of participating manufacturers and devices keeps growing, although Nokia enrolled most. They are desperate to get a market share and can't afford to make mistakes; which should be good for customers.
     
  19. trparky

    trparky Gawd

    Messages:
    975
    Joined:
    Jul 23, 2009
    It's because it's a Google device, if you have a Samsung device... good luck.
    Motorola is about the only OEM that gives a damn about their users. The rest like Samsung, HTC, and LG couldn't give a damn about you just as long as you keep buying a new device.
    The lack of proper security patches in the Android world is the primary reason why I went to the iPhone and I've never looked back. Most iOS devices get a good five years of updates which is amazing when compared to that of Android.
    I actually had that happen with an nVidia GPU in a notebook a number of years ago. HP did something to the nVidia GPU that made the stock nVidia drivers useless without MODing them with a hacked INF file.
     
    Nolan7689 likes this.
  20. oldmanbal

    oldmanbal [H]ard|Gawd

    Messages:
    2,039
    Joined:
    Aug 27, 2010
    I just took back a flagship android phone from one of my reps, and I couldn't believe the amount of adware and other nuisance programs that had been installed on the device. He hadn't done a single update in the 9 months I had issued him the phone (he's older - 50+). This needs to be more of a forced situation if you want your operating system to maintain security. Making updates available and actually getting them onto users' phones are 2 separate discussions. While you would think a manufacturer would want the user to have the best experience possible, in reality once they've sold you the phone, they just want to get another phone sale out of you. I can't tell you the countless people I talk to that have a 1 year old phone that say it's getting slow and need to replace it. We're talking $700+ phones that should in essence be fast as fork for emails, websurfing, streaming video etc., that they have neglected. It's a business, I get it, but most people wash their clothes regularly, why can't they clean up their phones? /sad face.
     
  21. InorganicMatter

    InorganicMatter [H]ardForum Junkie

    Messages:
    15,279
    Joined:
    Oct 19, 2004
    All true, along with another point: That 5S isn't just getting bug fixes, but also performance improvements. My iPhone 6 is running so well that I've once again deferred upgrading.

    The prospect of spending a thousand dollars on a device that will be running abandonware in 2 years is just crazy to me. We wouldn't accept this on anything else.
     
  22. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,677
    Joined:
    Dec 15, 2003
    I'm guessing this might force more Android device manufacturers to reconsider how they go about customizing their OS.

    Since the overhead to patch and maintain each carrier version would fall on them if they don't keep it close to stock, we might start seeing these "custom" versions as just additional standalone apps (Carrier Apps, Launcher, Mail, Messages, Phone, etc.). The big players can afford to absorb the maintenance costs. One could hope that's how it plays out, the more devices using close-to-stock, the merrier.
     
  23. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,443
    Joined:
    Jul 11, 2005
    The flexibility of the Linux environment should make it so the manufacturer customizations should really not block universal Android updating. People customize Linux distributions all the time, and yet they get consistent updates for many years.

    Manufacturer customizations should never have meant Google can't update every Android phone out there.

    The drivers don't necessarily need to change to roll out security updates. Same thing for GUI and other customizations.

    While I love my android phone, it's frustrating that Google still hasn't figured this out.

    It's better than it was before. At least many apps get updated now, unlike before, but the whole system should not have a limited lifespan. They're throwing away core functionality to Linux distros that many other distros have already long since figured out...
     
  24. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    10,323
    Joined:
    Oct 4, 2007
    *Cough* Essential Phone *Cough* It had Android 9 nearly the same day as the Pixel phones.
     
  25. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    10,323
    Joined:
    Oct 4, 2007
    Not really, nothing will change, despite what others may want. The phones are like this because Google let them do whatever they wanted with their OS, no strings attached.
     
  26. trparky

    trparky Gawd

    Messages:
    975
    Joined:
    Jul 23, 2009
    The company behind the Essential phone is on life support.
     
  27. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,954
    Joined:
    Mar 31, 2001
    So you are saying they are essentially dead? :ROFLMAO:
     
  28. pfc_m_drake

    pfc_m_drake [H]ard|Gawd

    Messages:
    1,225
    Joined:
    Jan 7, 2004
    I *love* the concept of the Essential Phone. Particularly as an alternative to a Pixel.
    Hopefully they make it.
    They don't even need to make a 'flagship' device. If they made a Nexus5X equivalent under their open-source Android model, I'd be all over it.
     
  29. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    10,323
    Joined:
    Oct 4, 2007
    Which means absolutely nothing. In fact, I will be receiving Android 10 while most of the rest of you guys will be on 8, if you are lucky. Therefore, you are at best incorrect.
     
  30. lostin3d

    lostin3d [H]ard|Gawd

    Messages:
    1,995
    Joined:
    Oct 13, 2016
    I've got a Galaxy Note 2014 Edition (ironically came out Nov. 2013 to compete with the Apple of the time). One of the first Octa-cores. They stopped the OS build updates 2 or 3 gens ago. Otherwise still getting many others. Still use it for basic media/internet stuff. Thing has been a tank.

    I'm glad to see some initiative from the top. Android still has a lot of potential. I've looked at some of the Shark OS's but just can't afford anything like that.

    BloodyIron, so far this is the closest I've really gotten to Linux. When I had my first Linux classes I had already done some poking around my tablet and immediately noticed the similarities. Of course it's one of the many great grandkids of unix>linux but fun to see it keep growing.
     
  31. Lakados

    Lakados [H]ard|Gawd

    Messages:
    1,473
    Joined:
    Feb 3, 2014
    He better be, Apple is pounding on my door with all the stuff they don't do unlike Microsoft and Google trying to win my hardware contracts for 2020. I am just waiting for F.O.I.P.P.A confirmation on the Apple Classroom platform, if they can pull that off and deliver on their price promises for an education market based iPad I will be ordering them by the literal Tonne.
     
  32. BloodyIron

    BloodyIron 2[H]4U

    Messages:
    3,443
    Joined:
    Jul 11, 2005
    One thing I love about Linux, is how fast it develops. Sweet bajezus the last two-three years alone gaming on Linux has skyrocketed.

    It's gone from, it takes a good bit of effort to get League of Legends playable, but you can do it. To, new games will probably play on Linux if they don't have stupid DRM/Anti-Cheat (like PUBG/Fortnite).

     
    lostin3d likes this.
  33. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,023
    Joined:
    Oct 29, 2000
    This is a step in the right direction, but at least 4 in a year following the launch is nowhere near far enough.

    Firstly, that's only one security update every three months. That's nowhere near sufficient. Then, what happens after the first year?

    I would like to see a requirement for biweekly security updates for at least 4 years following the last volume shipment before discontinuation.




    Yep, so is my 5" first gen Pixel. Google has committed to providing regular security updates until October 2019.

    IMHO, this is a bit inadequate considering how long phones last these days. They should provide security updates until the devices are functionally obsolete.

    Hopefully once Google ends support for the first gen Pixels, some 3rd party ROM like LineageOS will continue the work.

    I use LineageOS on my old LG G-Pad X 8.0 I bought to use as a cheap GPS device. It has newer security patches than my Pixel does.

    LineageOS are really good about keeping up with the security patches. There are some seriously old devices on the LineageOS Compatibility list that still get security patches, usually even faster than Google's own devices do.
     
    lostin3d and Sikkyu like this.
  34. rudy

    rudy [H]ardForum Junkie

    Messages:
    8,577
    Joined:
    Apr 4, 2004
    The problem is that on a phone where efficiency for battery life is so important these highly specific builds are part of the solution. To me the argument is similar to what console people argue that by having a highly customized and bare to metal code you get an efficiency gain that can make up for lack of performance. But in the case of phones it's heavily focused on battery life. I also don't really know how chrome OS would change any of that or why there would be any motivation for handset makers to use it when all their code is developed for android. I always thought it would be the opposite one day I see google killing chrome OS and just doing all things on android.
     
  35. chenw

    chenw 2[H]4U

    Messages:
    3,977
    Joined:
    Oct 26, 2014
    Pixels getting updates frequently doesn't surprise me in the least, after all, it's Google's brand, so I would actually expect frequent updates as they are made available to Android. Same thing goes for Apple.

    The problem is the other 3rd parties that make Android phones. My Asus ZF3D only got Android 8 a few months ago, although it is 2 years since I got the phone, heard stories of companies stop updating their phones 6 months after release.

    It just sucks that Apple is still too walled in, and Pixel phones are next to impossible to get where I am.
     
  36. sirmonkey1985

    sirmonkey1985 [H]ard|DCer of the Month - July 2010

    Messages:
    21,237
    Joined:
    Sep 13, 2008
    weird i'm on android 7 with my G5plus and i just got the august security patch a couple weeks ago (usually 2 month delay for each official patch release). my phone's unlocked though so i get mine straight from motorola instead of verizon which stops updating phones after 1 year.
     
  37. ZodaEX

    ZodaEX 2[H]4U

    Messages:
    3,722
    Joined:
    Sep 17, 2004
    Wrong. I've got a 2016 Samsung phone and it still gets updates.
     
  38. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,954
    Joined:
    Mar 31, 2001
    Mine is unlocked too. I haven't received updates for 6+ months, maybe more?
     
  39. trparky

    trparky Gawd

    Messages:
    975
    Joined:
    Jul 23, 2009
    But what country are you in?
     
  40. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,023
    Joined:
    Oct 29, 2000
    I think that can be solved through drivers and power profiles and instead using a unified binary build controlled directly by Google, pushing updates directly to handsets.

    The customization of the Android OS for each device is its biggest problem and needs to go away.

    IMHO the problem is that the idiot marketeers at all of the handset makers want to differentiate their product based on useless software features rather than just competing based on who can make the best hardware.

    This needs to stop.

    They need to adapt the desktop OS model where the binary builds are identical from device to device and the wireless carrier and hardware maker have absolutely no say in the software running on the device at all, other than providing drivers and maybe choosing to include some preinstalled apps.

    Once this hurdle is overcome Android will become far superior to where it is today.