Following its decision to charge Android device makers for its core apps, Google has now got tough again, updating its Original Equipment Manufacturer (OEM) agreements to force the companies into rolling out security updates regularly.
It has been well known for some time that the organisation of security updates for Android has been poorly managed. And it seems Google has finally had enough.
Even when Google rolls out security patches, a major part of the Android ecosystem remains exposed to hackers because device manufacturers do not, on the whole, deliver patches to their customers with any regularity or on a timely basis.
Google has now addressed this, having announced at its I/O Developer Conference in May plans to update the OEM agreements to require manufacturers to roll out security updates on a regular basis.
A leaked, but as yet unverified, copy of a new contract between Google and the OEMs has revealed some of the terms the companies must comply with; otherwise they will lose their Google certification for future Android devices.
According to the leaked agreement, Android OEMs will be required to release ‘at least four security updates’ in the first year after the launch of a smartphone. The agreement doesn’t give a specific number for the second year.
It does, though, stipulate that a manufacturer must not delay patch updates for any security vulnerabilities for more than 90 days. In effect, manufacturers will now be required to issue patch updates every quarter of the first year.
The 90-day requirement ‘is a minimum security hygiene requirement,’ said a Google spokesperson, adding that ‘the majority of the developed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.’
While the leaked agreement has not been verified by other sources, if true it would have an enormous impact on the overall state of security and could benefit millions of Android users.