Android security: Why Google's demands for updates don't go far enough

Google is forcing some Android phone makers to provide two years of security updates, but it's not as good as you'd think.

Michael Simon Oct 30th 2018

If there's one thing about Android that Google desperately wants to fix, it's updates. Unless you're buying a Pixel or an Android One phone, you're never really sure whether you're going to get updates as they're available or, really, at all.

It's a question whether you're buying a thousand-dollar Galaxy Note 9 or something much cheaper: what's going to happen to my phone in 6, 12, or 24 months?

Now Google is trying to make sure everyone has the same answer to that question. According to a report in The Verge, Google's latest Android partner contract finally includes language that mandates security updates for a minimum of two years, lest the OEM in question lose future phone approval.

That all sounds well and good on paper, but it's not like Google is playing hardball here. The requirements are about as light as they can be and apply to a relatively small subset of phones. As The Verge reports, the terms:

  1. Cover devices launched after January 31, 2018;
  2. Apply to phones with at least 100,000 activations;
  3. Stipulate only quarterly security updates for the first year;
  4. Place no minimum on security updates in the second year; and
  5. Make no mention of version updates.

Same old, same old

For many users, things aren't going to change much. Samsung already updates its phones with security patches at least four times a year, as do Huawei, LG, Lenovo, Nokia, Sony, and others. In fact, for some of these phones, meeting Google's bare-minimum requirements would actually mean fewer updates, not more.


Phone makers like Huawei already offer far more than four security updates per year.

Things probably won't change much even for phones that aren't updated as regularly. Taking the contract at its literal word, Google requires only 5 updates over 24 months. This means phones that are woefully behind on security patches today will probably still be woefully behind this time next year.

Let's say a phone is released January 15, 2019, and reaches the 100,000-sold activation trigger. By next October it could be running Android 8 Oreo with July's security patch and still technically be in full compliance with Google's contract.

Listen, this is a good start, albeit a late one. Android is on its 9th major revision and 16th overall, and Google is only just now getting around to mandating security updates for its partners. But cool, I'm on board with the change; I just wish Google had gone further.

There are 12 security updates each year, so why mandate only four? And what about version updates? Each new release of Android contains plenty of security, performance, and safety features that all Android phones can benefit from, not just the small percentage that are lucky enough to get updates. Why isn't Google demanding that Android phones get at least one version upgrade from the point of sale?

Barely bare minimum

Google is at something of a crossroads with Android, and not just because it needs to come up with a confection that starts with the letter Q. Now on its third Pixel phone, Google doesn't just promise five updates in two years on its own phones, it promises 36 security updates over three years, plus two full version upgrades. Granted, that's probably too much to bear for many smaller OEMs, but what about half a year of updates? Or raising the limit for phones that sell more than a million units?


If monthly security updates are demanded for the Pixel, why are quarterly updates good enough for other phones?

Google is in a position to make much more stringent demands. For example, after a ruling by EU courts that prohibited the company from bundling Chrome and other apps with Android licenses, Google will reportedly begin charging to include essential apps like the Play Store in the free version of Android. If Google can charge as much as $40 per device for the same apps it used to supply for free, surely it can demand six measly security updates a year.

I mean, we're not talking about new features or UI overhauls here. Security updates patch code that already exists, and they shouldn't be too burdensome for manufacturers to implement. If monthly updates are possible for Android One phones, why not for others? By Google's own words, "updates on a 90-day frequency represents a minimum security hygiene requirement," but shouldn't Google be asking for more than the bare minimum from the phones running its OS?

So, while we can all applaud a move that finally brings some level of uniformity to Android phones when it comes to security, I hope it's just the start of better things to come.