Even after Google timely rolls out security patches for its Android platform, a major part of the Android ecosystem remains exposed to hackers because device manufacturers do not deliver patches regularly and on a timely basis to their customers.
To deal with this issue, Google at its I/O Developer Conference May 2018 revealed the company's plan to update its OEM agreements that would require Android device manufacturers to roll out at least security updates regularly.
Now, a leaked, unverified copy of a new contract between Google and OEMs obtained by The Verge reveals some terms of the agreement that device manufacturers have to comply with or otherwise they have to lose their Google certification for upcoming Android devices.
Google's New Terms for Android Security Updates
According to the leaked contract, Android OEMs will now be required to regularly roll out security updates for popular devices—launched after January 31st, 2018 and activated by more than 100,000 users—for at least two years.
The Android device makers are mandated to release "at least four security updates" in the first year following a smartphone's launch, but for the second year, the number of updates is unspecified.
Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days.
In other words, the minimum requirement of the contract is a security patch update every quarter.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
A Google spokesperson says that the 90-day requirement is "a minimum security hygiene requirement" and that "the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days."
As of now, the authenticity of the new Android partner contract is not verified, but the new changes made by Google will definitely have a massive impact on the overall state of Android security and benefit millions of Android users.
In separate news, Google last week announced its plans to charge a licensing fee to European Android phone manufacturers who want to include the Play Store, Gmail, YouTube, Maps, and Chrome on their Android handsets, that otherwise come free with Android OS.
You can read more about it in our previous article published here.