PCWorld (USA)

Android security: Why Google’s demands for updates don’t go far enough

A minimum of five updates in two years just doesn’t cut it.

- BY MICHAEL SIMON

If there’s one thing about Android that Google desperately wants to fix, it’s updates. Unless you’re buying a Pixel or an Android One phone, you’re never really sure whether you’re going to get updates as they become available or, really, at all.

It’s a question whether you’re buying a thousand-dollar Galaxy Note 9 or something much cheaper: What’s going to happen to my phone in 6, 12, or 24 months?

Now Google is trying to make sure everyone has the same answer to that question. According to a report in The Verge ( go.pcworld.com/2yrs), Google’s latest Android partner contract finally includes language that mandates security updates for a minimum of two years, lest the OEM in question lose future phone approval.

That all sounds well and good on paper, but it’s not like Google is playing hardball here. The requirements are about as light as they can be and apply to a relatively small subset of phones. As The Verge reports, the terms:

1. Cover devices launched after January 31, 2018;

2. Apply to phones with at least 100,000 activations;

3. Stipulate only quarterly security updates for the first year;

4. Place no minimum on security updates in the second year; and

5. Make no mention of version updates.

SAME OLD, SAME OLD

For many users, things aren’t going to change much. Samsung already updates its phones with security patches at least four times a year, as do Huawei, LG, Lenovo, Nokia, Sony, and others. In fact, for some of those phones, meeting Google’s bare-minimum requirements would actually represent fewer updates, not more.

Things probably won’t change too much even for phones that aren’t updated as regularly. Taking the contract at its word, Google requires only five updates over 24 months. This means phones that are woefully behind on security patches today will probably still be woefully behind this time next year.

Let’s say a phone is released January 15, 2019, and reaches the 100,000-activation trigger. By next October it could be running Android 8 Oreo with July’s security patch and still technically be in full compliance with Google’s contract.

Listen, this is a good start, albeit a late one. Android is on its 9th major revision and 16th overall, and Google is only just now getting around to mandating security updates for its partners. But cool, I’m on board with the change, I just wish Google had gone further.

There are 12 security updates each year, so why mandate only four? And what about version updates? Each new release of Android contains plenty of security, performance, and safety features that all Android phones can benefit from, not just the small percentage that are lucky enough to get updates. Why isn’t Google demanding that Android phones get at least one version upgrade from the point of sale?

BARELY BARE MINIMUM

Google is at something of a crossroads with Android, and not just because it needs to come up with a confection that starts with the letter Q. Now on its third Pixel phone, Google doesn’t just promise five updates in two years on its own phones; it promises 36 security updates over three years, plus two full version upgrades. Granted, that’s probably too much to bear for many smaller OEMs, but what about an extra half year of updates? Or raising the requirement for phones that sell more than a million units?

Google is in a position to make much more stringent demands. For example, after an EU antitrust ruling that prohibited the company from bundling Chrome and other apps with Android licenses, Google will reportedly begin charging ( go.pcworld.com/40ph) to include essential apps like the Play Store in the free version of Android. If Google can charge as much as $40 per device for the same apps it used to supply for free, surely it can demand six measly security updates a year.

I mean, we’re not talking about new features or UI overhauls here. Security updates are about patching the code that already exists, and they shouldn’t be too burdensome for manufacturers to implement. If monthly updates are possible for Android One phones, why not others? By Google’s own words ( go.pcworld.com/evup), “updates on a 90-day frequency represents a minimum security hygiene requirement,” but shouldn’t Google ask more than the bare minimum from the phones running its OS?

So, while we can all applaud a move that finally brings some level of uniformity to Android phones when it comes to security, I hope it’s just the start of better things to come.

Phone makers like Huawei already offer far more than 4 security updates per year.

If monthly security updates are demanded for the Pixel, why are quarterly updates good enough for other phones?
