Android security: Why Google’s demands for updates don’t go far enough

A minimum of five updates in two years just doesn’t cut it.

PCWorld (USA) - News - By Michael Simon

If there’s one thing about Android that Google desperately wants to fix, it’s updates. Unless you’re buying a Pixel or an Android One phone, you’re never really sure whether you’re going to get updates as they’re available or, really, at all.

It’s a question whether you’re buying a thousand-dollar Galaxy Note 9 or something much cheaper: What’s going to happen to my phone in 6, 12, or 24 months?

Now Google is trying to make sure everyone has the same answer to that question. According to a report in The Verge ( go.pc, Google’s latest Android partner contract finally includes language that mandates security updates for a minimum of two years, lest the OEM in question lose future phone approval.

That all sounds well and good on paper, but it’s not like Google is playing hardball here. The requirements are about as light as they can be and apply to a relatively small subset of phones. As The Verge reports, the terms:

1. Cover devices launched after January 31, 2018;

2. Apply to phones with at least 100,000 activations;

3. Stipulate only quarterly security updates for the first year;

4. Place no minimum on security updates in the second year; and

5. Make no mention of version updates.


For many users, things aren’t going to change much. Samsung already updates its phones with security patches at least four times a year, as do Huawei, LG, Lenovo, Nokia, Sony, and others. In fact, for some of the phones, meeting Google’s bare-minimum requirements would actually represent fewer updates, not more.

Things probably won’t change too much even for phones that aren’t updated as regularly. Taking the contract at its literal word, Google requires only 5 updates over 24 months. This means phones that are woefully behind on security patches will probably still be woefully behind on security updates this time next year.

Let’s say a phone is released January 15, 2019, and reaches the 100,000-sold activation trigger. By next October it could be running Android 8 Oreo with July’s security patch and still technically be in full compliance with Google’s contract.

Listen, this is a good start, albeit a late one. Android is on its 9th major revision and 16th overall, and Google is only just now getting around to mandating security updates for its partners. But cool, I’m on board with the change, I just wish Google had gone further.

There are 12 security updates each year, so why mandate only four? And what about version updates? Each new release of Android contains plenty of security, performance, and safety features that all Android phones can benefit from, not just the small percentage that are lucky enough to get updates. Why isn’t Google demanding that Android phones get at least one version upgrade from the point of sale?


Google is at something of a crossroads with Android, and not just because it needs to come up with a confection that starts with the letter Q. Now on its third Pixel phone, Google doesn’t just promise five updates in two years on its own phones, it promises 36 security updates over three years, plus two full version upgrades. Granted, that’s probably too much to bear for many smaller OEMs, but what about half a year of updates? Or raising the limit for phones that sell more than a million units?

Google is in a position to make much more stringent demands. For example, after a ruling by EU courts that prohibited the company from bundling Chrome and other apps with Android licenses, Google will reportedly begin charging (go.pcworld.com/40ph) to include essential apps like the Play Store in the free version of Android. If Google can charge as much as $40 per device for the same apps it used to supply for free, surely it can demand six measly security updates a year.

I mean, we’re not talking about new features or UI overhauls here. Security updates are about patching the code that already exists, and they shouldn’t be too burdensome for manufacturers to implement. If monthly updates are possible for Android One phones, why not others? By Google’s own words (go.pcworld.com/evup), “updates on a 90-day frequency represents a minimum security hygiene requirement,” but shouldn’t Google ask more than the bare minimum from the phones running its OS?

So, while we can all applaud a move that finally brings some level of uniformity to Android phones when it comes to security, I hope it’s just a start of better things to come.

Phone makers like Huawei already offer far more than 4 security updates per year.

If monthly security updates are demanded for the Pixel, why are quarterly updates good enough for other phones?
