Google’s New Android Policy for 2019: Forced Patch Updates from Device Vendors
Since the first version of Android was released in 2008, the platform has been hounded by a perennial problem: fragmentation. Fragmentation creates compatibility issues, because not all users run the latest version of Android and developers must therefore define the minimum Android version their apps will support. The same fragmentation is an even bigger problem for security, because newer Android releases contain not only feature updates but also security patches that fix known vulnerabilities in the platform.
Google has tried to fix Android’s update delays from within for the last eight years, but the real problem comes from the customization done by every device vendor. Android device vendors want to differentiate their devices from one another, sell across various price ranges and stay competitive in the market. That same setup, however, keeps timely updates from trickling down from Google’s Android Open Source Project (AOSP) source to end-user devices. Samsung, the world’s largest Android manufacturer by profit, takes more than half a year to move its mid- to high-end devices to the next version of Android. The same scenario is common across the whole Android device market, with the exception of Google’s own Pixel and Android One devices.
Given these facts, Google is now forcing manufacturers to fall in line with its AOSP updates. Starting in 2019, device manufacturers must implement an active and regular 90-day update cycle. Google does not force them to upgrade to the newest version of Android, but at a minimum the installed Android version must carry the security patches released within the last 90 days. These patches contain fixes for critical vulnerabilities, including ones already being exploited as zero-days. Google is also requiring every vendor that licenses its Google Apps package for a device to keep supporting the patching process for two years after the initial release of that device model.
What is the penalty for not complying? Google will withdraw the vendor’s license to bundle Google services with its devices. The search giant defines a device as popular once it reaches 100,000 activations per day, and it holds that popular devices demand long-term support from their respective vendors. Google hopes the new policy will complement Project Treble, which was first shipped with Android Oreo. “Android 8.0 re-architected the Android OS framework (in a project known as Treble) to make it easier, faster, and less costly for manufacturers to update devices to a new version of Android. In this new architecture, the HAL interface definition language (HIDL, pronounced “hide-l”) specifies the interface between a HAL and its users, enabling the Android framework to be replaced without rebuilding the HALs. Vendors or SOC makers build HALs once and place them in a /vendor partition on the device; the framework, in its own partition, can then be replaced with an over-the-air (OTA) update without recompiling the HALs,” Google explained about Project Treble in its official blog.
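A practitioner auditing a fleet against the 90-day window described above will want to check two things on each device: how old its security patch level is, and whether it is a Treble device whose framework partition can be updated independently of the vendor HALs. The script below is an added example written for this page; it is not code from the article, from Google or from any vendor. It parses the `[key]: [value]` lines that `adb shell getprop` prints and reads the real system properties `ro.build.version.security_patch` (a `YYYY-MM-DD` date) and `ro.treble.enabled`. The `getprop` text embedded in it is constructed by hand rather than captured from a device, the vendor name is fictional, and the 90-day threshold is the one the article describes.

```python
"""Audit an Android device's security patch level against a 90-day patch cycle.

Added example for this page, not code from the article or from Google.
Run it offline against the constructed sample, or feed it the output of
`adb shell getprop` from a real device.
"""
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample of `getprop` output (hand-written, not captured from a
# real device; "ExampleVendor" is fictional). Real getprop prints the same
# "[key]: [value]" shape, one property per line.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-01-05]
[ro.treble.enabled]: [true]
[ro.product.manufacturer]: [ExampleVendor]
"""

MAX_PATCH_AGE_DAYS = 90  # the update cycle the article describes


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop's "[key]: [value]" lines into a dict; skips malformed lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and line.endswith("]") and "]: [" in line):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def patch_age_days(patch_level: str, today: date) -> int:
    """Days elapsed since the YYYY-MM-DD security patch level."""
    patched = datetime.strptime(patch_level, "%Y-%m-%d").date()
    return (today - patched).days


def audit(props: Dict[str, str], today: date,
          max_age: int = MAX_PATCH_AGE_DAYS) -> Dict[str, object]:
    """Return the patch-level age, the Treble flag and a list of findings.

    A device without ro.build.version.security_patch predates the patch-level
    property entirely and is reported as non-compliant rather than crashing.
    """
    findings: List[str] = []
    patch_level: Optional[str] = props.get("ro.build.version.security_patch")
    age: Optional[int] = None
    if patch_level is None:
        findings.append("no security patch level reported (pre-2015 build?)")
    else:
        age = patch_age_days(patch_level, today)
        if age > max_age:
            findings.append(
                f"patch level {patch_level} is {age} days old, exceeds {max_age}-day window")

    # ro.treble.enabled only exists on Oreo-and-later builds; absent means no Treble.
    treble = props.get("ro.treble.enabled", "false").lower() == "true"
    if not treble:
        findings.append("Treble not enabled: framework cannot be updated independently of vendor HALs")

    return {
        "release": props.get("ro.build.version.release"),
        "patch_level": patch_level,
        "age_days": age,
        "within_window": age is not None and age <= max_age,
        "treble": treble,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(parse_getprop(SAMPLE_GETPROP), today=date(2019, 3, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

To audit a connected device, replace `SAMPLE_GETPROP` with the text returned by `adb shell getprop`; the audit date is passed in explicitly so results are reproducible when run against archived property dumps.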
Kevin Jones
Kevin Jones, Ph.D., is a research associate and cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. He is currently a freelance writer covering the latest security news and related developments. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.