Thursday, May 10, 2018

Google is starting to require that OEMs roll out regular security patches

At the annual Google I/O developer conference, the company holds several sessions about updates to the Android platform. During the "What's new in Android Security" talk, Google's head of Android platform security Dave Kleidermacher talked about the upcoming security changes in the Android P release. Near the beginning of the talk, Mr. Kleidermacher discussed how the company was making it easier for OEMs to roll out security patches thanks to the architectural changes implemented with Project Treble. He followed this statement with a small, but incredibly important tidbit of information: Google has modified their OEM agreements to include provisions for regular security patches.

"We've also worked on building security patching into our OEM agreements. Now this will really lead to a massive increase in the number of devices and users receiving regular security patches." – Dave Kleidermacher, Google's head of Android platform security

Google releases monthly security patch bulletins that list patches for known vulnerabilities. These bulletins are generally made public in the first week of each month, but OEMs and vendors receive the monthly security patches a month in advance. This gives OEMs and vendors time to patch vulnerabilities before the bulletin is made public; it's how companies like Essential are able to provide security patch updates on the same day as Google.

Google hasn't required OEMs to update their devices with the latest security patches, though generally, larger OEMs offer them for at least their flagship devices to assure customers that their devices are secure. A recent report revealed that some OEMs have missed patches from monthly Android security bulletins, and data shows that many devices fail to receive security patch updates in a timely manner. Google wants to change that.

The company has a few programs in place to bind their partners to certain terms. One of them is the GMS partner program, and another is the Android partner program. Companies in the latter program work closely with Google to make sure their devices are compliant with Google's requirements for the latest version of Android (specified in the Compatibility Definition Document and tested by the Compatibility Test Suite). Android partners also receive new Android releases faster than other companies; it's why companies like Xiaomi, Essential, and OnePlus received early access to the Android P Developer Preview 2 while other companies seemingly did not. Now it seems that Google is reworking the agreement with their Android partners to include terms requiring regular security patches.

Unfortunately, there are few details available about the updated Android partner agreement. We don't know how often Google will require their OEM partners to implement patches. Google is likely requiring OEMs to roll out security patches on a monthly basis as Google doesn't want Android devices to stay unpatched, but we aren't sure about the timeline in the agreement. We also don't know if Google has provisions in place to verify that security patches are being properly implemented. Still, the Android partner program is hugely beneficial for OEMs to be in, so it's in their best interests to abide by the changes even if there may be some internal disagreements with the decision. Hopefully, as Mr. Kleidermacher stated, this change will make sure that millions more Android users are kept secure against the latest security threats.

from xda-developers https://ift.tt/2IcbA6a
via IFTTT