Android security: Why Google's demands for updates don't go far enough

A minimum of five updates in two years just doesn't cut it.

Credit: Michael Simon/IDG

If there's one thing about Android that Google desperately wants to fix, it's updates. Unless you're buying a Pixel or an Android One phone, you're never really sure whether you're going to get updates as they're available or, really, at all.

It's a question whether you're buying a thousand-dollar Galaxy Note 9 or something much cheaper: What's going to happen to my phone in 6, 12, or 24 months?

Now Google is trying to make sure everyone has the same answer to that question. According to a report in The Verge, Google's latest Android partner contract finally includes language that mandates security updates for a minimum of two years, lest the OEM in question lose future phone approval.

That all sounds well and good on paper, but it's not like Google is playing hardball here. The requirements are about as light as they can be and apply to a relatively small subset of phones. As The Verge reports, the terms:

  1. Cover devices launched after January 31, 2018;
  2. Apply to phones with at least 100,000 activations;
  3. Stipulate only quarterly security updates for the first year;
  4. Place no minimum on security updates in the second year; and
  5. Make no mention of version updates.

Same old, same old

For many users, things aren't going to change much. Samsung already updates its phones with security patches at least four times a year, as do Huawei, LG, Lenovo, Nokia, Sony, and others. In fact, for some of the phones, meeting Google's bare-minimum requirements would actually represent fewer updates, not more.

Credit: Adam Patrick Murray/IDG

Phone makers like Huawei already offer far more than 4 security updates per year.

Things probably won't change too much even for phones that aren't updated as regularly. Taking the contract at its literal word, Google requires only 5 updates over 24 months. This means phones that are woefully behind on security patches will probably still be woefully behind on security updates this time next year.

Let's say a phone is released January 15, 2019, and reaches the 100,000-sold activation trigger. By next October it could be running Android 8 Oreo with July's security patch and still technically be in full compliance with Google's contract.

Listen, this is a good start, albeit a late one. Android is on its 9th major revision and 16th overall, and Google is only just now getting around to mandating security updates for its partners. But cool, I'm on board with the change; I just wish Google had gone further.

There are 12 security updates each year, so why mandate only four? And what about version updates? Each new release of Android contains plenty of security, performance, and safety features that all Android phones can benefit from, not just the small percentage that are lucky enough to get updates. Why isn't Google demanding that Android phones get at least one version upgrade from the point of sale?

Barely bare minimum 

Google is at something of a crossroads with Android, and not just because it needs to come up with a confection that starts with the letter Q. Now on its third Pixel phone, Google doesn't just promise five updates in two years on its own phones, it promises 36 security updates over three years, plus two full version upgrades. Granted, that's probably too much to bear for many smaller OEMs, but what about half a year of updates? Or raising the limit for phones that sell more than a million units?

Credit: Christopher Hebert/IDG

If monthly security updates are demanded for the Pixel, why are quarterly updates good enough for other phones?

Google is in a position to make much more stringent demands. For example, after a ruling by EU courts that prohibited the company from bundling Chrome and other apps with Android licenses, Google will reportedly begin charging to include essential apps like the Play Store in the free version of Android. If Google can charge as much as $40 per device for the same apps it used to supply for free, surely it can demand six measly security updates a year.

I mean, we're not talking about new features or UI overhauls here. Security updates are about patching the code that already exists, and they shouldn't be too burdensome for manufacturers to implement. If monthly updates are possible for Android One phones, why not others? By Google's own words, "updates on a 90-day frequency represents a minimum security hygiene requirement," but shouldn't Google be asking more than the bare minimum from the phones running its OS?

So, while we can all applaud a move that finally brings some level of uniformity to Android phones when it comes to security, I hope it's just a start of better things to come.

Michael Simon


PC World (US online)