Google requires 2 years of Android security updates for popular devices

The media outlet The Verge obtained a copy of a contract between Google and OEMs that obliges them to provide two years of security updates for popular phones.

Google continues the battle to secure its users' devices, this time making two years of Android security updates mandatory for device makers.

One of the main problems with patch management is related to the distribution of security patches issued by Google for Android OS.

Device manufacturers often delay the installation of these security patches, exposing device owners to cyber attacks. Google is committed to solving this issue; during the Google I/O Developer Conference in May 2018, it announced its plan to update its OEM agreements to require Android device manufacturers to roll out security updates regularly.

A Google spokesperson declared that the 90-day requirement is “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”

The media outlet The Verge obtained a copy of the agreement between the tech giant and OEMs; the contract obliges Android device makers to regularly install updates for any popular phone or tablet for at least two years. For the second year, OEMs have to continue to provide security updates, but the contract does not mention the exact number of updates.

If OEMs violate the contract, they will lose their Google certification for upcoming Android devices. They must roll out at least four security updates within one year of the phone’s launch.

“A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch.” states The Verge.

“Security updates are mandated within the second year as well, though without a specified minimum number of releases.”

Android OEMs will be obliged to regularly provide security updates for popular devices that have been launched after January 31st, 2018 and that have more than 100,000 active users.

Besides this, the contract also stipulates that the manufacturers must not delay patch updates for security vulnerabilities for more than 90 days.

In other words, the minimum requirement of the contract is a security patch update every quarter.

The contract obtained by The Verge could have a massive impact on both OEMs and end-users; the overall level of security for Android devices will increase significantly.

“But because manufacturers rely on Google for its suite of apps, the company can also make outright demands for updates in its contract. This contractual commitment to patching devices goes much further and guarantees in many cases that devices will remain up to date.” concludes The Verge.

“As Android splits following the EU ruling, the contract also raises questions about how non-Google phones will receive security updates without the same contractual pressures.”

Pierluigi Paganini

(Security Affairs – OEMs, Android security updates)
