The contract applies to any device launched after the 31st of January that has had more than 100,000 activations. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “mandatory security models.” Google says that, starting January 31st 2019, all mandatory security models will require these security updates. How far along this effort is remains unknown, and it could fall apart at any time should larger OEMs disagree. It’s unclear which OEMs have signed this new contract. It’s possible that, should a larger OEM with enormous sway disagree with some of the terms, the contract may be rewritten.
The Google team releases a new set of Android system updates every month, but carriers and handset vendors may not be able to install them in time. Although the problem is complicated, the confidential contract obtained by The Verge shows that many vendors now have a clear obligation to update their Android phones in time.
The contract requires Android device vendors to regularly install updates for popular phones and tablets for at least two years. The agreement between Google and Android partners also stipulates that they must provide “at least four security updates” within one year of the release of the mobile phone. The second year of security updates is also enforced, but there are no clear minimum requirements.
Google’s Android security director David Kleidermacher mentioned the terms at the I/O Developers Conference earlier this year. He said at the time that Google had added a “regular” provision for security updates in its agreement with its partners. However, which devices the provision applied to and how frequently updates were required were not disclosed at the time.