Slashdot Mirror


Google Now Requires Partner OEMs To Offer Two Years of Security Updates To Popular Phones (theverge.com)

Confidential contracts obtained by news outlet The Verge show many Android smartphone vendors now have explicit obligations to keep their phones updated. From the report: A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google's contract with Android partners stipulates that they must provide "at least four security updates" within one year of the phone's launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.

David Kleidermacher, Google's head of Android security, referred to these terms earlier this year during a talk at Google I/O. Kleidermacher said that Google had added a provision into its agreements with partners to roll out "regular" security updates. But it wasn't clear which devices those would apply to, how often those updates would come, or for how long. The terms cover any device launched after January 31st, 2018 that's been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer's "security mandatory models." Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

74 comments

  1. Why Start Now? by Anonymous Coward · · Score: 0

    Clearly the WindowsME security model is working for them, why should they change now?

    1. Re:Why Start Now? by jfdavis668 · · Score: 2

      Does Android use the "fail to boot up" or the "crash before it can be hacked" security model?

    2. Re:Why Start Now? by viperidaenz · · Score: 1

      Those issues were resolved through study of the Ballmer Peak

      https://xkcd.com/323/

    3. Re:Why Start Now? by Anonymous Coward · · Score: 0

      Does Android use the "fail to boot up" or the "crash before it can be hacked" security model?

      sadly the answer to that is often YES :( I love my android devices but fuck me the inconsistency and stability of many of them are atrocious.

  2. Not long enough by Anonymous Coward · · Score: 4, Insightful

    It's a step in the right direction, but not long enough. Many people use the same phone for more than two years. Buying a new phone is expensive. It's wasteful to throw out older devices that are still more than capable of meeting the needs of their users. This should be more like five years rather than two.

    1. Re:Not long enough by Anonymous Coward · · Score: 0

      Five years? You want phone VPs to start flying coach? Fuck you!!!!

    2. Re:Not long enough by LostOne · · Score: 1

      True, that. But maybe, just maybe, this can be the camel's nose.

      --

      If it works in theory, try something else in practice.
    3. Re:Not long enough by bobbied · · Score: 4, Interesting

      It's a step in the right direction, but not long enough. Many people use the same phone for more than two years. Buying a new phone is expensive. It's wasteful to throw out older devices that are still more than capable of meeting the needs of their users. This should be more like five years rather than two.

      I fully agree, plus they need to make vendors support user's right to repair by providing commonly used replacement parts such as screens, buttons, batteries and instructions to replace these things. I suppose an open boot loader is a bit much, but that would be a nice option too.

      If Google wants to help device users, let's help them.

      Personally, I'd shell out quite a bit of extra dough on a phone if I knew I could count on having repair options for longer than the warranty gives me.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:Not long enough by TheFakeTimCook · · Score: 1

      Five years? You want phone VPs to start flying coach? Fuck you!!!!

      Works for the richest mobile phone OEM in the world...

    5. Re:Not long enough by aitikin · · Score: 2

      Go buy some Motorolas. That's probably the manufacturer of my next phone: https://www.engadget.com/2018/...

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    6. Re:Not long enough by Anonymous Coward · · Score: 0

      It's a step in the right direction, but not long enough. Many people use the same phone for more than two years. Buying a new phone is expensive. It's wasteful to throw out older devices that are still more than capable of meeting the needs of their users. This should be more like five years rather than two.

      I fully agree, plus they need to make vendors support user's right to repair by providing commonly used replacement parts such as screens, buttons, batteries and instructions to replace these things. I suppose an open boot loader is a bit much, but that would be a nice option too.

      If Google wants to help device users, let's help them.

      Personally, I'd shell out quite a bit of extra dough on a phone if I knew I could count on having repair options for longer than the warranty gives me.

      Cough, cough, iPhone.

      Stop supporting shitty Android manufacturers

    7. Re:Not long enough by Archfeld · · Score: 0

      Is that better than the camels' toe ?

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    8. Re: Not long enough by Anonymous Coward · · Score: 0

      I don't understand why they can't update via Google play :/

    9. Re:Not long enough by Anonymous Coward · · Score: 0

      you have no right of repair with iPhone at all, Apple works hard to ensure 3rd party repairers are fucked over.

    10. Re:Not long enough by Anonymous Coward · · Score: 0

      An open bootloader should be a legal requirement for any device sold, especially for any device that no longer receives regular timely updates.

      Society should demand open bootloaders for everything that can be updated and this should be enshrined in law.

    11. Re:Not long enough by The_Noid · · Score: 1

      Personally, I'd shell out quite a bit of extra dough on a phone if I knew I could count on having repair options for longer than the warranty gives me.

      Get a FairPhone. They sell replacement parts right on their website: https://www.fairphone.com/en/

    12. Re:Not long enough by jjbenz · · Score: 1

      I was thinking 3 years would be pretty good.

    13. Re: Not long enough by Anonymous Coward · · Score: 0

      That is precisely why I stopped buying Nexus devices after the Nexus 9. I would rather have a cheap iPhone SE for £220 and milk the 5 year support lifecycle on a cheap SIM only deal than pay extra to be a wasteful swine who gains little while creating e-waste and a large bill!

      There should be 5 years of full patch support from the vendor (not just security updates) with the option to use community driven patches after the EOL date. 10 years is a reasonable expectation of a modern phone SoC provided one performs reasonable maintenance (such as battery replacement every 4-5 years)

    14. Re:Not long enough by afidel · · Score: 1

      You have to be kidding, an SD801 and they're still trying to get it running Nougat in Q4 2018, yeah, no thanks.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    15. Re:Not long enough by The_Noid · · Score: 1

      If you always want the latest and greatest, then why are you complaining about the support not being long enough? You'll be buying a new phone every other year any way.

  3. work around... by Anonymous Coward · · Score: 0

    a work-around to this requirement is that, in my opinion, manufacturers now release firmware bugs that cause an infinite boot-loop after 1 year and they will then refuse to fix the problem -- I've seen what appears to be one live example of this

    1. Re:work around... by viperidaenz · · Score: 1

      That'll only work in countries with pathetic consumer protection laws, like USA.

    2. Re:work around... by Anonymous Coward · · Score: 0

      >Implying the US has consumer protection laws.

  4. Re:They should simply threaten to quit Google Play by Anonymous Coward · · Score: 0

    So that they don't have to provide security updates?

  5. Wiggle words by ArhcAngel · · Score: 3, Funny

    So the OEM will just say "Sorry, that phone is not popular."

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Wiggle words by PrimaryConsult · · Score: 1

      The summary specifically states that popular = 100,000 activations. So regardless of what the OEM says, that 100,001th phone triggers this clause.

    2. Re:Wiggle words by fermion · · Score: 1

      In fact any OEM that is not Samsung could, depending on how device is defined, roll out different models, for example, to different carriers to keep the sales to below 100K. It seems electric appliance manufacturers do this regularly, making slight modifications and changes in model number, I assume to minimize the effect of low price guarantees and the like.

      The cheap cell phone model depends on the ability to use whatever parts fall off the truck. This is similar to the cheap PC model from 25 years ago, except Google apparently is not as skilled as MS to supply an OS that will run on any piece of shit device. The cost of the OEM to update appears to be prohibitive. It might not be Google's fault as Android is open source and who knows what the OEM is doing to the code to drive profits.

      In any case it is not sustainable. Phones are based in the PC model where garbage software is released and then updated after the end users beta test it. If this is not possible it has to be based on the embedded device model where software is as nearly perfect as possible when shipped. However, no one does this anymore as there are very few embedded devices. Even the Nest thermostat gets regular bug fixes.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  6. Wow by 93+Escort+Wagon · · Score: 1

    Two whole years!

    --
    #DeleteChrome
    1. Re:Wow by Anonymous Coward · · Score: 0

      It's fucking hypocritical too, I bought a Galaxy Nexus and Google refused to update it after about 15 months even though it was their flagship at the time.

      The 2013 Nexus 7 barely fared much better after they murdered mine with planned obsolescence by slowing it down to the point of literal uselessness after only a couple of years.

      Google are hardly in a position to dictate support times to other manufacturers when they were the market leader in poor support duration for quite a while.

      I agree too, even then two years is a fucking joke. Even Microsoft typically manage to support security updates on their OS' for over a decade. Any phone, tablet, desktop, or laptop should receive 5 years of security updates minimum.

    2. Re:Wow by TheFakeTimCook · · Score: 1

      Two whole years!

      That's kinda how I thought, too.

      Meanwhile, iOS 12 supports phones back to the 5s, which was released almost exactly 5 years ago.

      Oh, and iOS 12 actually IMPROVES performance on that old hardware, too, as well as provides the latest security updates...

      Google should be ashamed of itself.

    3. Re:Wow by viperidaenz · · Score: 1

      The same Nexus 7 that got an upgrade to Android 6.0.1 in December 2015, over 2 years after it was released in July 2013? The one they guaranteed security updates until August 2016?

      Their policy was/is 3 years since first release or 18 months since last sale, whichever is longer.

    4. Re:Wow by viperidaenz · · Score: 1

      Meanwhile Apple just got fined $10 million for degrading the performance of old devices with software updates. Along with $5 million for Samsung.

    5. Re:Wow by TheFakeTimCook · · Score: 1

      Meanwhile Apple just got fined $10 million for degrading the performance of old devices with software updates. Along with $5 million for Samsung.

      Yeah, by the same courts that fined Seismologists for an earthquake. And convicted a second person for a murder after they had already convicted a different one.

    6. Re:Wow by viperidaenz · · Score: 1

      Italy are just the first ones to finish their case.
      There's similar cases ongoing in France and USA.

    7. Re:Wow by TheFakeTimCook · · Score: 1

      Italy are just the first ones to finish their case.
      There's similar cases ongoing in France and USA.

      Doesn't mean they'll have the same result.

  7. Half-assed by ilsaloving · · Score: 4, Insightful

    2 years for popular phones? What defines a "popular" phone?

    How about 3 years for ALL phones? You want to use android? Then provide f__king updates. Don't want to provide updates? Then GTFO.

    Oh who am I joking? The consumer is the product. They care more about looking like they're doing something useful than actually doing something useful.

    1. Re:Half-assed by PrimaryConsult · · Score: 2

      If you get a flagship phone (e.g. latest Galaxy, LG G series, Pixel, etc) there's plenty of updates for well over 2 years anyway. This is addressing the cheaper, less flashy phones that might still get a lot of sales yet never see an update.

    2. Re:Half-assed by Anonymous Coward · · Score: 0

      Got a cheap (but brand new) LG X Power via Xfinity Mobile to take advantage of their free (well, included with Internet service) plan. It's still on Marshmallow, and I never got an update. Actually I think they did release ONE security-only update eventually. My previous philosophy was never buy a phone without an unlocked/unlockable bootloader, but for a cheapie I made an exception. Not sure it was worth it even in that case. If I buy the hardware I want to actually own and control it. That's especially beneficial if Treble is going to make it easier to run new OS releases on today's hardware well into the future.

    3. Re:Half-assed by Anonymous Coward · · Score: 0

      > 2 years for popular phones? What defines a "popular" phone?

      Google defined it. It's in the summary: 100,000 activations on the Play Store. This is actually a pretty reasonable thing for Google to do, since they'll be able to tell when a bunch of devices start hitting up their store. (This is why updates from end of sales won't work since a phone can be activated at any time.)

    4. Re:Half-assed by Anonymous Coward · · Score: 0

      I assume you mean Nougat, since I can't see it with Marshmallow. Anyway, you should have gone with the Moto E5 Play. That's on Oreo.

    5. Re:Half-assed by Anonymous Coward · · Score: 1

      I'd be good with three years of security updates from the manufacturer and then open source the firmware/bootloader and let the crowd take over. Then if an older device is popular, it can stay updated by those that use it and have the coding bug. Sure, there would probably be some painful transitions here or there, but it'd be better than however many years the supplier says and then fuck you.

    6. Re:Half-assed by Anonymous Coward · · Score: 0

      If you ask me, it should be 2 years after the last device was shipped.

  8. Consistent Hardware by Anonymous Coward · · Score: 0

    If Google really wants to fix the message that is Android security, they should not mandate that manufacturers provide updates. They should mandate that manufacturers provide hardware that can be updated be it by Google or others. 99% of the hardware in Android phones and tablets can be accessed through drivers and interfaces that are standardized. There's simply no reason that anyone should have to rely upon a manufacturer to provide updates when manufacturers are, generally, the worst people to rely upon for anything but the actual release hardware.

    It's amazing just how badly Android, the open source OS, has become a complete clusterfuck. Just goes to show you how much TiVo-ization is a thing.

  9. European antitrust? by galabar · · Score: 1

    I hate to be paranoid, but couldn't even something like this be considered anti-competitive by the EU if they wanted more money out of Google?

    1. Re:European antitrust? by Anonymous Coward · · Score: 0

      Just goes to show your ignorance.

  10. Re:They should simply threaten to quit Google Play by ilsaloving · · Score: 4, Insightful

    I cannot believe a sane person would actually be against this. Is there something wrong with you? Do you like not getting security updates? Do you want your phone hijacked?

    Google Play is the one thing keeping malware from being worse than it already is. Unless there's an alternative app store that certifies that it thoroughly tests submitted apps, then I will grant them about as much trust as I would for free candy from Bill Cosby.

    IMO Google hasn't gone nearly far enough. The rule should be simple. Security updates for at least 3 years for any android device you release to the public. Period. Don't like it? You are forbidden from using the Android trademark. Very simple.

    Heaven forbid Google used their power for the public good.

  11. Re:They should simply threaten to quit Google Play by Anonymous Coward · · Score: 0

    Let me get this reasoning straight.
    The provider of the OS is saying "thou shalt provide 2 years of updates", so the OEM's should combat that with "Well, I don't wanna use your store"?

    So you're effectively saying each OEM is on their own for an OS AND app store?

  12. Meaningless by Anonymous Coward · · Score: 2, Insightful

    It should be two years starting from the date that the last phone is sold. Otherwise this is meaningless.

  13. Got that right by Anonymous Coward · · Score: 2, Insightful

    And it sounds like 2 years from LAUNCH? That's seriously weak. How about 2 years from end of sales!? That would at least be a start, unless we're really OK with becoming a society that throws multi-hundred-dollar devices in the trash EVERY FRICKING YEAR!

  14. Re:Half-assed - 5 years for Apple by anon+mouse-cow-aard · · Score: 1

    iPhone 5s, released in 2013, is still supported by iOS 12 in 2018. Even people who change phones every two years would prefer to be able to resell a functional device. A phone without updates is a brick to me.

  15. Two Years? by Blue+Stone · · Score: 2

    So, a several-hundred dollar piece of consumer technology now has a lifespan cap of two years. Ridiculous.

    Sounds like planned obsolescence to me.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  16. DEFINITELY Not long enough by Futurepower(R) · · Score: 1

    Mod parent comment up!

    The "2 years" Google is now giving is what has been already established. Everyone is expected to spend $700 to $1100 every 2 years on a new cell phone.

    There is NO REASON for Google to be abusive. A mid-level Google manager told me years ago that Google is making more money than it knows how to spend.

    Google has moved from "Do no evil" to "Let's be destructive to others if that will make money". One article: Google Removes 'Don't Be Evil' Clause From Its Code of Conduct (May 18, 2018)

    Another article: Google erases 'Don't be evil' from code of conduct after 18 years (May 21, 2018)

  17. A great start, but not nearly far enough by Anonymous Coward · · Score: 0

    As others have said, it should be from LAST day of sale for any model -- and more like 5 years, not 2.

    Hah, CAPTCHA 'update'

  18. Re:They should simply threaten to quit Google Play by TheFakeTimCook · · Score: 1

    I cannot believe a sane person would actually be against this. Is there something wrong with you? Do you like not getting security updates? Do you want your phone hijacked?

    Google Play is the one thing keeping malware from being worse than it already is. Unless there's an alternative app store that certifies that it thoroughly tests submitted apps, then I will grant them about as much trust as I would for free candy from Bill Cosby.

    IMO Google hasn't gone nearly far enough. The rule should be simple. Security updates for at least 3 years for any android device you release to the public. Period. Don't like it? You are forbidden from using the Android trademark. Very simple.

    Heaven forbid Google used their power for the public good.

    Every time I have argued this, I was told that Android is Open Source, and thus Google couldn't FORCE the OEMs to do ANYTHING.

    Guess I was right after all...

    Stupid Slashtards.

  19. what about the phone carriers? ban their ROMs by Joe_Dragon · · Score: 1

    What about the phone carriers? Ban their ROMs or force some like Samsung to give out a Knox safe base ROM file.

  20. Re:They should simply threaten to quit Google Play by Anonymous Coward · · Score: 0

    I don't get it, you don't want security updates?

  21. We'll see... by Anonymous Coward · · Score: 0

    OEMs like Lenovo are the worst. Except for a couple of flagship models Lenovo regularly release products that receive no updates, ever. Not a single update.

  22. Doesn't do much for me by Anonymous Coward · · Score: 0

    Why phones only? And as others have pointed out, what's the definition of "popular", and why just 2 years?

    This still does nothing for me or any of the 4 Android tablets I have.

    I'd be a real sucker if I purchased *yet* another Android device if it was based on a belief that this one, for real this time, will really, really get updates, pinky-swear.

    I despise the fruity company, and I've already been burned too many times by Android. What's left for me? Windows tablets?

    1. Re:Doesn't do much for me by viperidaenz · · Score: 1

      Perhaps you should have read TFS instead of just the title, where it states "phones and tablets"
      It's all devices that OEM's want to use the Play Store on.

    2. Re:Doesn't do much for me by scdeimos · · Score: 1

      I don't think you addressed the core of AC's complaint.

      The summary uses the term "popular phones and tablets." What does "popular" mean?

      Even in TFA it says:

      A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years.

      What does "popular" mean?

      To answer my own question on what's "popular," TFA goes on to say:

      The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users.

      How many individual models of Android phones and tablets actually reach sales and activations of 100,000 units? I expect to the majority of phone and tablet buyers this will continue to mean absolutely nothing: same old neglect and no updates.

    3. Re:Doesn't do much for me by viperidaenz · · Score: 1

      In terms of global sales, 100,000 isn't that much.
      Let's pretend someone wants to sell a $500 phone and not provide support.
      That's $50M in revenue to cover all the tooling, manufacturing, design, components, marketing, shipping, retail margin, taxes, etc.
      The manufacturing and components alone are going to cost $100, that's $10M gone already.
      The non-recurring costs for tooling so you can start manufacture will be in the millions.
      You need to pay people to develop the original software build.
      It'll cost you up to $100,000 for PTCRB and FCC certification just so you can import it to USA. You'll probably want to do compliance testing with other authorities, like CE
      It's just not worth it to plan for such low volumes.

    4. Re:Doesn't do much for me by Anonymous Coward · · Score: 0

      It's just not worth it to plan for such low volumes.

      I don't think Lenovo would agree with you. The Lenovo ThinkCentre M910x had a production run of only 5,000 (five thousand) units. For some things small production runs can still be worth it. Also, to avoid the patch requirements coming out of producing 100,000 units of something you'll see OEMs using tricks such as assigning different product codes to different colors. This is something Samsung, Apple and many others have been doing for years justifying it with comments like "different colored cases are made from different materials, produced by different suppliers."

  23. Some cars cost less than these phones! 2yrs!???? by Anonymous Coward · · Score: 0

    I bought a crap car in college for less than my last phone. Drove it for 7 yrs. Seems that something costing $400+ should be expected to have updates for at least 5 yrs.

    My current phone has 5 sub-models. So, while they are "popular" when grouped together, they are not when taken as each model alone.

    5 yrs seems to be the minimal acceptable amount for a $400-$1800 device.

  24. Re:Some cars cost less than these phones! 2yrs!??? by viperidaenz · · Score: 1

    Your crap second hand car had zero free vendor support.
    Although, I just had the airbags replaced for free in my 2005 car. That's a safety thing though.
    It's never had a software update, ever.
    Cars don't get recalled when the keyless entry systems get hacked, even when it's still under warranty they generally don't fix it.

  25. That wasn't so hard... by found404 · · Score: 2

    All this nonsense about fragmentation, etc... Google could have done this at any time. They have finally taken responsibility for the wares they create. Quite happy to hear this. Two years is better than nothing. Would have been happier with three years. By the time people purchase these phones, a good 9 months could have passed. Means that end-users might only be receiving actual OTA updates for about a year.

  26. Re:They should simply threaten to quit Google Play by JThundley · · Score: 1

    inb4 F-droid.

  27. Just bring it all in-house. by SvnLyrBrto · · Score: 1

    If Google really wants Android to stop sucking, it's simpler than trying to herd that particular batch of feral cats. They need to learn the lesson Apple learned when they made the mistake of partnering with Motorola on the ROKR... the same lesson Google themselves should have taken to heart years ago... and kick all these crap composite like Samsung, HTC, Xiaomi, and the aforementioned Motorola, revoke all their licenses, bring the hardware in-house along with the software, and do it all themselves. They also need to revoke the carriers' ability to pollute Android with their bloatware, adware, UI skins, and other trash.

    Google is a much more competent company than any of their cellular partners. And vanilla Android, as developed by Google and untainted by any handset manufacturer to cellular carrier, is not a bad OS. The problem with Android is just that they're letting half-competent... and actively maleficent in some cases... randos screw up their shit.

    --
    Imagine all the people...
  28. Re:They should simply threaten to quit Google Play by afgam28 · · Score: 1

    IMO Google hasn't gone nearly far enough. The rule should be simple. Security updates for at least 3 years for any android device you release to the public. Period. Don't like it? You are forbidden from using the Android trademark. Very simple.

    Agreed, which is why I stick to phones from the Android One program, which has this exact requirement.

  29. stop this nonsense! by sad_ · · Score: 1

    Stop this nonsense and just make Android One the only valid certified Android.
    Updates come directly from google, how it should be.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  30. Re:They should simply threaten to quit Google Play by thegarbz · · Score: 1

    Empty threats are fun. Or did you miss the anti-trust ruling against Google recently which identified that the App Store itself formed a significant amount of market power for Google in the Android eco-system?

  31. Re:They should simply threaten to quit Google Play by Anonymous Coward · · Score: 0

    I just run Lineage.

  32. Re:They should simply threaten to quit Google Play by Mr.+Droopy+Drawers · · Score: 1

    Thanks for the tip! Looks like only one phone on the Android One program is targeted for the US market (Nokia 7.1 available at the end of this month).

    --

    To Copy from One is Plagiarism; To Copy from Many is Research.

  33. Google should give a good example with the Nexus 6 by Anonymous Coward · · Score: 1

    The Nexus 6 (Motorola XT1103 Shamu) has better performance and features compared to many current phones but the last security update was October 2017 (7.1.1). It is just obsolete because of the lack of updates.