Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Now Requires Partner OEMs To Offer Two Years of Security Updates To Popular Phones (theverge.com)

Posted by msmash on from the marching-forward dept.

Confidential contracts obtained by news outlet The Verge show many Android smartphone vendors now have explicit obligations to keep their phones updated. From the report: A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google's contract with Android partners stipulates that they must provide "at least four security updates" within one year of the phone's launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.

David Kleidermacher, Google's head of Android security, referred to these terms earlier this year during a talk at Google I/O. Kleidermacher said that Google had added a provision into its agreements with partners to roll out "regular" security updates. But it wasn't clear which devices those would apply to, how often those updates would come, or for how long. The terms cover any device launched after January 31st, 2018 that's been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer's "security mandatory models." Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

46 of 74 comments (clear)

  1. Not long enough by Anonymous Coward · · Score: 4, Insightful

    It's a step in the right direction, but not long enough. Many people use the same phone for more than two years. Buying a new phone is expensive. It's wasteful to throw out older devices that are still more than capable of meeting the needs of their users. This should be more like five years rather than two.

    1. Re:Not long enough by LostOne · · Score: 1

      True, that. But maybe, just maybe, this can be the camel's nose.

      --

      If it works in theory, try something else in practice.
    2. Re:Not long enough by bobbied · · Score: 4, Interesting

      It's a step in the right direction, but not long enough. Many people use the same phone for more than two years. Buying a new phone is expensive. It's wasteful to throw out older devices that are still more than capable of meeting the needs of their users. This should be more like five years rather than two.

      I fully agree, plus they need to make vendors support user's right to repair by providing commonly used replacement parts such as screens, buttons, batteries and instructions to replace these things. I suppose an open boot loader is a bit much, but that would be a nice option too.

      If Google wants to help device users, let's help them.

      Personally, I'd shell out quite a bit of extra dough on a phone if I knew I could count of having repair options for longer than the warranty gives me.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Not long enough by TheFakeTimCook · · Score: 1

      Five years? You want phone VPs to start flying coach? Fuck you!!!!

      Works for the richest mobile phone OEM in the world...

    4. Re:Not long enough by aitikin · · Score: 2

      Go buy some Motorolas. That's probably the manufacturer of my next phone: https://www.engadget.com/2018/...

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
    5. Re:Not long enough by The_Noid · · Score: 1

      Personally, I'd shell out quite a bit of extra dough on a phone if I knew I could count of having repair options for longer than the warranty gives me.

      Get a FairPhone. They sell replacement parts right on their website: https://www.fairphone.com/en/

    6. Re:Not long enough by jjbenz · · Score: 1

      I was thinking 3 years would be pretty good.

    7. Re:Not long enough by afidel · · Score: 1

      You have to be kidding, an SD801 and they're still trying to get it running Nougat in Q4 2018, yeah, no thanks.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    8. Re:Not long enough by The_Noid · · Score: 1

      If you always want the latest and greatest, then why are you complaining about the support not being long enough? You'll be buying a new phone every other year any way.

  2. Re:Why Start Now? by jfdavis668 · · Score: 2

    Does Android use the "fail to boot up" or the "crash before it can be hacked" security model?

  3. Wiggle words by ArhcAngel · · Score: 3, Funny

    So the OEM will just say "Sorry, that phone is not popular."

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:Wiggle words by PrimaryConsult · · Score: 1

      The summary specifically states that popular = 100,000 activations. So regardless of what the OEM says, that 100,001th phone triggers this clause.

    2. Re:Wiggle words by fermion · · Score: 1
      In fact any OEM that is not Samsung could, deepening on how device is defined, roll out different models, for example, to different carriers to keep the sales to below 100K. It seems electric appliance manafucterers do this regularly, making slight modifications and changes in model number, I assume to minimize the effect of low price guarantees and the like.

      The cheap cell phone model depends on the ability to use whatever parts fall off the truck. This is similar to the cheap PC model from 25 years ago, except Google apparently is not as skilled as MS to supply an OS that will run on any piece of shit device. The cost of the OEM toupdate appears to be prohibitive. It might not be Googles fault as Android is open source and who knows what the OEM is doing to the. code to drive profits

      In any case it is not sustainable. Phones are based in the PC model where garbages software is realeased and then updated after the end users beta test it. If this is not possible it has to be based on the embedded device model where software is as nearly perfect as possible when shipped. However, no one does this anymore as there are very few emdebbed divices. Even the nest thermostat get regular bug fixes

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  4. Wow by 93+Escort+Wagon · · Score: 1

    Two whole years!

    --
    #DeleteChrome
    1. Re:Wow by TheFakeTimCook · · Score: 1

      Two whole years!

      That's kinda how I thought, too.

      Meanwhile, iOS 12 supports phones back to the 5s, which was released almost exactly 5 years ago.

      Oh, and iOS 12 actually IMPROVES performance on that old hardware, too, as well as provides the latest security updates...

      Google should be ashamed of itself.

    2. Re:Wow by viperidaenz · · Score: 1

      The same Nexus 7 that got an upgrade to Android 6.0.1 in December 2015, over 2 years after it was release in July 2013? The one they guaranteed security updates until August 2016?

      Their policy was/is 3 years since first release or 18 months since last sale, whichever is longer.

    3. Re:Wow by viperidaenz · · Score: 1

      Meanwhile Apple just got fined $10 million for degrading the performance of old devices with software updates. Along with $5 million for Samsung.

    4. Re:Wow by TheFakeTimCook · · Score: 1

      Meanwhile Apple just got fined $10 million for degrading the performance of old devices with software updates. Along with $5 million for Samsung.

      Yeah, by the same courts that fined Seismologists for an earthquake. And convicted a second person for a murder after they had already convicted a different one.

    5. Re:Wow by viperidaenz · · Score: 1

      Italy are just the first ones to finish their case.
      There's similar cases ongoing in France and USA.

    6. Re:Wow by TheFakeTimCook · · Score: 1

      Italy are just the first ones to finish their case.
      There's similar cases ongoing in France and USA.

      Doesn't mean they'll have the same result.

  5. Half-assed by ilsaloving · · Score: 4, Insightful

    2 years for popular phones? What defines a "popular" phone?

    How about 3 years for ALL phones? You want to use android? Then provide f__king updates. Don't want to provide updates? Then GTFO.

    Oh who am I joking? The consumer is the product. They care more about looking like they're doing something useful than actually doing something useful.

    1. Re:Half-assed by PrimaryConsult · · Score: 2

      If you get a flagship phone (e.g. latest Galaxy, LG G series, Pixel, etc) there's plenty of updates for well over 2 years anyway. This is addressing the cheaper, less flashy phones that might still get a lot of sales yet never see an update.

    2. Re:Half-assed by Anonymous Coward · · Score: 1

      I'd be good with three years of security updates from the manufacturer and then open source the firmware/bootloader and let the crowd take over. Then if an older device is popular, it can stay updated by those that use it and have the coding bug. Sure, there would probably be some painful transitions here or there, but it'd be better than however many years the supplier says and then fuck you.

  6. European antitrust? by galabar · · Score: 1

    I hate to be paranoid, but couldn't even something like this be considered anti-competitive by the EU if they wanted more money out of Google?

  7. Re:They should simply threaten to quit Google Play by ilsaloving · · Score: 4, Insightful

    I cannot believe a sane person would actually be against this. Is there something wrong with you? Do you like not getting security updates? Do you want your phone hijacked?

    Google Play is the one thing keeping malware from being worse than it already is. Unless there's an alternative app store that certifies that it thoroughly tests submitted apps, then I will grant them about as much trust as I would for free candy from Bill Cosby.

    IMO Google hasn't gone nearly far enough. The rule should be simple. Security updates for at least 3 years for any android device you release to the public. Period. Don't like it? You are forbidden from using the Android trademark. Very simple.

    Heaven forbid Google used their power for the public good.

  8. Meaningless by Anonymous Coward · · Score: 2, Insightful

    It should be two years starting from the date that the last phone is sold. Otherwise this is meaningless.

  9. Got that right by Anonymous Coward · · Score: 2, Insightful

    And it sounds like 2 years from LAUNCH? That's seriously weak. How about 2 years from end of sales!? That would at least be a start, unless we're really OK with becoming a society that throws multi-hundred-dollar devices i the trash EVERY FRICKING YEAR!

  10. Re:Half-assed - 5 years for Apple by anon+mouse-cow-aard · · Score: 1

    iphone 5s, released in 2013, is still supported by IOS 12 in 2018. Even people who change phones every two years would prefer to be able to resell a functional device. A phone without updates is a brick to me.

  11. Two Years? by Blue+Stone · · Score: 2

    So, a several-hundred dollar piece of consumer technology now has a lifespan cap of two years. Ridiculous.

    Sounds like planned obsolescence to me.

    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  12. DEFINITELY Not long enough by Futurepower(R) · · Score: 1

    Mod parent comment up!

    The "2 years" Google is now giving is what has been already established. Everyone is expected to spend $700 to $1100 every 2 years on a new cell phone.

    There is NO REASON for Google to be abusive. A mid-level Google manager told me years ago that Google is making more money than it knows how to spend.

    Google has moved from "Do no evil" to "Let's be destructive to others if that will make money". One article: Google Removes 'Don't Be Evil' Clause From Its Code of Conduct (May 18, 2018)

    Another article: Google erases 'Don't be evil' from code of conduct after 18 years (May 21, 2018)

  13. Re:They should simply threaten to quit Google Play by TheFakeTimCook · · Score: 1

    I cannot believe a sane person would actually be against this. Is there something wrong with you? Do you like not getting security updates? Do you want your phone hijacked?

    Google Play is the one thing keeping malware from being worse than it already is. Unless there's an alternative app store that certifies that it thoroughly tests submitted apps, then I will grant them about as much trust as I would for free candy from Bill Cosby.

    IMO Google hasn't gone nearly far enough. The rule should be simple. Security updates for at least 3 years for any android device you release to the public. Period. Don't like it? You are forbidden from using the Android trademark. Very simple.

    Heaven forbid Google used their power for the public good.

    Every time I have argued this, I was told that Android is Open Source, and thus Google couldn't FORCE the OEMs to do ANYTHING.

    Guess I was right after all...

    Stupid Slashtards.

  14. what about the phone carriers? ban there rom's by Joe_Dragon · · Score: 1

    what about the phone carriers? ban there rom's or force some like samsung to give out an knox safe base rom file.

  15. Re:Why Start Now? by viperidaenz · · Score: 1

    Those issues were resolved through study of the Ballmer Peak

    https://xkcd.com/323/

  16. Re:work around... by viperidaenz · · Score: 1

    That'll only work in countries with pathetic consumer protection laws, like USA.

  17. Re:Doesn't do much for me by viperidaenz · · Score: 1

    Perhaps you should have read TFS instead of just the title, where it states "phones and tablets"
    It's all devices that OEM's want to use the Play Store on.

  18. Re:Some cars cost less than these phones! 2yrs!??? by viperidaenz · · Score: 1

    Your crap second hand car had zero free vendor support.
    Although, I just had the airbags replaced for free in my 2005 car. That's a safety thing though.
    It's never had a software update, ever.
    Cars don't get recalled when the keyless entry systems get hacked, even when it's still under warranty they generally don't fix it.

  19. That wasn't so hard... by found404 · · Score: 2

    All this nonsense about fragmentation, etc... Google could have done this at anytime. They have finally taken responsibility for the wares they create. Quite happy to hear this. Two years is better than nothing. Would have been happier with three years. By the time people purchase these phones, a good 9 months could have passed. Means that end-users might only be receiving actual OTA updates for about a year.

  20. Re:Doesn't do much for me by scdeimos · · Score: 1

    I don't think you addressed the core of AC's complaint.

    The summary uses the term "popular phones and tablets." What does "popular" mean?

    Even in TFA it says:

    A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years.

    What does "popular" mean?

    To answer my own question on what's "popular," TFA goes on to say:

    The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users.

    How many individual models of Android phones and tablets actually reach sales and activations of 100,000 units? I expect to the majority of phone and tablet buyers this will continue mean absolutely nothing: same old neglect and no updates.

  21. Re:They should simply threaten to quit Google Play by JThundley · · Score: 1

    inb4 F-droid.

  22. Re:Doesn't do much for me by viperidaenz · · Score: 1

    In terms of global sales, 100,000 isn't that much.
    Let's pretend someone wants to sell a $500 phone and not provide support.
    That's $50M in revenue to cover all the tooling, manufacturing, design, components, marketing, shipping, retail margin, taxes, etc.
    The manufacturing and components alone are going to cost $100, that's $10M gone already.
    The non-recurring costs for tooling so you can start manufacture will be in the millions.
    You need to pay people to develop the original software build.
    It'll cost you up to $100,000 for PTCRB and FCC certification just so you can import it to USA. You'll probably want to do compliance testing with other authorities, like CE
    It's just not worth it to plan for such low volumes.

  23. Just bring it all in-house. by SvnLyrBrto · · Score: 1

    If Google really wants Android to stop sucking, it's simpler than trying herd that particular batch of feral cats. They need to learn the lesson Apple learned when they made the mistake of partnering with Motorola on the ROKR... the same lesson Google themselves should have taken to heart years ago... and kick all these crap composite like Samsung, HTC, Xiaomi, and the aforementioned Motorola, revoke all their licenses, bring the hardware in-house along with the software, and do it all themselves. They also need to revoke the carriers' ability to pollute Android with their bloatware, adware, UI skins, and other trash.

    Google is a much more competent company than any of their cellular partners. And vanilla Android, as developed by Google and untainted by any handset manufacturer to cellular carrier, is not a bad OS. The problem with Android is just that they're letting half-competent... and actively maleficent in some cases... randos screw up their shit.

    --
    Imagine all the people...
  24. Re:They should simply threaten to quit Google Play by afgam28 · · Score: 1

    IMO Google hasn't gone nearly far enough. The rule should be simple. Security updates for at least 3 years for any android device you release to the public. Period. Don't like it? You are forbidden from using the Android trademark. Very simple.

    Agreed, which is why I stick to phones from the Android One program, which has this exact requirement.

  25. stop this nonsense! by sad_ · · Score: 1

    Stop this nonsense and just make Android One the only valid certified Android.
    Updates come directly from google, how it should be.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  26. Re:They should simply threaten to quit Google Play by thegarbz · · Score: 1

    Empty threats are fun. Or did you miss the anti-trust rulling against Google recently which identified that the App Store itself formed a significant amount of market power for Google in the Android eco-system?

  27. Re:They should simply threaten to quit Google Play by Mr.+Droopy+Drawers · · Score: 1

    Thanks for the tip! Looks like only one phone on the Android One program is targeted for the US marked (Nokia 7.1 available at the end of this month).

    --

    To Copy from One is Plagiarism; To Copy from Many is Research.

  28. Google should give a good example with the Nexus 6 by Anonymous Coward · · Score: 1

    The Nexus 6 (Motorola XT1103 Shamu) has better performance and features compared to many current phones but the last security update was October 2017 (7.1.1). It is just obsolete because of the lack of updates.