Google mandates two years of security updates for popular Android phones

The Verge breaks news that Google added a provision into its agreement with Android partners to update phones on a regular basis. According to a contract seen by the site, the contract mandates that Android partners need to provide "at least four security updates" within one year of the phone's launch, and at least one update in the second year. The terms went into effect on any device launched after January 31, 2018, but it only covers products with over 100,000 device activations.

The terms stipulate a popular device can't go more than 90 days out of date on security:

The terms cover any device launched after January 31st, 2018 that’s been activated by more than 100,000 users. Starting July 31st, the patching requirements were applied to 75 percent of a manufacturer’s “security mandatory models.” Starting on January 31st, 2019, Google will require that all security mandatory devices receive these updates.

Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.

Definitely an improvement versus the old Wild Wild West days, but still far from ideal.