Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Monthly Patches Are Recommended Best Practice for Android, Google Says

The timely delivery of security updates for Android smartphones is a highly important defense-in-depth strategy, Google says.

The timely delivery of security updates for Android smartphones is a highly important defense-in-depth strategy, Google says.

Each month for the past three years, the search company has been releasing security patches for the Android platform and has been also urging device manufacturers to push the updates to their users in a timely manner.

In October last year, Kaspersky revealed that the security fixes were still slow to arrive on many devices. Things aren’t looking much better this year either, as Security Research Labs revealed in April: manufacturers often omit patches when releasing security updates.

Now, three years after the critical Stagefright flaw prompted Google to take a more active stance on addressing vulnerabilities in Android, the Internet giant says that monthly security updates are the recommended best practice for Android smartphones.

Google is providing manufacturers with monthly Android source code patches so they can include those in firmware updates, and also allows them to leverage the Google firmware over-the-air (FOTA) servers for free.

Moreover, the search company pushes its own set of updates over-the-air to Pixel devices and also requires that these monthly patches be released for all devices in the Android One program.

According to Google, Android manufacturers should at least deliver regular “security updates in advance of coordinated disclosure of high severity vulnerabilities,” which are usually published in Android bulletins.

“Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement,” Google notes.

Advertisement. Scroll to continue reading.

This is also one of the requirements for Android devices to be listed in the Android Enterprise Recommended program: devices should receive security patches at least every 90 days, with monthly updates strongly recommended.

To make the update process easier for device makers, Google has improved Android’s modularity, so that subsystems can be updated individually, without impacting others.

“The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components,” Google explains.

The company also developed security update testing systems that are meant to ensure patches aren’t omitted when security updates are released.

A new testing infrastructure allows manufacturers “to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing,” Google says. The Android build approval process now also scans device images for specific patterns to reduce the risk of omission.

Last year, security updates arrived on around a billion Android devices, a 30% growth over the preceding year, and Google expects the growth to continue. Thus, the company aims to decrease the incidence of potentially harmful exploitation of bugs.

“We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements,” Google reveals.

Related: Google Fixes Critical Android Vulnerabilities

Related: Android Vendors Regularly Omit Patches in Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.