Monthly Patches Are Recommended Best Practice for Android, Google Says

The timely delivery of security updates for Android smartphones is a highly important defense-in-depth strategy, Google says.

Each month for the past three years, the search company has been releasing security patches for the Android platform and has been also urging device manufacturers to push the updates to their users in a timely manner.

In October last year, Kaspersky revealed that the security fixes were still slow to arrive on many devices. Things aren’t looking much better this year either, as Security Research Labs revealed in April: manufacturers often omit patches when releasing security updates.

Now, three years after the critical Stagefright flaw prompted Google to take a more active stance on addressing vulnerabilities in Android, the Internet giant says that monthly security updates are the recommended best practice for Android smartphones.

Google is providing manufacturers with monthly Android source code patches so they can include those in firmware updates, and also allows them to leverage the Google firmware over-the-air (FOTA) servers for free.

Moreover, the search company pushes its own set of updates over-the-air to Pixel devices and also requires that these monthly patches be released for all devices in the Android One program.

According to Google, Android manufacturers should at least deliver regular “security updates in advance of coordinated disclosure of high severity vulnerabilities,” which are usually published in Android bulletins.

“Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement,” Google notes.

This is also one of the requirements for Android devices to be listed in the Android Enterprise Recommended program: devices should receive security patches at least every 90 days, with monthly updates strongly recommended.

To make the update process easier for device makers, Google has improved Android’s modularity, so that subsystems can be updated individually, without impacting others.

“The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components,” Google explains.

The company also developed security update testing systems that are meant to ensure patches aren’t omitted when security updates are released.

A new testing infrastructure allows manufacturers “to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing,” Google says. The Android build approval process now also scans device images for specific patterns to reduce the risk of omission.

Last year, security updates arrived on around a billion Android devices, a 30% growth over the preceding year, and Google expects the growth to continue. Thus, the company aims to decrease the incidence of potentially harmful exploitation of bugs.

“We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements,” Google reveals.

Related: Google Fixes Critical Android Vulnerabilities

Related: Android Vendors Regularly Omit Patches in Security Updates