Monthly Patches Are Recommended Best Practice for Android, Google Says

The timely delivery of security updates for Android smartphones is a highly important defense-in-depth strategy, Google says.

Each month for the past three years, the search company has been releasing security patches for the Android platform and has also been urging device manufacturers to push the updates to their users in a timely manner.

In October last year, Kaspersky revealed that the security fixes were still slow to arrive on many devices. Things aren’t looking much better this year either, as Security Research Labs revealed in April: manufacturers often omit patches when releasing security updates.

Now, three years after the critical Stagefright flaw prompted Google to take a more active stance on addressing vulnerabilities in Android, the Internet giant says that monthly security updates are the recommended best practice for Android smartphones.

Google is providing manufacturers with monthly Android source code patches so they can include those in firmware updates, and also allows them to leverage the Google firmware over-the-air (FOTA) servers for free.

Moreover, the search company pushes its own set of updates over-the-air to Pixel devices and also requires that these monthly patches be released for all devices in the Android One program.

According to Google, Android manufacturers should at least deliver regular “security updates in advance of coordinated disclosure of high severity vulnerabilities,” which are usually published in Android bulletins.

“Since the common vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum security hygiene requirement,” Google notes.

This is also one of the requirements for Android devices to be listed in the Android Enterprise Recommended program: devices should receive security patches at least every 90 days, with monthly updates strongly recommended.
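The 90-day minimum and the monthly recommendation translate directly into a fleet check. The following is an added example, not code from the article or from Google: it parses the `ro.build.version.security_patch` property as printed by `adb shell getprop` (the device output, serials and audit date below are constructed) and classifies each device against both thresholds.

```python
from datetime import date

MONTHLY_DAYS = 31   # monthly updates: strongly recommended
MINIMUM_DAYS = 90   # 90-day cadence: the stated minimum security hygiene

# Constructed getprop excerpts for three hypothetical devices; the third one
# lacks the patch-level property, which the check must treat as unknown.
SAMPLE_DEVICES = {
    "serial-A": "[ro.build.version.release]: [8.1.0]\n"
                "[ro.build.version.security_patch]: [2018-06-05]\n",
    "serial-B": "[ro.build.version.release]: [8.0.0]\n"
                "[ro.build.version.security_patch]: [2018-04-05]\n",
    "serial-C": "[ro.build.version.release]: [7.1.2]\n"
                "[ro.build.version.security_patch]: [2018-01-05]\n",
    "serial-D": "[ro.build.version.release]: [5.1.1]\n",
}
AUDIT_DATE = date(2018, 6, 15)  # assumed "today" so results are reproducible

def parse_getprop(output):
    """Turn '[key]: [value]' lines from getprop into a dict."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]: [" not in line:
            continue
        key, _, value = line.partition("]: [")
        props[key[1:]] = value.rstrip("]")
    return props

def patch_age_days(security_patch, today):
    """Days between the reported patch level (YYYY-MM-DD) and the audit date."""
    y, m, d = (int(part) for part in security_patch.split("-"))
    return (today - date(y, m, d)).days

def classify(age_days):
    """Map patch age onto the two cadences the text describes."""
    if age_days <= MONTHLY_DAYS:
        return "monthly"
    if age_days <= MINIMUM_DAYS:
        return "within-90-day-minimum"
    return "non-compliant"

def audit(devices, today):
    """Return {serial: (status, age_days)}; age is None when the level is missing."""
    results = {}
    for serial, output in devices.items():
        patch = parse_getprop(output).get("ro.build.version.security_patch")
        if not patch:
            results[serial] = ("unknown", None)
            continue
        age = patch_age_days(patch, today)
        results[serial] = (classify(age), age)
    return results
```

Running `audit(SAMPLE_DEVICES, AUDIT_DATE)` flags serial-C as past the 90-day minimum and serial-D as unknown, the latter being the case to escalate rather than silently pass.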

To make the update process easier for device makers, Google has improved Android’s modularity, so that subsystems can be updated individually, without impacting others.

“The modularity strategy applies equally well for security updates, as a framework security update can be performed independently of device specific components,” Google explains.

The company also developed security update testing systems that are meant to ensure patches aren’t omitted when security updates are released.

A new testing infrastructure allows manufacturers “to develop and deploy automated tests across lower levels of the firmware stack that were previously relegated to manual testing,” Google says. The Android build approval process now also scans device images for specific patterns to reduce the risk of omission.

Last year, security updates arrived on around a billion Android devices, a 30% growth over the preceding year, and Google expects the growth to continue. Through this, the company aims to reduce the incidence of potentially harmful exploitation of bugs.

“We continue to work hard devising thoughtful strategies to make Android easier to update by introducing improved processes and programs for the ecosystem. In addition, we are also working to drive increased and more expedient partner adoption of our security update and compliance requirements,” Google reveals.

Ionut Arghire is an international correspondent for SecurityWeek.