Posted past times Dave Kleidermacher, VP, Head of Security - Android, Chrome OS, Play
At Google I/O 2018, inwards our What's New inwards Android Security session, nosotros shared a brief update on the Android safety updates program. With the official liberate of Android ix Pie, nosotros wanted to portion a to a greater extent than comprehensive update on the nation of safety updates, including best exercise guidance for manufacturers, how we're making Android easier to update, in addition to how we're ensuring compliance to Android safety update releases.
Commercial Best Practices about Android Security Updates
As nosotros noted inwards our 2017 Android Security Year-in-Review, Android's anti-exploitation forcefulness straightaway leads the mobile manufacture in addition to has made it exceedingly hard in addition to expensive to leverage operating organization bugs into compromises. Nevertheless, an of import defense-in-depth strategy is to ensure critical safety updates are delivered inwards a timely manner. Monthly safety updates are the recommended best exercise for Android smartphones. We deliver monthly Android beginning code patches to smartphone manufacturers thence they may contain those patches into firmware updates. We too deliver firmware updates over-the-air to Pixel devices on a reliable monthly cadence in addition to offering the complimentary purpose of Google's firmware over-the-air (FOTA) servers to manufacturers. Monthly safety updates are too required for devices covered nether the Android One program.
While monthly safety updates are best, at minimum, Android manufacturers should deliver regular safety updates inwards advance of coordinated disclosure of high severity vulnerabilities, published inwards our Android bulletins. Since the mutual vulnerability disclosure window is 90 days, updates on a 90-day frequency represents a minimum safety hygiene requirement.
Enterprise Best Practices
Product safety factors into buy decisions of enterprises, who frequently catch device safety update cadence, flexibility of policy controls, in addition to authentication features. Earlier this year, nosotros introduced the Android Enterprise Recommended plan to aid businesses brand these decisions. To hold upwardly listed, Android devices must satisfy numerous requirements, including regular safety updates: at to the lowest degree every xc days, alongside monthly updates strongly recommended. In improver to businesses, consumers interested inwards agreement safety update practices in addition to commitment may too refer to the Enterprise Recommended list.
Making Android Easier to Update
We've too been working to brand Android easier to update, overall. H5N1 telephone commutation pillar of that strategy is to amend modularity in addition to clarity of interfaces, enabling operating organization subsystems to hold upwardly updated without adversely impacting others. In 2017, most a billion Android devices received safety updates, representing unopen to 30% growth over the preceding year. We proceed to locomote hard devising thoughtful strategies to brand Android easier to update past times introducing improved processes in addition to programs for the ecosystem. In addition, nosotros are too working to movement increased in addition to to a greater extent than expedient partner adoption of our safety update in addition to compliance requirements. As a result, over coming quarters, nosotros facial expression the largest e'er growth inwards the issue of Android devices receiving regular safety updates.
Bugs are inevitable inwards all complex software systems, simply exploitability of those bugs is not. We're working hard to ensure that the incidence of potentially harmful exploitation of bugs continues to decline, such that the frequency for safety updates volition reduce, non increase, over time. While monthly safety updates represents today's best practice, nosotros run across a hereafter inwards which safety updates becomes easier in addition to rarer, spell maintaining the same destination to protect all users across all devices.
