Google now requires two years of regular security patches for popular Android devices
Moving forward, Android manufacturers will need to provide a minimum of four updates during the first year of release, which equates to at least one patch every three months, and an unspecified number during the second year of release. Moreover, by the end of each calendar month, any vulnerability discovered over 90 days ago must be patched. This same rule is valid with newly-released devices, regardless of when they were announced.
This latest agreement centers around smartphones launched after January 31st, 2018. However, not all are subject to the contract. Instead, Google is focusing on popular devices and will only require manufacturers to regularly update smartphones that have been activated by 100,000 users or more. As of July 31, 2018, these patch requirements were applied to 75% of “security mandatory models” but starting January 31, 2019, the rules will cover every one.
On a related note, if manufacturers fail to comply with this latest set of rules, Google reserves the right to stop approving future phones which means the companies in question may no longer be able to release Android-powered smartphones.
These specifics can be found inside Google’s updated licensing agreement for the European Union and, while it’s likely that some small details may be changed, very similar terms are expected in other regions of the world.