At Google I/O back in May, the company pledged to work with manufacturers of Android phones to ensure more regular security patches. It's now come to light that Google is mandating at least two years of security updates on Android phones, and enforcing this by writing it directly into OEM contracts.
This was discovered by The Verge, who obtained one of those contracts. In it, Google requires makers of Android phones and tablets to release at least four security updates in the first year the device is on sale, as well as an unspecified number of patches in year two. This agreement comes into effect on January 31st 2019, and applies to all phones released since the end of January this year (Edit: one important caveat: more than 100,000 user activations must have been made for each model).
While this will certainly mean an improvement for owners of some devices, the terms could have been even stronger. Google releases security updates every month, so updating four times a year would still leave some users vulnerable for up to 90 days, which is the time-limit Google is setting for patching exploits. It is a step in the right direction, at least.
- The Verge