Android has since long had a reputation for not taking security seriously. Google, however, has tried to change that through efforts like introducing Google Play Protect last year, pushing its enterprise device game up a notch, using machine learning to weed out malicious apps, and promising security updates for Android P. The tech giant could now be changing the way monthly security patches are sent out to users to increase the efficiency of these updates.
Google powers more than 60,000 device models and despite sending monthly patches for the Android framework, getting OEMs to push out regular updates for each device can be challenging. This is because all device manufacturers are required to patch the complete list of vulnerabilities sketched out by Google in that month’s security bulletin. Another reason for the delay – no, it’s not laziness of the OEMs – is that frequent updates need support from chipset manufacturers like Broadcom and Qualcomm as well, and providing a different patch for each device might get somewhat overwhelming for these vendors.
To solve this problem, Google might be separating Android framework patch level and vendor patch level. This change was discovered by XDA Developers through a new commit in the Gerrit repository of Android Open Source Project (AOSP). This step is likely to allow OEMs to roll out the latest OS-side security updates even if the chipset vendor has not provided the latest update.
This technique is currently used by the developers of AOSP-based custom ROMs which usually update the Android framework patches without updating the ROM on the basis of vendor-side, kernel, or bootloader patches. It is currently unclear how Google intends to show the two different levels of security patches – whether the older of the two patches will be shown or use some other way to display the levels of both patches.
Nevertheless, the distinguishing Android framework-side and vendor-side patches will allow OEMs to counter vulnerabilities much faster than normal. It will be a key development as experts around the world expect attacks on smartphones to rise this year.