Devices with over 100,000 users are reportedly obligated to receive 4 security updates in one year
Google was spotted to have mandated two years of Android security updates for all popular smartphones and tablets. The new development is reportedly a part of the contract that device manufacturers need to sign to use the Android operating system on their hardware. It comes months after Android Security Head David Kleidermacher at developer-focused Google I/O 2018 revealed the modification of OEM agreements to include revisions related to regular security patches. Interestingly, the search giant already offered its Project Treble to help manufacturers easily push new software updates to their Android devices.
According to the terms of the new contract, as obtained by The Verge, any Android device launched after January 31, 2018 that has over 100,000 users is required to receive security updates for at least two years and at least four security updates within one year of its launch. It is reported that as of July 31, the new security update requirements were applied to 75 percent of a manufacturer's "security mandatory models", though this will be expanded to all security mandatory models starting January 31, 2019.
It is worth pointing out that the manufacturers won't be obligated to provide each security update to their devices. However, Google has reportedly added the condition of "at least four updates" within the first year after the launch of the device to ensure that all the major vulnerabilities will be fixed. The company didn't specify the number of updates required in the second year, though. Having said that, the Android device makers are also required to protect the security mandatory models against all vulnerabilities identified over 90 days ago - irrespective of how many updates they've already pushed, as per the reported contract.
If a manufacturer fails to follow the terms specified in the reported contract, it is said that Google could withhold approval of future devices from the same manufacturer. This would encourage all the major device makers to honour the terms.
The reported terms initially appear in Google's EU licensing agreement that is designed for Android phones and tablets using Google apps and services in the European Union. However, Google could roll them out in the global markets to limit security issues on Android devices.
A Google spokesperson didn't explicitly confirm whether the reported contract will be valid for devices available in the global markets though in a statement to The Verge said 90-day patches were a "minimum security hygiene requirement" and stated that "the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days."
During I/O 2018 in May, Android Security's Klidermacher reportedly hinted at the development by revealing a modification in Google's OEM agreements to include the requirement of regular security patches. "We've also worked on building security patching into our OEM agreements," Kleidermacher was quoted as saying.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.