Google I/O: 14 Android OS modules to get over-the-air security updates in real-time

Google announces a new way for delivering Android security updates for core OS components.
Written by Catalin Cimpanu, Contributor

At the Google I/O 2019 developer conference held today in Mountain View, California, Google announced a major change to the way the upcoming Android Q mobile operating system will receive security updates.

Also: The Pixel 3A is official: Here's what you need to knowAndroid Q: Everything you need to know

"Your regular device gets regular security updates already but you still have to wait for the release, and you have to reboot when they come," said Stephanie Cuthbertson, Senior Director for Android, while speaking on stage. "We want you to get these faster. Even faster."

"And that's why in Android Q we're making a set of OS modules updateable directly over the air, so now these can be updated individually as soon as they're available and without a reboot of the device."

Google chooses 14 OS components for rapid-fire updates

To get this done, Google engineers have been working for the past year to split several OS core components into separate OS modules.

These modules, despite encompassing a core service of the Android OS, will work similar to Android apps and will receive security updates packed similar to how all apps receive their updates from the Google Play Store.

Once a security update is available, Google says it will push the update to all devices that support this mechanism. The device will stop that particular OS component, apply the update, and restart the component without having to shut down the entire OS --and inherently the user's device.

According to an exclusive interview with The Verge, Android Q will be able to receive security updates for 14 of its core components, listed below:

Captive portal login
DNS resolver
Documents UI
Media codecs
Media framework components
Network permission configuration
Networking components
Permission controller
Time zone data
Module metadata

All are core services, and not something that a regular user would be able to recognize; however, they are usualy the components in which security researchers typically find security flaws --per the company's monthly Security Bulletins.

Not broadly available

Unfortunately, The Verge reports that device makers will be able to opt out of using this new feature --which Google calls internally Project Mainline.

Further, Mainline is also only supported on Android Q, and only handsets that will ship with Android Q installed by default will be able to use it. Devices running older Android versions updating to Q are not eligible.

Android Q devices on which the phone maker opts not to support the Mainline feature will receive security updates in the old way --in one bulky update, either over-the-air from the phone maker or mobile carriers.

Other security features also included

Besides this improved system for security updates, Android Q also comes with 50 other improved privacy and security features, which Cuthbertson described as the main focus of this release.

This includes support for TLS3, MAC address randomization, increased control over location data, and a settings section where users can check which apps have access to a particular permission --with the option of revoking that app's access if needed.

More from Google I/O 2019 is available in the conference live feed. Cuthbertson's presentation on Android Q's new privacy and security features is at the 1:08:30 mark.

Google I/O 2019: The biggest announcements from the keynote

More from Google I/O:

Editorial standards