Google is trying to clean up haphazard Android patching by contractually obliging Android handset makers to regularly distribute its patches for at least two years.
If successful, the move would bring Android partners closer to Google's patching commitments while offering vendors some leeway to cater for broad product lines.
Google guarantees that Pixel 3 and 3 XL phones will receive security updates for at least three years after release.
And while Google updates its Pixel devices with each month's Android security updates, it's up to Android vendors whether and when these patches reach end-user devices.
That situation has led to variations in patching, not just between vendors but also within each vendor's product lineup, which is often far broader than Google's own hardware range.
Samsung, the first vendor to adopt monthly Android patches, regularly distributes monthly Android security updates, but only to select devices.
It aims to, but does not guarantee, monthly Android security updates for Galaxy S, Note, A5 and A8 phones, and it makes no commitment on how long those updates will continue. Cheaper models, such as the J series, get only quarterly updates, again with no commitment on duration.
But a confidential Android vendor contract obtained by The Verge spells out how this situation could change.
The terms wouldn't affect Samsung much, but they could bring other vendors -- assuming they want the essential Google Play Store app on a device -- into a similar state.
Vendors would need to provide "at least four security updates" within the first year of the phone's launch. Android security updates must also be delivered in year two, but no frequency has been specified.
As mentioned, Samsung already meets these requirements for a range of high- and low-end devices, with the exception of the two-year guarantee. Interestingly, Samsung recently won a court case in the Netherlands that aimed to force it to provide patches for at least two years.
The terms aren't just aimed at flagship models; any phone model launched after January 31, 2018 that has been activated by more than 100,000 users must comply, according to The Verge.
The contract requires the vendor to meet Google's patching terms for 75 percent of the models that cross this threshold by July 31. By January 31, 2019, Google expects all covered models to be receiving patches as per the terms.
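To make the reported cadence terms concrete, here is an added example of how a fleet auditor might score one device model against them. It is not code from the article, The Verge or Google, and it makes assumptions the page does not state: a "security update" is counted as a distinct value of the `ro.build.version.security_patch` build property (YYYY-MM-DD) that appears on the device after launch, both year windows are measured from the launch date, and "must also be delivered in year two" is read as at least one update. The sample observations are constructed, not real devices.

```python
"""Audit one device model's observed patch levels against the cadence terms
reported for Google's vendor contract: at least four security updates in the
first year after launch, and further updates during the second year.

Added example, not code from the article, The Verge or Google. Assumptions
(not stated on the page): a "security update" is a distinct value of the
ro.build.version.security_patch build property (YYYY-MM-DD) that appears on
the device after launch; the year-one and year-two windows run from the
launch date; "must also be delivered in year two" is read as at least one.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

MIN_UPDATES_YEAR_ONE = 4
MIN_UPDATES_YEAR_TWO = 1  # assumption: the page gives no count for year two


def parse_patch_level(value: str) -> date:
    """Parse a ro.build.version.security_patch string (YYYY-MM-DD)."""
    year, month, day = (int(part) for part in value.split("-"))
    return date(year, month, day)


def check_cadence(launch: date, observed: List[Tuple[date, str]]) -> Dict[str, object]:
    """Count distinct patch levels first seen in each year after launch.

    observed: (date the device was seen running it, reported patch level).
    Levels are credited to the window in which the device first reported them,
    not to the date inside the level string: that string is a vendor-declared
    build property, so it records what the vendor claims, not when it shipped.
    """
    year_one_end = launch + timedelta(days=365)
    year_two_end = launch + timedelta(days=730)

    # Earliest observation date for each distinct patch level.
    first_seen: Dict[date, date] = {}
    for seen_on, level in sorted(observed):
        first_seen.setdefault(parse_patch_level(level), seen_on)

    # The level the device shipped with is not an update; only later ones count.
    arrivals = sorted(d for d in first_seen.values() if d > launch)
    year_one = sum(1 for d in arrivals if d < year_one_end)
    year_two = sum(1 for d in arrivals if year_one_end <= d < year_two_end)

    # Longest wait between updates (starting from launch) separates a
    # monthly-ish cadence from a quarterly one.
    checkpoints = [launch] + arrivals
    if arrivals:
        longest_gap = max((b - a).days for a, b in zip(checkpoints, checkpoints[1:]))
    else:
        longest_gap = None

    return {
        "year_one_updates": year_one,
        "year_two_updates": year_two,
        "longest_gap_days": longest_gap,
        "compliant": year_one >= MIN_UPDATES_YEAR_ONE and year_two >= MIN_UPDATES_YEAR_TWO,
    }


# Constructed sample data (not real devices): a model launched 1 March 2018.
LAUNCH = date(2018, 3, 1)
MONTHLY_ISH = [
    (date(2018, 3, 1), "2018-02-01"),   # out-of-box level, not an update
    (date(2018, 4, 10), "2018-04-01"),
    (date(2018, 6, 12), "2018-06-01"),
    (date(2018, 9, 5), "2018-09-01"),
    (date(2018, 12, 3), "2018-12-01"),
    (date(2019, 3, 8), "2019-03-01"),
    (date(2019, 7, 20), "2019-07-01"),
    (date(2019, 9, 1), "2019-07-01"),   # same level seen again: not counted twice
]
QUARTERLY = [
    (date(2018, 3, 1), "2018-02-01"),
    (date(2018, 6, 15), "2018-06-01"),
    (date(2018, 9, 20), "2018-09-01"),
    (date(2019, 1, 10), "2019-01-01"),
    (date(2019, 5, 2), "2019-04-01"),
]

if __name__ == "__main__":
    for name, obs in (("monthly-ish", MONTHLY_ISH), ("quarterly", QUARTERLY)):
        print(name, check_cadence(LAUNCH, obs))
```

The quarterly sample lands three updates in year one and so fails the four-update term even though the vendor did ship patches; the check deliberately credits a level only when a device is seen running it, because the level string alone says nothing about delivery.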
The patching terms appear in the new Google licensing agreement that is rolling out to comply with the EU's €4.34bn antitrust fine and ruling, under which Google has now agreed to charge device makers for core Google apps like the Google Play Store.
The contract applies to Android phones and tablets to be distributed in the EU that bundle Google's apps.
How well Google can monitor, and therefore enforce, compliance with the contract is another question. The patch level a device reports is a string the vendor sets in the build, so it reflects what the vendor declares rather than which fixes are actually present.
Researchers recently found that some vendors were gaming Google's Android patch-level system: devices reported that they had been patched to a given level when patches belonging to that level were in fact missing.
The contract reportedly states that Google could withhold approval for future phones if the vendor fails to comply. And phones without the Google Play Store are unlikely to sell that well.
Previous and related coverage
No, Samsung doesn't have to keep patching old smartphones, court rules
Samsung beats consumer advocates in case over smartphone security updates.
Android security: Your phone's patch level says you're up to date, but that may be a lie
Study into missed security updates casts doubt on Google's Android patch level system.
Android antitrust: Google hit with giant €4.34 billion fine by Europe
Search giant told to change its practices in 90 days.
These Android smartphone OEMs provide the fastest security updates to users (TechRepublic)
Timely security updates continue to be a problem for Android devices. Find out how your manufacturer compares.
For the Pixel 3, Google is betting on a chip to bring Android security (CNET)
The chip is a variation of what Google uses to protect its data centers.