ZDNET’s key takeaways
- Google may change how Android security updates work.
- But larger patch cycles might give hackers more time.
- ‘High-risk first’ model could streamline OEM patches.
Google is considering an overhaul of security patch update rollouts in a bid to improve Android security.
Risk-based update system
According to Android Authority, the new system, dubbed the “Risk-Based Update System” (RBUS), would continue to protect Android users while streamlining Original Equipment Manufacturer (OEM) patching procedures.
Currently, Google operates Android Security Bulletins (ASBs) listing fixes for vulnerabilities impacting the Android operating system. Android partners and OEMs are notified of all issues at least a month before the public release.
Instead of throwing every available fix for everything from high-risk, critical vulnerabilities to low-risk bugs into a monthly ASB, Google may pivot to a focus on shipping updates for critical real-world issues within its monthly patch cycles. So, if a vulnerability is being actively exploited in the wild or is considered to be of extreme risk to user privacy and security, it will be patched more quickly than a low-risk denial-of-service memory issue, for example.
As noted by the publication, however, there is a difference between an official “critical” rating under CVSS scoring and what Google could deem high risk. A security issue with a low CVSS score that is used as part of a wider exploit chain, for example, could theoretically still be included in the monthly updates.
Other, ‘low-risk’ security problems could then be moved to quarterly ASB patch cycles.
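The distinction the article draws, between a bug’s CVSS score and its real-world risk, is easy to see in code. The following is an added illustration, not code from the article or from Google: a toy triage routine that sorts constructed sample findings into a monthly or quarterly bucket. The field names, the 9.0 threshold and the sample bug identifiers are assumptions, not Google’s published criteria.

```python
"""Toy risk-based triage (added example; not Google's actual RBUS logic).

Splits findings into a monthly bucket (real-world risk) and a quarterly
bucket (everything else), mirroring the split described in the article.
"""
from dataclasses import dataclass

MONTHLY = "monthly"
QUARTERLY = "quarterly"

# Assumed threshold for 'extreme risk' by score alone; not a Google figure.
CRITICAL_CVSS = 9.0


@dataclass
class Finding:
    bug_id: str                    # constructed placeholder ids, not real CVEs
    cvss: float                    # base score, 0.0 - 10.0
    exploited_in_wild: bool = False
    in_exploit_chain: bool = False  # low-score bug that enables a larger attack
    note: str = ""


def real_world_risk(f: Finding) -> list[str]:
    """Return the reasons a fix should not wait for a quarterly bulletin.

    An empty list means the finding is low real-world risk. Note that a
    low CVSS score does not by itself keep a bug out of the monthly cycle.
    """
    reasons = []
    if f.exploited_in_wild:
        reasons.append("actively exploited")
    if f.in_exploit_chain:
        reasons.append("used in exploit chain")
    if f.cvss >= CRITICAL_CVSS:
        reasons.append("critical CVSS")
    return reasons


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Assign each finding to the monthly or quarterly bucket by id."""
    plan = {MONTHLY: [], QUARTERLY: []}
    for f in findings:
        bucket = MONTHLY if real_world_risk(f) else QUARTERLY
        plan[bucket].append(f.bug_id)
    return plan


# Constructed sample findings (ids and scores are made up for illustration).
SAMPLE = [
    Finding("BUG-0001", 4.3, in_exploit_chain=True, note="info leak feeding a chain"),
    Finding("BUG-0002", 9.8, note="remote code execution"),
    Finding("BUG-0003", 5.5, note="low-risk denial-of-service memory issue"),
    Finding("BUG-0004", 7.8, exploited_in_wild=True, note="in-the-wild privilege escalation"),
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE).items():
        print(f"{bucket}: {ids}")
```

Run as a script, the low-scoring BUG-0001 lands in the monthly bucket because it feeds an exploit chain, while the higher-scoring but unexploited BUG-0003 waits for the quarterly bulletin; that is the ordering the article describes, and also where the trade-off it raises later sits, since anything in the quarterly bucket stays unpatched for up to three months.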
What does this mean for OEMs?
OEMs utilize the Android operating system to operate their devices, but this doesn’t mean they follow the same security patch update cycles, and many run their own bulletins. Google appears to want to reduce the sheer number of fixes that need to be deployed on Android handsets, which could mean that fewer patches need to be tested and deployed on a monthly basis.
If high-risk bugs are tackled first, this may give OEMs more breathing room and more control over what fixes they want to deploy, and when.
However, a downside is that delays in resolving security issues may occur, which could give threat actors more time to use security flaws in their attacks. There’s also a risk that upcoming releases could be leaked, giving attackers forewarning on what bugs are due to be fixed and when.
Quarterly ASBs will likely be far larger. This is already visible in Google’s September ASB, which contained fixes for over 100 vulnerabilities, compared with the July and August bulletins, in which none or very few bugs were listed.
“Android and Pixel security bulletins are published monthly,” a Google spokesperson told ZDNET. “To keep users safe, we build powerful security deep into Android’s foundation. Android stops most vulnerability exploitation at the source with extensive platform hardening, like our use of the memory-safe language Rust and advanced anti-exploitation protections. Android and Pixel continuously address known security vulnerabilities and prioritize fixing and patching the highest-risk ones first.”
In related news, starting next year, the developers behind apps installed on Android-certified devices will be required to verify themselves. In particular, sideloading, which allows users to bypass Google Play and install apps from unverified sources, will be restricted, and Google says this should allow the company to clamp down on fake and fraudulent software.