Back around Google I/O, a talk revealed that Google was building a requirement for security updates into its agreement with Android OEMs. Now, thanks to some leaked documentation, we’re getting more details on exactly what that means.

Documentation acquired by The Verge reveals a handful of new details regarding how Google plans to require OEMs to provide regular security updates. Apparently, the latest OEM agreement requires new devices to get security updates for a minimum of two years. Currently, there’s no requirement in place regarding security updates like this.

On top of the two-year requirement, Google will also require that devices are updated at least four times within their first year of being available under this new agreement. While that’s a far cry from the ideal 12 times we’d want to see, it’s a huge improvement over what some OEMs manage currently.

These new terms apparently cover any device that is activated by over 100,000 users and launched after January 31st, 2018. From July 31st, these patching requirements were applied to 75% of any OEMs “security mandatory models,” and starting on January 31st, 2019, all security mandatory devices will have to follow these rules. The Verge further explains:

Manufacturers have to patch flaws identified by Google within a specific timeframe. By the end of each month, covered devices must be protected against all vulnerabilities identified more than 90 days ago. That means that, even without an annual update minimum, this rolling window mandates that devices are regularly patched. Additionally, devices must launch with this same level of bug fix coverage. If manufacturers fail to keep their devices updated, Google says it could withhold approval of future phones, which could prevent them from being released.

Notably, these terms appear in Google’s EU licensing agreements when an OEM opts to bundle Google services. It’s unclear if this is a worldwide set of rules, but Google’s various comments on the matter seem to indicate that. A spokesperson for Google says that the 90-day requirement is “a minimum security hygiene requirement” and that “the majority of the deployed devices for over 200 different Android models from over 30 Android device manufacturers are running a security update from the last 90 days.”

More on Android:

Check out 9to5Google on YouTube for more news:

FTC: We use income earning auto affiliate links. More.

Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Schoon

Ben is a writer and video producer for 9to5Google.

Find him on Twitter @NexusBen. Send tips to or encrypted to