Security has never been Android's best friend, and the biggest reason is because users don't receive latest security patch updates regularly.
Since it's first inception, Google has been struggling to push updates to its end users due to the many complications from device manufacturer (Android OEMs) and carriers. They have their own ways and time to roll out patches, and sometimes were caught lying about updates, telling people that they're running the latest version while in fact they don't.
Google has no control of these OEMs that create the billions of Android devices. With Project Treble, Google has brought some significant update to Android, giving Google a bit more role in update deliveries. But the problem persists.
The reason is because of OEMs in not delivering all patches regularly and on a timely basis, leaving parts of the Android ecosystem exposed to hackers. But here, Google is starting to force manufacturers to roll out updates regularly, starting Android P.
The head of Android platform security David Kleidermacher revealed that Google has modified its OEM agreements to include provisions for regular security patches for all devices.
"We've also worked on building security patching into our OEM agreements. Now this will really…lead to a massive increase in the number of devices and user receiving regular security patches," said Kleidermacher, stating that OEMs should be contractually obligated to issue regular security patches.
The focus of Android P, is identity and authentication. These are the places where hacks and data breaches happen.
According to Kleidermacher, Android Protected Confirmation is Google's effort to "break through the trust ceiling" with mobile devices to enable stronger authentication for things like managing medical devices, transferring large sums of money, and possibly even voting via mobile device.
Kleidermacher also said that Google has been considering expanding its transparency report to make it easier for people to know what devices have support for these advanced security features.
In terms of securing Android, Google is quick and can be comparable with Apple with iOS.
For example, the company is quick on releasing monthly security patch bulletins that list patches for known vulnerabilities. These security patches are released to the public generally in the first week of each month. However, OEMs and vendors receive the monthly security patches a month in advance.
The thing is, Android’s security patches have never really had any requirements. As a result, most OEMs were pushing out updates to some extent, mainly to help users have a sense of security on their device. But in a long run, the updates were totally optional.
Some OEMs have shown a good track record for updating their phones with security patches on a timely basis, but other brands have the tendencies to keep users waiting and waiting.
This is the problem Google wants to solve, once and for all.