For two years, Google has been looking to make it simple for companies to run and deploy dependable Android devices via its Android Enterprise Recommended (AER) program. It is essentially a selection of certified hardware with certain minimum guarantees: They have to be eligible for zero-touch enrollment, carrier-unlocked, and must receive security updates within 90 days of release for at least three years. As XDA Developers reports, the latter requirement may soon be significantly relaxed in favor of more nebulous transparency requirements.

According to a few leaked, nonfinal documents, Google is looking into dropping the 90-day security update requirement altogether. Instead, manufacturers have a new rule to work with: transparency. On their websites, OEMs have to publish the date when their participating phone will receive its last security update and which patch is currently available. They also have to share how often they will update it. The same is true for new Android releases: Customers must be able to know which software the phone initially shipped with, which version it is currently on, and which update you can expect to be the last.

The mandatory three-year support for Emergency Security Maintenance Releases (ESMR) remains active, though. That means that critical security flaws must be patched for at least three years, even if the phone doesn't receive regular system updates anymore.

Check out the leaked table below for all the minuscule changes. If you wonder why it says "30-day security updates" and not 90 in the Android 10 section, it seems like Google has updated the requirement to be more rigorous, but has only informed manufacturers, not the general public.

| Category | Serial Number | MUST / MAY | Feature and Implementation: Q (Android 10) | Feature and Implementation: R (Android 11) | Comments |
|---|---|---|---|---|---|
| Device Security | 1 | MAY | Operate an OEM Vulnerability Rewards Program (VRP) | Operate an OEM Vulnerability Rewards Program (VRP) | |
| | 2 | MAY | StrongBox support | StrongBox support | |
| | 3 | MAY | Hardware backed Keystore support | Hardware backed Keystore support | |
| | 4 | MAY | Device ID attestation support | Device ID attestation support | |
| | 5 | MAY | Key attestation support | Key attestation support | |
| | 6 | | 30-day security updates | Requirement removed | Replaced with Security transparency requirement |
| | 7 | MUST | Three year support for Emergency Security Maintenance Release (ESMR) | Three year support for Emergency Security Maintenance Release (ESMR) | Replaced with Security transparency requirement |
| | 8 | | File-based encryption – on by default. Uses AOSP implementation. | Requirement removed | This is a GMS requirement enforced for all devices |
| | 9 | | 90-day security updates | Requirement removed | Replaced with Security transparency requirement |
| | 10 | | Three year security update support (may sub 3rd year ESMR) | Requirement removed | Replaced with Security transparency requirement |
| | 11 | | Publish latest security patch level | Requirement removed | Replaced with Security transparency requirement |

Above: Revision to Device Security requirements. Below: New transparency requirements.

| Category | Serial Number | MUST / MAY | Feature and Implementation: Q (Android 10) | Feature and Implementation: R (Android 11) | Comments |
|---|---|---|---|---|---|
| Security/OS Updates transparency | 1 | MUST | | MUST publish following updates information on OEM website: SMR support end-date (last date when the device will receive SMR); Latest security patch available; Frequency of updates the device will receive; Fixes contained in security patch, including any OEM-specific fixes | Changing the requirement from SMR support to SMR/patches/updates transparency |
| | 2 | MUST | | MUST publish following OS information on OEM website: OS that the device is shipped with; Current major OS ver; All major OS version update that the device will receive | Changing the requirement from support to transparency. E.g.: Pixel 3: Shipped ver – Android 9; Current ver – Android 10; Expected major ver – Android 11 |
| | 3 | MUST | | Submit the device to IoXT certification | IoXT scoring adds to transparency |

Keep in mind that these are just proposed changes. The new rules aren't carved in stone, and Google could decide against them before it publishes the next finalized version of the AER guidelines. We can also only speculate as to why Google considers making the rules less strict. It's possible that these requirements are now part of the secret contract Google and manufacturers enter when they want to use Android. We once had a look at such a document back in 2018, when a leak showed that phones had to be updated for at least two years. If that's the case, the extra requirement for the AER program would be unnecessary.

In the end, the transparency requirement could be beneficial for all phone owners — we would finally be able to reliably find update information on all manufacturers' websites, helping us judge which phones will be the most secure and long-lasting.