Bad news for custom ROMs: Google changes Android security patch strategy
Monthly security patches for Android will be smaller in future. In addition, the source code will no longer be published regularly.
Google has made changes to the release strategy for Android security patches. Only high-risk vulnerabilities are to be patched monthly, others only quarterly. For developers of custom ROMs, this change is not very welcome and represents a potential stumbling block.
Moving away from monthly security patches
Mishaal Rahman from Android Authority, who claims to have received his information from Google sources, reports on the upcoming change. Since 2015, Google has released security patches for its mobile operating system every month, patching security vulnerabilities of different risk levels that hardware partners had to adapt and distribute for their devices. Google can only roll out a few of these itself via Google Play Services – namely those that are located in the previously modularized Android components. Google has been working for years under the Mainline project on putting Android into individual modules, which the company can then update independently of the manufacturers.
In addition to the security patches released on the first Monday of every month, Google also publishes the so-called Android Security Bulletins (ASB) every month, which contain all fixed security vulnerabilities. Manufacturers themselves had already received this information a month in advance so that they were not blindsided and could adapt patches for their devices.
Google deviated from this cycle in July of this year: the company published its ASB without a single security vulnerability. The one for September, on the other hand, contained a considerable 119 vulnerabilities. According to Rahman, this will continue in the future, so that the bulletins in the three-month cycle – March, July, September, and December – will be larger. This cycle also coincides with Google's own update window for the so-called "Pixel Drops", which include patches as well as new functions. With the most recent "Pixel Drop" at the beginning of September, Google released the Material 3 Expressive design for its smartphones, for example.
"Risk-based update system"
Only high-risk security vulnerabilities are to be patched in the monthly security patches – Google calls this new strategy the "Risk-Based Update System" (RBUS). According to Android Authority, Google defines "high-risk" security vulnerabilities as problems that need to be fixed immediately, such as those that are actively exploited or are part of a known exploit chain. This classification is also based on the actual threat level and differs from the formal classification of a vulnerability as "critical" or "high".
It means less work for manufacturers, who have sometimes been rather careless in patching their devices, as they would have to compile, test and deliver fewer patches each month. This reduces the difficulty of delivering monthly updates and could lead to some manufacturers distributing them more frequently to more devices. With the new approach, Google seems to be making it easier for manufacturers to provide their devices with at least the most important patches. Some manufacturers, such as Samsung, distribute security patches every month, while for other manufacturers it is too much of a challenge, and they sometimes only secure their devices with patches on a quarterly basis or even less frequently.
Custom ROM developers "not amused"
On the user side, the changeover means hardly any change. For developers of custom ROMs, however, the new approach is less pleasing, as Google will no longer publish the source code for monthly security updates, only for quarterly ones. With the current version, Google also appears to be taking its time publishing the source code in the AOSP. As a result, custom ROM developers can no longer deliver monthly security updates. Google had already made their work harder by no longer publishing device trees for its Pixel devices.
In addition, the custom ROM developer GrapheneOS criticizes the risk-based update system. Previously, Google gave manufacturers one month's notice; now they receive the details of the major quarterly updates several months in advance. The GrapheneOS developers consider this longer window problematic, as it also gives malicious actors more time to find leaked details of security vulnerabilities and develop exploits before patches are generally available.
(afl)