Perhaps few noticed it, but July's was the first Android security bulletin in which no vulnerability was listed. Has Android become so safe and reliable? In reality, this anomaly (an event never recorded since Google began publishing the monthly bulletins in 2015) signals an important change in the management of security updates for Android. Mountain View is, in fact, introducing a new system that focuses on the real risk posed by a vulnerability instead of the simple monthly accumulation of security patches. The change, so far not officially announced but confirmed by multiple sources close to the company, emerged precisely from the July bulletin.

Index:

  • Google’s new approach
  • The critical issues of this new approach

Google’s new approach

This apparent “absence of problems” does not mean that there were no vulnerabilities, but reflects a strategic turning point. Google has in fact decided to introduce the so-called Risk-Based Update System (RBUS), a system that deeply changes the logic of distributing Android updates. Basically, monthly updates now include only the vulnerabilities considered high risk, that is, those that require immediate intervention, either because they are potentially exploited in real attacks or because they are part of already known attacks. All the other patches are instead grouped into quarterly bulletins, making the March, June, September and December publications richer in content.

The direct consequence of this new approach is greater flexibility for smartphone manufacturers, which have been struggling for years to distribute monthly updates promptly, especially on budget devices or devices sold through telephone operators. Thanks to the risk-based system, manufacturers must manage a smaller number of patches every month, which could facilitate a more regular and, in some cases, even more frequent distribution of updates. In parallel, manufacturers can concentrate their resources on the quarterly updates, which become the real central moment in the security maintenance of Android devices.

For end users, this change will be almost invisible, at least for those who already receive monthly updates. Those who are used to receiving them less regularly could benefit from an improvement in the punctuality of updates, at least at the critical moments of the year. The monthly bulletins, however, may be empty in months where no high-risk vulnerabilities have been detected, just as happened in July. Some manufacturers, such as Samsung, still released updates that month, but without being able to publish the details of the fixed vulnerabilities, following the directives imposed by Google.

The critical issues of this new approach

As often happens, alongside significant improvements some critical issues remain. One aspect underlined by groups such as GrapheneOS, an open source project focused on privacy, concerns the risk linked to the management of the private bulletins. While before, manufacturers received a notice of about a month, they are now informed several months in advance for the quarterly bulletins. Although this information is transmitted securely, the fact that it is accessible to thousands of engineers all over the world opens the possibility, even if only theoretical, that some details could leak and end up in the wrong hands. A leak of information in advance could offer attackers the time needed to build targeted attacks, to be used before the patches are actually distributed.

Another consequence of this strategy concerns the world of modding. Google has in fact stopped publishing the source code of the monthly updates, releasing it only for the quarterly ones. This makes it more difficult for custom ROM developers, such as LineageOS, to integrate security patches promptly. In a period in which the possibilities for customizing Android are already being restricted, this choice risks further penalizing a part of the ecosystem that has historically contributed to the growth and innovation of the operating system.