The real story with Android’s new security update setup


It’s easy to get lost in a sea of Google I/O information. After all, Google gave us tons of tasty nuggets to digest at its developers’ conference last week — everything from a new midrange Pixel phone to a totally revamped (again) Android gesture interface — so when it comes to the more technical announcements, perhaps it’s no surprise to see some of the finer points get a bit muddled.

I’m talking specifically about something called Project Mainline — a huge effort Google revealed that rethinks the very way security updates are handled across Android. It’s without a doubt one of the biggest and most potentially impactful announcements to come out of I/O this year, but much of the coverage surrounding it has been incomplete or flat-out misleading.

I’ve been studying the effort closely and chatting with Google about the specifics over the past several days. Here are some important points to understand about Project Mainline and what exactly it will — and won’t — mean for you.

1. At its core, Project Mainline is a continuation of Google’s ongoing deconstruction of Android

In this same month nine years ago, Google started wholeheartedly charging forward with a plan to deconstruct Android — to pull once-integrated pieces of software out of the operating system and put them instead into the Play Store, where they could be treated like any other apps and updated frequently throughout the year. Equally important, the pieces could be updated directly by Google, without any manufacturer or carrier involvement and in a way that allows the updates to reach all compatible devices at the exact same time.

Over the years, Google has extended its ambitions and applied this approach not only to system-level apps like Google Calendar, Gmail, and Chrome (all of which, remember, were once part of Android itself and updated only via full-fledged OS updates — just as their Apple equivalents are still treated today on iOS) but also to under-the-hood components like Google Play Services, which powers all sorts of location-, privacy-, and security-related elements (including the entire Google Play Protect system).

This effort has had an enormous impact on Android, as it has made OS updates less critical (though certainly not irrelevant). The reason is simple: Even if your device doesn't get an OS update in a timely manner, it is still getting updates to all sorts of system-level apps numerous times a month — both above the surface and in places you don't actively notice. That pattern continues even when your device gets long in the tooth and is no longer receiving OS updates at all. Particularly considering how poorly most Android device-makers do at providing timely and ongoing OS updates to their users, the importance of this shift can't be overstated.

Well, Project Mainline takes that same basic concept and pushes it even further into Android's engine room. Google is now pulling apart more core parts of the operating system and transforming them into a series of standalone components — all of which are updatable by Google itself, delivered through Google Play rather than through a full over-the-air OS update, and without any sort of manufacturer involvement. It's something that Android chief Hiroshi Lockheimer hinted to me might be in the cards when I broached the subject with him a few years back, and now we're seeing that possibility turn into reality.

2. Despite what much of the coverage out there suggests, Project Mainline does not replace Android’s traditional monthly security patches

I’ve read lots of reports that make it sound like this new system is meant to be a replacement for the traditional monthly-security-patch setup Android’s had for quite a while now. That isn’t actually correct.

First of all, Project Mainline affects only phones with Android Q in place. So right off the bat — and for much of the foreseeable future — a huge majority of Android devices will be completely unaffected by this and will continue to rely solely on the traditional monthly patches for critical updates.

But more broadly, Mainline isn’t meant to replace the monthly patches entirely — not anytime soon, anyway. The system handles updates related to 13 specific areas, ranging from media framework components to network components, but any necessary updates that aren’t covered by those areas will still happen in a traditional monthly patch-like arrangement — even for phones running Q.

Google tells me a large part of what’s previously been included in the monthly patches will be addressed by the Mainline modules — particularly the media-related ones, which represent somewhere around 40% of a typical monthly security patch, according to Google. For devices running Q, the monthly patches will become much smaller as a result. But patches for things like a device’s radio or its kernel (the operating system’s command center, in the simplest possible terms) will still have to be handled outside of the Mainline system, with a manufacturer- and carrier-dependent over-the-air update — the same way they’re handled now.

Google also noted to me that the list of modules covered by Mainline could very well expand over time, particularly in the areas related to security — so what we’re seeing now may be only a first step.

3. Project Mainline isn’t only about security

Despite the general emphasis on security, this new Android Q system actually covers three separate areas: security, privacy, and platform-wide consistency. Nearly half the Mainline modules, in fact — six out of 13 — fall under the “consistency” banner. So while security is certainly a significant part of the equation, it isn’t actually the entire picture.

4. In contrast to what you’ve probably read, device-makers can’t opt out of the automatic update program

One of the most muddled areas of Project Mainline is the idea that it’s completely optional for Android device-makers. There’s a pinch of reality there, but the message got incredibly mixed up along the way.

Here’s the real deal: Android manufacturers do have the option to decline a handful of the modules within the Mainline program. Specifically, they can choose to prevent their devices from receiving updates related to:

  • Captive Portal Login
  • Conscrypt
  • DNS Resolver
  • Network Permission Configuration
  • Networking Components

The reason for this, Google tells me, is that these are areas where certain manufacturers have their own proprietary features that differ from what’s present in Google’s standard Android software. As a result, automatic updates in those areas could cause things to stop working properly on any associated devices.

But that's it: The bulk of the areas Project Mainline will update are mandatory and will be present on all new devices launching with Android Q (as long as they have Google Play support — so in other words, pretty much every Android device in America). Manufacturers can't opt out of the program as a whole, and the only reason they would opt out of any small part of it is a conflict created by their own software customizations in one of the five areas listed above.

5. Project Mainline is actually already active in the latest Android Q beta

If you’re running the latest Q beta software on your device, surprise: This new updating system is already up and running on your phone. There’s just one catch: Right now, in the beta software, any Mainline-provided updates will result in a forced restart of your phone. This is a temporary requirement that Google built into the beta software to allow it to keep track of Mainline updates and remain aware of any issues that might come up with them during this testing period. Once the final Q software rolls out this summer, the updating process will basically become invisible: Android will simply download an update in the background and then apply it automatically whenever a device is next restarted.

Also of note: Just like Play Store updates, all Mainline-provided updates will happen whenever they’re needed — not in a consolidated monthly bundle, like Android’s traditional patches. Advanced users who want to keep track of incoming changes will have a way to do so, but for most regular Android-totin’ folk, it’ll all just happen on its own and without any real interruption or badgering.

Ultimately, it’s another piece of an increasingly intricate puzzle Google’s creating to try to take control of Android upgrades and work around profit-hungry device-makers who clearly don’t care about post-sales software support. Some of the efforts have been wildly successful — like the ongoing move to pull pieces out of Android and update them in the Play Store. Some have been far less effective — certainly not as effective as anyone would have hoped (hi, Project Treble!).

But the more Google can take manufacturers out of the equation and handle updates on its own, the better things will be for us as users — and even with its inherent limitations, Project Mainline certainly seems poised to further that goal.

No matter what kind of Android phone you’re using or what style of software you prefer, it’s hard to see that as anything but a step in the right direction.

[“source=computerworld”]