Google recently required that popular phones receive a minimum of two years of security updates from the manufacturers themselves. The requirement covers any phone released after January 31st, 2018 and activated by 100,000 users or more. For phones released after January 31st, 2019, Google will expand it to all phones with the Google suite installed.
Fragmentation has always been an issue for the Android ecosystem, and this move aims to reduce its exposure to the constant threats out there. Phone manufacturers have previously ignored older products as their user numbers dwindle, but this leaves the ecosystem open to severe threats. With this new mandate in place, all Android phones should be updated within 90 days of threat identification. If manufacturers fail to comply, Google will withhold approval of future models, potentially preventing their release.
The Android One program promises monthly updates for up to three years, but most phones don’t come under that umbrella. Google wants to make the 90-day policy its new “minimum security hygiene requirement”. This would ensure security flaws are patched no later than three months after they are identified.
It has taken Google a while to reach this stage of security awareness, as previous builds of Android were only patched yearly by some manufacturers. Thankfully, those manufacturers have now come around to a commitment to security for their users. Google has also made it easier to push out OS updates since Android Oreo, restructuring the system to enable easier and faster updates.