When word got out that Google would require timely security updates for Android devices, there were unanswered questions: when would it take effect, how long would it last, and which devices would be affected? Now we know. The Verge says it has obtained a contract showing that, as of July 31st, 75 percent of a company's "security mandatory" Android devices (hardware activated by over 100,000 people) must provide consistent security updates for at least two years. All qualifying devices will have to receive those updates starting on January 31st, 2019.
The terms don't require vendors to supply every update, but they aren't allowed to slack for long. They have to supply "at least" four updates in the first year after a device's release, and provide an unspecified number of updates in the second year. They also can't afford to let security go neglected for very long -- at the end of each month, companies have to offer protection against all vulnerabilities identified over 90 days ago, no matter how many updates they've issued.
There are teeth behind the agreement, too. If a company doesn't honor the requirements, Google can refuse approval and effectively block the sale of a device.
In a response, a Google representative didn't directly acknowledge the contract but did say 90-day patches were a "minimum security hygeine requirement" and observed that "the majortity" of more than 200 Android devices had security updates from the last 90 days.
It's not certain that you'll get the updates in a timely fashion. You'll still have to deal with carrier testing delays in some cases. Even so, this could help address the bad habits of those Android makers who either deliver updates sporadically or reserve fixes for certain models. Now, even a modestly successful device will have to be relatively secure. While the policy won't help much if there's a very recent security flaw, it should set a baseline to prevent particularly serious lapses.