Another downside is that Google is no longer releasing the source code for monthly security updates, only for quarterly ones. This, in conjunction with other delays in OS source code, means most custom ROMs can’t ship monthly updates anymore. Add this to the pile of other things that make it harder to mod your Android phone in 2025.
Great, Google is making AOSP-based, Google-free ROMs less secure. To accommodate corporate partners that are unable to do monthly bug fixes.
Ah, I thought I’d seen this story already:
There is one potential downside to the Risk-Based Update System, as highlighted by the folks behind GrapheneOS, a privacy and security-oriented fork of AOSP. In the past, Google gave OEMs a one-month heads-up. Now, they receive several months of advance notice for the larger quarterly updates. This longer window could be problematic, as it gives bad actors more time to potentially find leaked vulnerability details and develop exploits before patches are widely available. While the private ASB is shared securely, it’s accessible to tens of thousands of engineers across dozens of companies, making it conceivable that details could leak to malicious third parties. This remains a hypothetical risk, though, as it would require bad actors to leverage the right exploit on the right devices before they’re patched.
Instead of bundling all available security patches into the next ASB, Google now prioritizes shipping only “high-risk” vulnerabilities in its monthly releases. The majority of security fixes, meanwhile, will be shipped in quarterly ASBs. Google defines “high-risk” vulnerabilities as issues that are crucial to address immediately, such as those under active exploitation or that are part of a known exploit chain. This designation is based on real-world threat level and is distinct from a vulnerability’s formal “critical” or “high” severity rating.
Reckless behavior! You cannot adequately rate a vulnerability’s real risk, and we have a very limited view of what’s being exploited in the wild. Threat actors don’t exactly publish their successes, and even the smallest bugs can be used to build powerful primitives in ways that can be really surprising (e.g. a single off-by-one null byte overflow that seems minor can lead to actual code execution with sufficient control of the heap). Picking and choosing is a direct security compromise that makes Android less secure no matter which way you slice it.
This reads to me as sugar-coating a cost-cutting measure. “Prioritize fixing and patching the highest-risk ones first” my ass. When you know of a bug that could have security relevance, you fix that bug. This just says you can’t afford the developers to actually fix your broken code.
I don’t really see how delaying patches makes Android any more secure than a monthly release.
Sure, it’s probably a tradeoff between the time it takes to ship security patches and might help some vendors to at least ship quarterly updates, but … it keeps known vulnerabilities unpatched for up to three months.
Even with this lead time, some OEMs struggle to roll out security updates for all their devices each month. In fact, many don’t even commit to monthly security updates for their entire lineup; their update policies often stipulate that budget and mid-range devices only qualify for bi-monthly or quarterly patches.
Which is to say that most OEMs aren’t making monthly releases. It’s a sad state of affairs.
Google has put a lot of effort into making the process for OEMs easier. Project Treble to simplify updates. Project Mainline to move updates to be pushed via Google Play. (The small downside being you now need Google Play, but users do now get security updates.)
Now the answer seems to be fewer updates. OEMs weren’t doing them, but maybe if they’re smaller? It’s probably better that end users get some updates rather than none.
Google might be trying to package critical security updates with a subscription in the future. Looks like this is the first step to make users accept they’re fine without all security patches then soon, hey, why not create a subscription for people who want them immediately?