With rapid innovation and diverse competition, the Android community has always embraced a certain amount of chaos. The result has been a vibrant ecosystem of hardware and software.

When it comes to enterprise IT managers, though, innovation and competition take a back seat to something more important: mitigating mobile security vulnerabilities. Solving the problem of distributing updates to thousands of Android devices made by dozens of manufacturers and connected to various carriers isn’t easy. There are a lot of moving parts and, to some extent, the fragmentation of the market will always complicate things.

Recognizing this, Google’s Android team, major carriers, and major smartphone manufacturers have worked together to develop the Security Maintenance Release (SMR) process for Android.

With SMR, users receive fast-tracked security updates over the air every month, with almost no user interaction required. The result is a much smaller window of exposure and a more predictable lifecycle for smartphones.

Android Maintenance Releases

To further understand the SMR process, it's worth looking at normal Android releases and the maintenance release (MR) process. When Android releases a new version or a significant set of patches, that's just the starting point for an MR. Each smartphone vendor has to customize Android for its individual devices. Software has to be built and tested for each smartphone, and vendor-specific software for that hardware is layered on top: device drivers, security enhancements and so on. These components have to be thoroughly tested by the vendor before they're released.

But the MR story doesn’t end there, because most Android devices are sold in the U.S. by mobile carriers. The carrier-specific Galaxy S9 in your pocket isn’t just running Google’s Android operating system compiled and tested by Samsung. It’s also further packaged by the carrier with their specific settings, preloaded applications and branding before it gets released. That takes time: three to six months for an MR is not unusual, and users typically have to specifically accept and install the major update.

Delivering a predictable, tested and stable operating system is a critical part of merging the dynamic nature of open source with the world of telephony. But the timelines and costs involved — which keep some carriers from releasing updates to older devices — aren’t compatible with good enterprise security. That’s where SMRs come in to address mobile security vulnerabilities in a timely fashion.

Security Maintenance Release Process

The SMR process depends on cooperation between Google, the smartphone carriers, and device and chip vendors such as Samsung. IT managers should ensure that when they select smartphone devices, both the carrier and the hardware vendor are fully committed to the SMR process. It's a fast track from Google to hardware vendor to carrier to customer that gets security updates out as quickly as possible. Rather than collecting security patches into a larger release, such as a major Android update, SMR ships them on a monthly or quarterly basis, depending on the device. The goal is for SMR updates to flow independently of Android version updates, frequently and in a timely fashion, down to devices via the carrier's Firmware Over-the-Air (FOTA) update servers.

The SMR process starts with the Android team's Partner Security Bulletin, which comes out in the first week of each month. This bulletin lists the new patches available from the Android team, broken into "Should" and "Must" patch lists. ("Should" patches usually come from chip vendors, and they turn into "Must" patches once the binary updates are available, typically after a few months.) Patches for the listed issues are incorporated into the Android source code and made available to hardware vendors. SMR bulletins don't define a new Android version number; instead they define a date-stamped security patch level.

Manufacturers participating in SMR will immediately begin integrating and testing all security patches. This can take days or weeks, depending on the number of patches and how complex the testing and integration process is. As each patch is ready to go, it is released to the carriers, who launch their own testing and integration process.

The Partner Security Bulletin, manufacturer integration and testing, and carrier integration and testing all happen within a month (unless something goes wrong). At the start of the following month, the Android Security Bulletin goes public, and carriers begin sending the tested patches out via their FOTA update servers. Smartphones configured for automatic updates download and apply the SMR updates without user action.

Users can check the status of their SMR updates by tapping "Settings," then "About Phone" in the Settings app. The Android version is shown separately from the Android Security Patch Level, which is a date (for example, 2018-09-01) rather than a version number, so it can be compared directly against the current bulletin. Once a smartphone has downloaded and applied all of the patches in a security bulletin, its security patch level advances to that bulletin's date.
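Checking About Phone one handset at a time doesn't scale to a fleet. As an added example (not from the original article and not Samsung's or Google's tooling), the following POSIX shell script reads the same patch level from a device through adb, using the system property ro.build.version.security_patch, and flags devices whose patch level lags more than a chosen number of months behind a reference date. The live sweep assumes adb is installed and the devices have USB debugging enabled; the getprop output at the bottom is a constructed sample so the parsing and classification can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original article): audit the security patch
# level a device reports, the same value shown under Settings > About Phone.
# Assumptions: adb is on PATH and USB debugging is enabled for live use; the
# parsing and classification functions work on plain text so they run offline.

# Turn a YYYY-MM-DD patch level into a month count so two dates can be subtracted.
patch_months() {
  y=${1%%-*}
  rest=${1#*-}
  m=${rest%%-*}
  m=${m#0}            # "08" -> "8"; avoids octal interpretation in $(( ))
  echo $(( y * 12 + m ))
}

# patch_age_months PATCH_LEVEL REFERENCE_DATE -> whole months the device lags
patch_age_months() {
  echo $(( $(patch_months "$2") - $(patch_months "$1") ))
}

# classify_patch PATCH_LEVEL REFERENCE_DATE MAX_MONTHS -> "current" or "stale"
classify_patch() {
  age=$(patch_age_months "$1" "$2")
  if [ "$age" -le "$3" ]; then echo current; else echo stale; fi
}

# Pull one property out of `adb shell getprop` output, whose lines look like
#   [ro.build.version.security_patch]: [2018-06-01]
prop_from_getprop() {
  sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p"
}

# audit_device SERIAL REFERENCE_DATE MAX_MONTHS, with getprop output on stdin.
# Prints one line per device: serial, Android version, patch level, verdict.
audit_device() {
  dump=$(cat)
  release=$(printf '%s\n' "$dump" | prop_from_getprop ro.build.version.release)
  patch=$(printf '%s\n' "$dump" | prop_from_getprop ro.build.version.security_patch)
  status=$(classify_patch "$patch" "$2" "$3")
  printf '%s android=%s patch=%s status=%s\n' "$1" "$release" "$patch" "$status"
}

# Live fleet sweep (needs adb; not exercised offline): every attached device in
# the "device" state is graded against today's date, default tolerance 2 months.
audit_fleet() {
  ref=$(date +%Y-%m-%d)
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
    adb -s "$serial" shell getprop | audit_device "$serial" "$ref" "${1:-2}"
  done
}

# Constructed sample of getprop output (hypothetical device, not captured data).
SAMPLE_GETPROP='[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2018-06-01]
[ro.product.model]: [SM-G960U]'

# Audited as of 2018-10-15 with a two-month tolerance: four months behind, so stale.
printf '%s\n' "$SAMPLE_GETPROP" | audit_device SAMPLE-S9 2018-10-15 2
```

The tolerance is deliberately a parameter: a carrier that ships SMR quarterly will legitimately show a patch level two or three months old, so set MAX_MONTHS to match the cadence your carrier and vendor committed to, and treat anything beyond it as a device that has fallen out of the SMR pipeline rather than one that is merely waiting.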

IT managers should ensure that smartphones are configured to automatically download and apply security patches, even if general Android version updates are held back for evaluation and testing. Confirm with your EMM vendor how its update policy treats monthly security patches versus major OS upgrades, and verify the behavior on a pilot device before relying on it across the fleet.

Tips for Effective Updates

IT managers need to understand the chain of updates from Android to their smartphone users. When a phone is packaged by a carrier, even if it's sold through a retailer, its updates must come from that carrier. That means changing carriers calls for a phone refresh: you have to turn in your old smartphones and get new ones, because moving carrier-packaged phones to a new carrier will generally cut them off from Android updates.

Smartphones bought directly from major vendors, such as Samsung, get their updates from the vendor's FOTA servers, making them carrier independent. IT managers with multiple carriers, whether in the U.S. or internationally, should buy unlocked phones direct from the hardware vendor. The pricing may not be subsidized, but you won't end up with a smartphone that stops getting updates because of frequent travel. There's a security advantage to buying directly as well: you cut out the middleman in testing and releasing security updates, so updates arrive as quickly as possible.

Finally, remember that Google commits to security updates for each new software version for only three years. The result is that a typical Android phone stops receiving security updates after about three years. Some vendors, such as Samsung, extend that to four years for their flagship phones to provide a longer lifecycle. IT managers should plan for a three- (or four-) year replacement cycle for Android phones so that devices keep meeting enterprise security requirements and don't accumulate unpatched vulnerabilities.

Are unpatched security vulnerabilities worth the risk? A recent report shows just how much known vulnerabilities can cost your business.