The Android Security & Privacy team presented a new initiative on Friday evening to protect non-Pixel smartphones, in other words those of third-party manufacturers. Named APVI, for Android Partner Vulnerability Initiative, it allows Google to notify OEMs of issues discovered on their devices, and no longer only of issues in Android itself.
Currently, Google collects vulnerabilities reported through its reward programs. The resulting code changes are then distributed to the Android Open Source Project (AOSP) through the Android Security Bulletins (ASB), which appear monthly. OEMs must then adopt these bulletins.
APVI complements this process. Google gives two examples. In the first, a third-party service responsible for system updates exposed an API giving access to elevated privileges, while checking for a password hard-coded in the code. In the second, a browser could expose user credentials.
Through this program, Google communicates directly with the company or the developers concerned. This is therefore a more active stance, and one that customers will not complain about.
The security of Android devices still largely depends on the goodwill of third-party manufacturers. Currently, an Android smartphone usually receives two years of major updates, three in rare cases. Follow-up on the security bulletins is often spotty, with many applying only one in every two or three.