Delayed Security Patches for AOSP (Android Open Source Project)
92 comments
·September 7, 2025bhouston
transpute
Thanks for the clarification. 90 day embargo of patches for all Android is worse than delaying for AOSP, https://news.ycombinator.com/item?id=45158523#45161240
They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.strcat
X cut off the link you copied within our reply. Here's that link along with 2 alternatives other than X:
https://x.com/GrapheneOS/status/1964754118653952027
scottbez1
This is entirely unsurprising. It's been clear that Google has been into their Android duopoly-abusive stage for a while now, with more and more of their Android changes moving into GMS or non-AOSP Google apps (like camera, messages, location services, etc) over the last decade. Graphene has been doomed to this fate for a long time, and anyone who thought otherwise was naively optimistic.
The same is clearly coming for Chromium forks, which is why I've always thought the privacy and ad-blocking forks are a joke - if they ever gain enough marketshare, or if google just tires of the public open source charade, they have no chance of maintaining a modern browser on their own.
This is all the more likely now that Google has been emboldened by not having to sell off Chrome for anticompetitive reasons.
strcat
Security patches aren't being delayed for AOSP specifically but rather Android as a whole including the stock Pixel OS. The title is misinterpreting our reply. We didn't say they're delaying patches to AOSP specifically. Stock Pixel OS has delayed patches too.
A more detailed explanation is at https://x.com/GrapheneOS/status/1964754118653952027.
GrapheneOS has an OEM partner and early access to the security patches so our complaint isn't about us not having access. Google has added an exception to the embargo where binary-only patches can be released which we could use for a special security update branch but that's a ridiculous exception and it should be allowed to release the sources. It can be reversed from the security patches anyway and is trivial for Java and Kotlin. We can't break the embargo ourselves but we CAN publish the security patches early under the rules of the embargo via a special branch and people could reverse the patches from there which could then be applied to the regular GrapheneOS branch. The system is ridiculous and our hope is these changes are undone.
The title should really be changed from "for AOSP" to "for Android". There's a binary-only exception in the embargo now but that's not really about AOSP and isn't being used in practice even for Pixels. They've really just delayed all patches 4 months instead of 1 while also destroying any semblance of there being a real embargo (which was already very weak).
transpute
Thanks for the clarification. Delaying patches for all Android is even worse than delaying for AOSP. Excerpts below.
.. Google recently made.. misguided changes to Android security updates.. almost entirely quarterly instead of monthly to make it easier for OEMs. They're giving OEMs 3-4 months of early access which we know for a fact is being widely leaked including to attackers.
.. Google's existing system for distributing security patches to OEMs was already.. problematic. Extending 1 month of early access to 4 months is atrocious. This applies to all of the patches in the bulletins. This is harming Android security to make OEMs look better by lowering the bar.. The existing system should have been moving towards shorter broad disclosure of patches instead of 30 days.
.. Android's management has clearly overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons.. Android is very understaffed due to layoffs/buyouts and insufficient hiring.. Google does a massive portion of the security work on the Linux kernel, LLVM and other projects.. providing the resources and infrastructure for Linux kernel LTS releases. Others aren't stepping up to the plate.
null
ACCount37
Just a year prior, I would have been against a decision to force Google to part with either Android or Chrome.
Now, I'm of the opinion that they should have been forced to sell off both, and maybe Chromebooks too, for the good measure.
No company with a direction as vile and openly user-hostile as what Google currently demonstrates should have anywhere near this level of control over the ecosystem.
thewebguyd
They should lose YouTube as well. Remember how they used their control over YouTube to kill Windows Phone back in the day also. They should have lost it right then.
Google is very clearly an abusive monopoly, and has been for a very long time. We all overlooked it because they were mostly benevolent. That is no longer the case.
overfeed
> YouTube to kill Windows Phone back in the day also.
I hope you're not referring to YouTube blocking the 3rd party YT Windows Phone client that didn't play or display ads? At the time, Microsoft was threatening Android OEMs with patent infringement (without disclosing the specific patents!), and making it go away if they agreed to make Windows phone models[1]. Google refusing to make a first-party YouTube client for Windows Phone was to be expected, it was an ugly, hand-to-hand fight and all parties used the weapons they had at hand.
1. The agreements were never made public, but HTC and Samsung disclosed they'd be making Windows phones in their respective agreements with Microsoft. Microsoft also initially filed an Amicus brief in Google v Oracle - supporting Oracle's position.
scottbez1
The sad thing is I think Google keeping Chrome is actually likely the better of two possible bad outcomes... Anyone else interested and willing to pay the true value of owning the entire Internet ecosystem is almost certainly going to look to extract value from that, and that's almost certainly worse than what Google does today. E.g. using everyone's browser to extract training data for AI without getting IP blocked.
ACCount37
A year or so ago, I would have agreed. Not anymore.
Sure, a company can buy Chrome and proceed to sell user browsing habits data to the highest bidder, or use it as a backbone for decentralized scraping - backed by real user data and real residential IPs to fool most anti-scraping checks. But if they fuck with users enough, Chrome would just die off over time, and Firefox or various Chromium forks like Brave would take its place. This already happened to the browsing titan that was IE, and without the entire power of Google to push Chrome? It can happen again.
The alternative is Google owning Chrome for eternity - and proceeding with the most damaging initiatives possible. Right now, Google is seeking to destroy adblocking, tighten the control over the ad data ecosystem to undermine their competitors, and who knows what else they'll come up with next week.
palata
Split it to a point where no one company can own the entire Internet ecosystem. Apply antitrust laws to keep it like this.
Maybe the development will slow down, but let's be honest: we would still be fine if Android and iOS had stopped "improving" years ago. Now it's mostly about adding shiny AI features and squeeze the users.
izacus
And by destroying the Android development team you'd achieve what exactly? Magical appearance of the security patches you're complaining about here?
Would you start to actually pay for all those hundreds of engineers maintaining the OS?
ACCount37
Either the new company takes over maintaining Android, or it fumbles the bag and the development becomes less centralized for a while - until some leader emerges and takes over.
Either way, the new control center of Android wouldn't be Google. A decade ago, I would have seen that as a very bad thing. Now, I'm almost certain that this would be a change for the better. Google is not what it once was.
palata
Drone manufacturers like Samsung, Xiaomi etc need an OS. Right now it's more profitable for them to just pay licences to Google. But if Google lost Android... they would need to find a solution.
I would like to see this, at least something would be happening.
wmf
I wonder if Android and Chrome would support open source even less as independent companies though.
SpaghettiCthulu
Why not spin them each off into an independent non-profit?
cosmic_cheese
Yep. If we’re gonna be forking browsers, Firefox should be the base, not Chromium. Mozilla is in much less of a position to abuse their position, and more Firefox forks means more chances that one catches on with some slice of the larger public and helps chip away at Blink hegemony.
dutchCourage
Fully agreed. I am however worried by the fact that Firefox is basically kept alive by Google. I assume it's just so that they can pretend Chrome isn't a monopoly, but the minute Firefox becomes an inconvenience they can stop financing it. I hope we can find a way for Firefox to sustain itself long term.
cosmic_cheese
It’s a valid concern, and it may not be possible to properly address so long as Mozilla in its current form continues to be the controlling party of Firefox/Gecko. The best scenario might actually be for Mozilla to collapse and some other NPO or PBC with better financial sense to pick up the projects and their engineers.
wmf
Google pays Firefox for traffic acquisition, not out of pity. If Google stopped paying, another search engine like Bing or Perplexity would be happy to take over.
palata
> This is all the more likely now that Google has been emboldened by not having to sell off Chrome for anticompetitive reasons.
Exactly. The only thing that can prevent this behaviour is regulations. But apparently nobody wants to regulate, so we're screwed.
flotzam
"No tags were pushed to AOSP for the July 2025 monthly release of Android. We asked about this on the android-building group but each of our posts was rejected. We emailed people at Google we've previously contacted about mistakes pushing tags but received no response this time."
https://xcancel.com/GrapheneOS/status/1952413110947430786
"July monthly release was not pushed to AOSP and then neither was the August monthly release. September quarterly release hasn't been pushed yet."
strcat
That's about the monthly and quarterly releases of Android, not the Android security patches. The post title is misinterpreting what's wrong. There is a lot wrong but that's not it. The baseline Android security patches are being delayed for Android as a whole, not AOSP specifically.
Not having the very tiny monthly updates pushed to AOSP is an annoyance which will delay a subset of non-security bug fixes until the quarterly releases. It's a bad change, although we know have a good idea why it happened and need the reason it happened to be reversed for them to push those again.
We've been told by multiple people at Google that the quarterly releases would still be pushed and that monthly releases are largely being phased out. However, the quarterly update was not pushed as expected on September 3rd. If it's pushed on Monday, it will be 6 days late. There hasn't been a similar delay for quarterly and yearly releases in the past.
GrapheneOS can still provide security updates but not having the quarterly release is a major problem and it's not clear why it wasn't pushed when they said it was going to be pushed.
There's a separate issue not specifically tied to AOSP impacting security patches which is what the initial part of our reply was about. See https://x.com/GrapheneOS/status/1964754118653952027 for an explanation.
strcat
This is an official response from GrapheneOS:
The title of this post linking our reply is inaccurate and is not what we said ("Delayed Security Patches for AOSP"). It should really be changed from "for AOSP" to "for Android". Security patch backports were pushed to AOSP on September 2nd for Android 13, 14 and 15 as expected. The issue isn't the security patches being delayed for AOSP. We didn't say patches are being delayed for AOSP.
Security patches for Android are being delayed as a whole. The delays aren't specific to AOSP. They're moving to quarterly security updates with 4 months of early OEM access instead of monthly security updates with 1 month of early OEM access. They realize that the patches distributed to OEMs are hardly secret once they're so broadly distributed. Therefore, they've relaxed the rules of the embargo and permitted releases of patches under certain rules without being allowed to providing a description or the sources for the patch. This is ridiculous because it's easy to reverse the patches from binary-only releases.
Google trying to cover for OEMs not keeping up with patches by making it seem as if the patches are now quarterly and largely being delivered on time while actually broadly disclosing them 4 months early and permitting quietly fixing them early.
We posted a much more detailed explanation at https://x.com/GrapheneOS/status/1964754118653952027. It would be better to link to our more detailed post.
mdasen
Google sold Android to nerds as open source. We thought that mobile operating systems would be won by the "Linux of mobile OSs."
But Google has made sure that didn't happen and we're left with devices more locked down than the proprietary Windows ecosystem we were hoping to leave in the past - and with a company in charge looking to exert even more power over us than Microsoft did.
arcane23
The trick is adding a ton of features which expose extra attack surface that needs them to maintain and fix, under the pretense that it will make everyone's life easier. Make it complicated enough so that the community cannot maintain it, enabling the corporation to throw its weight around.
cosmic_cheese
It’s the perfected form of what MS was trying to achieve with IE back in the 90s. All the power of a closed source monopoly, further enhanced by friends and foes alike incorporating your tech as a load-bearing pillar of their strategies, with a cloak of plausible deniability in the form of an open source repo protecting you from antitrust enforcement. A true have your cake and eat it situation.
yupyupyups
This is what happened with the Qt app dev framework. The Qt Company delayed releases of LTS updates to non-paying users by 1 year, while not properly dealing with the steady stream of regressions that were affecting normal releases. I quit Qt development partially because I felt that I was dealing with forever-beta software.
But actually, with Qt you do have KDE devs who push their own patches which does help deal with the flaws in the upstream project.
In the Android world, they need more devs doing the same and supporting projects like GrapheneOS with security testing/hardening.
strcat
Note the post title is incorrect. See https://news.ycombinator.com/item?id=45160975. Android patches are being delayed in general, not only for AOSP.
delecti
XCancel link which will show the thread context if you aren't logged in to Twitter: https://xcancel.com/grapheneos/status/1964561043906048183
strcat
Note the post title is incorrect. See https://news.ycombinator.com/item?id=45160975. Android patches are being delayed in general, not only for AOSP.
gessha
> We want to make sure that if you download an app from a developer, regardless of where you get it, it's actually from them. That's it.
In what scenario is this a serious threat because I can't think of any.
wmf
People are installing banking apps that are actually from criminals. Basically app phishing.
dvrj101
> People are installing banking apps that are actually from criminals.
and this identification does nothing about that, this is not to protect users. such phishing are always found on play-store alone.
OutOfHere
Let's not call them banking apps. They're not. They're scam apps.
The problem represented in the tweet is deeper. It is about not receiving patches which means the device is basically unsafe to use altogether.
charcircuit
It sounds like EV certificates, and it turned out that in practice no one cared about id verification.
null
arcane23
Seems like there needs to be a split of both hardware and software. Mobile phones morphed into something else lately. Not all of us need all the features of a smart phone, but still need a comms device. We need a simpler OS with simpler hardware that focuses on comms and less features. Simpler OS, lower attack surface, simpler to maintain without the help of a gigantic corporation. I don't need a supercomputer in my pocket.
gruez
>Not all of us need all the features of a smart phone, but still need a comms device. [...] I don't need a supercomputer in my pocket.
What's stopping you from using a feature phone?
markus_zhang
I don’t even want a smart phone if the banks/trading firms don’t force me to use a phone for auth. I keep a used smart phone for company stuffs (again auth) and bank stuffs.
arcane23
Security/privacy?
gruez
So you want a $100 feature phone that has serious security features like monthly security patches and dedicated security coprocessors? It's tough to make the economics of that work out. All the serious security features costs money to implement, either in the form of development costs or added costs to the BOM. Those costs can be absorbed if you're selling a $600 phone, but not a $100 phone. If you try to add those features to a $100 phone, it'll end up making the phone more expensive, which means nobody but security freaks would buy your phone, and you lose economies of scale that's needed to make a phone at all.
Back to your point, there's already a "split of hardware and software" in the PC market, and we know how it works out. Security there is a joke. Windows might be getting monthly security patches, but the same can't be said of the panoply of third party drivers/firmware. Whenever microsoft tries to push for better security they get shouted down by people claiming it's some sort of conspiracy to implement DRM.
palata
The only reason that would make me fear from an antitrust judgement splitting Android from Google is that it may lose the Google contributions to AOSP.
Google is more and more showing that they really don't want to contribute to AOSP.
So for me, Android should be split out of Google. Maybe the other Android manufacturers will start contributing to AOSP, and maybe Android will die. But let me be honest: if Google keeps going this way, I will move to an iPhone (and I've been using and developing for Android forever). We may as well try the split, and if it fails I'll end up with an iPhone anyway.
strcat
Note the post title is incorrect. See https://news.ycombinator.com/item?id=45160975. Android patches are being delayed in general, not only for AOSP.
neilv
Looks like PostmarketOS (mainline Linux for phones, with choice of frontend, such as Plasma Mobile or Phosh) has demoted all their previous "Main"-tier devices to "Community" or lower tier:
https://wiki.postmarketos.org/wiki/Devices#Main
Anyone know whether this is a sign of a push for being daily driver quality? Or a sign that volunteers previously doing promising work have drifted away, and they're acknowledging that?
Arnavion
I am the pmOS maintainer for the PinePhone. It was demoted from main to community because I was the only maintainer and one of the criteria for main is to have two or more maintainers. ( https://gitlab.postmarketos.org/postmarketOS/pmaports/-/merg... ) Originally many pmOS core devs were maintainers, which is why it was in main, but they all lost interest and it was about to be demoted to testing / unmaintained, so I volunteered to become the maintainer to stop that from happening.
A blanket statement of a phone being "of daily driver quality or not" is impossible to make because everyone has different expectations of a "daily driver". I have been daily-driving the PinePhone since 2021 (it is my first and only smartphone) but that doesn't mean everyone else will be happy with it.
fabrice_d
Main is described as "The most supported devices, with all the features and stability you'd expect from a regular OS."
Unfortunately there was/is no device supported by postmarketOS that fits that description. You'll need at least good telephony support including 4G features like VoLTE, proper camera support (not potato polaroid from the 80s quality), Wifi, Bluetooth, geolocation, working GPU acceleration, media hardware decoders, decent battery life. And I'm probably forgetting a few things.
Let's hope that initiatives like https://liberux.net/ will help make a fully working, long lasting device available!
palata
Unfortunately, and as much as I like Linux for phones, I think it's very, very far from AOSP. It completely misses the AOSP security model and the apps (no, I don't believe that running waydroid on Linux is entirely viable, otherwise instead of Linux for phone we would have Waydroid as an alternative to Android).
I think the only realistic alternative would be to build upon AOSP properly, with Google being just a contributor instead of the owner. But it cannot come from a community fork by someone in their garage, it has to come from Android manufacturers. I was hoping that Huawei would start something like that, instead they went with their own HarmonyOS.
null
null
charcircuit
Security of the Android ecosystem should not be compromised just to make the lives of Googlers easier in handling the public, internal, and pixel branches of AOSP.
Edit: The HN title is false and security patches were released. But this is more about Google trying to appease OEMs who aren't capable with keeping up with a monthly OS release schedule.
FYI the poster this story links to says that this title is incorrect:
https://x.com/grapheneos/status/1964757878910136346?s=46
They say this:
Our reply here was linked on Hacker News with an inaccurate title ("Delayed Security Patches for AOSP"). Security patch backports were pushed to AOSP on September 2nd for Android 13, 14 and 15 as expected.
More information is available at x.com/GrapheneOS/sta… explaining the situation with security patches. It would be better to have a thread linking to that instead. We have early access to the security patches, but we can't break the embargo. We can only release the sources once source release is allowed. We could make a security preview branch but the system simply doesn't make sense.
Android 16 QPR1 is a new major release, not a security patch release. Our reply is talking about 2 different issues. Android 16 QPR1 is what was delayed for AOSP and we don't currently know why. It's possible it was a mistake and it will be pushed on Monday.