Last Friday, Google announced a major new initiative that promises to solve one of the many problems that keeps Android phones from being promptly updated. Coming as a part of the forthcoming Android O, Google will soon begin separating the Android operating system from the hardware-specific drivers and firmware on each individual Android phone in a move called "Project Treble." If successful, Project Treble will prevent a repeat of what we saw last year with Android Nougat, when Qualcomm’s unwillingness to support the update on older hardware made it impossible for companies to release the update on older devices even if they wanted to.

But as we wrote last week, this is still just a solution for one of Android’s many update problems. Treble can help OEMs support older hardware for longer and with less effort, and that’s unquestionably a good thing. But the core issue remains: wireless carriers and phone makers are still the gatekeepers for updates, and since they all make their money primarily from selling new hardware, they have little incentive to offer continued support for stuff they’ve already sold—especially once it’s no longer on store shelves.

There are technical and political reasons why Android updates don’t come directly from Google. On the technical side, carriers need to do their own validation and testing to prevent network problems, and OEMs need to make sure that their skins and other differentiating features work with new Android versions before releasing them. Politically, OEMs and carriers don’t want to become “dumb” conduits for Google’s software and services, since it reduces their ability to differentiate themselves from their competitors, and they don’t want to be subject to Google’s every whim or demand.

As long as these realities exist, it may not be possible to put Google in full control of Android OS updates the way Microsoft controls Windows updates on PCs. But Project Treble takes an important step in that direction, and Google should use it to take control of security updates on every phone that runs Android O.

Monthly security updates recapped

Starting in late 2015, Google began releasing monthly security patches for Android that were different from normal OS updates. The patches didn’t increment the operating system version, and they made no changes to APIs or other underlying features. They were totally separate from the underlying Android version, and newer versions of Android even track the monthly patch level (e.g. “December 1, 2016”) separately from the OS version (e.g. “Android 7.1.1”).

The security updates were Google’s response to the “Stagefright” vulnerability, and the monthly patches aim to improve the state of Android security by making it easier to plug holes without requiring a major update. And as in Windows and macOS, Google releases these updates for several older Android versions (Google’s site currently says updates are supported on anything running the circa-2013 version 4.4 and newer).

The problem is that phone makers are still in full control of these updates, and their commitment to actually releasing them is all over the place. Google updates Nexus and Pixel phones and tablets directly, and as long as they’re within their three-year-ish support window you can expect security updates even after Google stops giving you major version updates (for example, the Nexus 9 isn’t getting Android 7.1.2, but you can still download the May 2017 security update for Android 7.1.1). At best, OEMs like Samsung and LG generally release them monthly, but only for “major flagship models;" at worst, companies like Motorola promise “quarterly” updates that they don’t always actually stick to, and good luck getting any kind of commitment at all from no-name phone makers like Blu.

Using a phone that’s more than two or three years old? You get nothing. Using a low-cost phone like the Samsung Galaxy J7 or the LG X Power? Nothing. Using something from a company that doesn’t make Android hardware anymore or that got bought by someone else, like Nextbit? Good luck.

It’s time for Google to own its security problem

Let’s not mince words: Google created Android’s update problem. The company's response to the threat of iOS was to cede a lot of control over the operating systems to carriers and phone makers in the name of amassing as much market share as possible. But times have changed—every competing first- and third-party smartphone operating system from anyone other than Apple is either stalled or dead, giving Google political leverage it didn’t have a few years ago. Plus, Project Treble makes it more technically feasible for Google to update Android directly without fear of bricking the underlying hardware.

Starting with Android O, Google should begin releasing Android’s monthly security updates to phones directly, cutting out carriers and phone makers entirely.

The company shouldn’t have to update phones indefinitely, and it's possible that it would have to do more work to make absolutely certain that security updates wouldn't break phone-specific features (something Windows has managed for years). But imagine if all phones running Android 4.4 and newer were actually getting the security updates that Google is already making. According to the data from Google’s Android version distribution chart, the security updates would cover 89 percent of all Android devices, instead of the infinitesimally small fraction of hardware that reliably receives these updates now. Everybody wins: Google gets a more secure, more unified ecosystem; users get more secure devices that they can use for longer without putting their security at risk; and phone makers no longer have to put in the development effort to test and release these updates themselves, freeing up time and effort to work on major version updates or other software.

Since 2013 or so, Google’s solution to the update problem has been to make more and more bits of Android separate from the operating system itself, beginning with apps and moving on to lower-level stuff like Google Play Services, system webviews, and possibly even API extensions. Security updates should be the next chunk of the operating system that Google takes control of. It’s the responsible thing to do.