strcat 2 days ago

No, but Google has significantly downgraded security from what it used to be, and Apple isn't sharing security patches very broadly outside their company 4 months ahead of fixing them. They don't have partners to share it with. That's not to say there aren't people in the company leaking them, but they likely don't take that long to fix most patches. We considered the Pixel stock OS largely competitive with iOS on security, but recent changes, including but not limited to this, are changing our mind. Both the Linux kernel and Google with Android are doing a horrific job with security. Apple has their own issues, but it's not this embarrassingly bad and is getting consistently better. Google could easily provide strong security for Pixels and AOSP but is downgrading them to appease OEMs failing to keep up with the previous, already bare-minimum patch system they were expected to follow.

An issue reported to Google 3 months ago and fixed today would likely get disclosed to partners around November 2025 or December 2025 and then officially fixed in March 2025. It's not just 1 month of early access for OEM partners now but rather around 4 months. Patches are artificially delayed beyond the time to fix them by 4 months. This is completely ridiculous. Google also doesn't control the patch releases for many projects such as the Linux kernel and many other external projects they use. This means they're always going to be at least around 4 months behind on including a small number of patches for those projects as mandatory to fix for Android OEMs. The bar for Android OEMs was already ridiculously low and they've made it far lower. It's dragging down the Pixel stock OS with it to a significant extent.

Google realizes this system is horrible and has therefore added a binary-only exception to the embargo which is a complete joke since they know it's easy to reverse the patches. However, it's not really being used in practice. It's just an option to ship binary-only patches without the long delay now. We have this option for GrapheneOS since we do have access to the partner bulletins via an OEM partner. We could also ask our OEM partner not to share them with us and instead obtain them another way with no NDA to publish them right away. We haven't asked for the December patches yet since we haven't decided how to handle it. The current embargo would allow us to publish a special delayed source release variant of GrapheneOS this month with December 2025 patches, but we want to provide source code for all our releases and do not want to have a special variant of the OS needed for the latest Android patches. With how broadly they've distributed the December 2025 patches, they can't seriously be considered private and it should be permitted to simply ship them now.

Android's partner licensing people are destroying the security work. Play Integrity API is similar pretend security, actually just enforcing Google's partner licensing model while disallowing the use of much more secure devices. That's highly anti-competitive, and so is what they're doing with security patches. Both should result in substantial regulatory action against them, and perhaps it will, but it will probably come a very long time from now when the damage is done.

palata a day ago

> Both should result in substantial regulatory action against them, and perhaps it will, but it will probably come a very long time from now when the damage is done.

Instead of focusing on ChatControl, the EU should look into that...

rs186 2 days ago

Thanks, very informative