Google just got called out big time, and frankly, it’s about time someone said it. GrapheneOS, the privacy-focused Android alternative that doesn’t mess around when it comes to security, has thrown some serious shade at Google over what they’re calling “empty promises” on Android security updates.
The story starts with Google’s Sameer Samat recently defending Android’s sideloading capabilities on X, claiming the platform remains committed to protecting users. GrapheneOS fired back with what can only be described as a brutal reality check. They pointed out that Google recently made changes to Android’s security update system that actually make things worse for everyone.
Here’s what’s really happening behind the scenes. Google used to give device manufacturers about a month of early access to security patches before releasing them publicly. Now? They’ve stretched that to a whopping four months. That might sound like they’re being more generous to manufacturers, but GrapheneOS explains why this is actually terrible news.
Those security patches are now floating around to countless OEM partners and their engineers for months before regular users get them. GrapheneOS points out that companies like NSO Group can easily get their hands on these patches during this extended period. Essentially, the bad actors know about vulnerabilities months before they’re fixed for most people.
But wait, it gets worse. Remember how Google promised in June that AOSP releases would continue? Well, they then proceeded to not release July, August, or September updates to the Android Open Source Project. That’s three months of radio silence after publicly committing to the opposite.
I’ve been covering Google’s recent moves quite a bit lately, including their push to make AI the default in Search and their concerning statements about the “rapid decline” of the open web. There’s also the whole mess with Android sideloading restrictions that I ranted about on Tech Issues Today.
All of these pieces fit into a troubling pattern where Google says one thing publicly while doing something completely different behind closed doors.
GrapheneOS isn’t just complaining either. They’re taking action by working on special release channels that could ship December 2025 security patches right now, though they’d have to do it without source code due to Google’s embargo system. They’ve also secured early access to security patches through an OEM partner, which helps them work around some of Google’s artificial delays.
Google frames these changes as being “for security” when they’re clearly making things less secure. GrapheneOS called it exactly right when they said Google’s management has “overruled the concerns of their security team and chosen to significantly harm Android security for marketing reasons.”
The delays are having real consequences too. GrapheneOS support for new Pixel phones is running behind schedule because Google still hasn’t pushed Android 16 QPR1 to AOSP, despite repeated promises that it would happen. GrapheneOS suspects this might be due to Google laying off too many people, which honestly wouldn’t surprise anyone at this point.
The Android ecosystem deserves better than empty promises.

