Over-the-Air Updates

Software updates are an important aspect of the Android platform. Android devices can receive and install over-the-air (OTA) updates to system and application software.

Note: Google takes security patch backporting seriously. Security patches are applied to previous Android releases. For details, see Security Updates and Resources.

Standard Android OTAs

Device updates use the following workflow. For more information, see OTA Updates:

  1. Notification. A device is notified when a new build is available.
  2. Download/Verification. If the device is in a state that enables it to receive the update, the update is downloaded and verified using a cryptographic signature.
  3. Recovery. The device reboots into recovery mode, a limited and restricted environment separate from other Android partitions with its own kernel image and RAMdisk. Recovery mode verifies the OTA binary blob and applies the updates to system, vendor, and boot partitions.
  4. Installation. The installation process depends on the type of OTA design on the device. A/B updates are typically installed while Android is running and operational. Non-A/B updates are installed when devices are running in recovery mode.
  5. Boot. When the update is complete, the device boots up normally and the updated partitions take effect.
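
The verification step above, as an added example (not code from this page or from AOSP): a Python version of the structural check that precedes signature verification, which locates the signature blob and the exact bytes it covers and rejects malformed packages. It assumes the whole-file signing layout in which the signature sits in the ZIP archive comment and is located by a 6-byte footer; that layout, the function names and the sample bytes are assumptions of this example, and checking the extracted signature against trusted keys is outside it.

```python
import struct

EOCD_MAGIC = b"PK\x05\x06"
EOCD_HEADER_SIZE = 22  # fixed part of the ZIP end-of-central-directory record
FOOTER_SIZE = 6        # u16 signature_start, u16 0xFFFF, u16 comment_size

class OtaFormatError(ValueError):
    """The package lacks the expected signed-comment layout."""

def split_signed_package(data: bytes) -> tuple[bytes, bytes]:
    """Return (signed_region, signature_blob); raise OtaFormatError if malformed."""
    if len(data) < EOCD_HEADER_SIZE + FOOTER_SIZE:
        raise OtaFormatError("package too short")
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        raise OtaFormatError("footer marker missing")
    if not FOOTER_SIZE < sig_start <= comment_size:
        raise OtaFormatError("signature offset outside the comment")
    eocd_size = EOCD_HEADER_SIZE + comment_size
    if eocd_size > len(data):
        raise OtaFormatError("comment larger than the file")
    eocd = data[-eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        raise OtaFormatError("EOCD record is not where the footer says")
    # A second EOCD marker in the comment could make a ZIP parser read a
    # different archive than the one the signature covers.
    if EOCD_MAGIC in eocd[4:]:
        raise OtaFormatError("EOCD marker inside the comment")
    # Signed bytes: everything before the 2-byte comment length field.
    signed_len = len(data) - comment_size - 2
    return data[:signed_len], data[-sig_start:-FOOTER_SIZE]

def build_sample(note: bytes = b"signed by example\x00") -> bytes:
    """Constructed package: fake body, EOCD record, placeholder signature."""
    sig = b"\x30" + b"S" * 31  # placeholder bytes, not a real signature
    comment_size = len(note) + len(sig) + FOOTER_SIZE
    footer = struct.pack("<HHH", len(sig) + FOOTER_SIZE, 0xFFFF, comment_size)
    eocd = EOCD_MAGIC + bytes(16) + struct.pack("<H", comment_size)
    return b"constructed-zip-body" + eocd + note + sig + footer

if __name__ == "__main__":
    signed, sig = split_signed_package(build_sample())
    print(len(signed), "bytes signed;", len(sig), "byte signature blob")
    try:
        split_signed_package(build_sample(note=b"x" + EOCD_MAGIC))
    except OtaFormatError as exc:
        print("rejected:", exc)
```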

Android Automotive OTAs

Android Automotive OTAs differ slightly in the Download step due to support for Garage Mode. Moreover, as part of the update, the car manufacturer may update other components (ECUs) in the car in addition to the Android device. For the:

  • Notification. Vehicle users get a notification when a new update is available. Notifications can be received in the field (while the vehicle is away from the home Wi-Fi) just like other notifications.
  • Download. When the vehicle is connected to a network, it downloads the OTA binary blob. Based on the implementation, Garage Mode may allow the vehicle to continue downloading the data or installing the update even when the vehicle ignition is turned off. Updates through USB may be allowed by the manufacturer. If USB updates are supported, users can download the update to a USB stick and then plug the USB stick into the system.

The remaining update workflow (verification, recovery, boot) remains identical to the standard Android OTA workflow.

Note: An OTA update is the only way to update the OEM-signed car service module (no sideloading allowed). This restriction ensures updates can be performed in a reliable manner. If the car service module is modified outside of an OTA update, subsequent patches may not be applied correctly and could cause system instability and insecurity.

Additional OTA Security

Android Automotive updates also include support for:

  • File-based encryption. Prevents re-flash attacks that replace the system image with something else. File-based encryption also allows more than one user to be protected as encryption is no longer based solely on a boot time password. For details, see File-Based Encryption.
  • Verified boot. Ensures a malicious Android system image cannot be flashed to the device, protecting the vehicle from persistent Potentially Harmful Applications (PHAs) and decreasing the potential for vehicle compromise. Android Automotive device types MUST implement and enable verified boot. For details, see Verified Boot.