Android Q Project Mainline status

The Android portion of the two-hour Google I/O keynote was brief compared to previous years, but it included a massive change to the way Google is going to push updates to our favorite OS when Android Q arrives. It's called Project Mainline, and the goal is to update core components of Android through the Play Store entirely in the background without needing to reboot the phone or forcing the user to think about a security patch. This system is separate from the monthly security patch or a system version update, and exists so Google can keep critical parts of the OS safe and updated no matter what phone you are using.

To gain a little better understanding of how Mainline works, we sat down with Google's Iliyan Malchev to learn as much as we could.

Everything Mainline touches, and how it works

Project Mainline is a way to update 12 core components in Android that couldn't previously be touched without a major software update due to how important they were to the function of other parts of the OS. Google separates the list into three categories:

  • Security: Media Codecs, Media Framework Components, DNS Resolver, Conscrypt
  • Privacy: Documents UI, Permission Controller, ExtServices
  • Consistency: Timezone data, ANGLE (developers opt-in), Module Metadata, Networking components, Captive Portal Login, Network Permission Configuration

As you can see, these are all pretty important parts of a functioning phone. To update them without interrupting the normal working order of the phone, Google invented a new container it calls Android Pony EXpress (APEX). This new container is sent through the Google Play Store like it's any other APK (app) file, but when it gets to the phone it actually unwraps to be an entire file system which mounts to the phone to do its job. And like Play Services updates, Mainline updates will be slowly rolled out over the entire Android ecosystem throughout the course of a couple of weeks.

When the update is applied, the user doesn't need to do anything and shouldn't ever know it happened. But in the unlikely event something does go wrong with an update, there's a rollback system in place that preserves user data and reverts back to that known good state when needed — if the update goes properly, the old and new user data merge seamlessly.

So basically, if Google needs to update any of these 12 things for whatever reason, it can do so through the Play Store just like it was updating a part of Google Play Services. And when those updates happen, the user will most of the time be totally unaware it is even happening.

Mainline for every Android phone

You know those times in the past where Google said "hey, we have a cool new way to make updates better" only to have some OEMs say "nah, we're good, let's just never update our phones" and it felt like not a lot of progress was made? Project Mainline doesn't work that way; in fact, it can't. For starters, these modules sit low enough in Android that custom UIs from companies like Xiaomi and Samsung don't get in the way. Additionally, these 12 modules are the result of a lot of negotiation between Google and its partners. The original list of modules supported through Mainline was actually much larger at the start, but it narrowed down to 12 over the course of negotiations.

These 12 modules are updated through the Play Store, which means OEMs need to agree to allow these updates in order to access the Play Store. Project Mainline is a primary part of Android compatibility now, so if your phone is running Android Q and has access to the Google Play Store it is supported through Project Mainline.

For everything that doesn't fall under that umbrella, Google made the APEX container open source, which means it would be possible for nonstandard Android devices to still choose to update critical components this way even if they use something other than the Play Store. This is great news for the Amazon ecosystem, as well as phones released in places like China where the Play Store isn't a guarantee.

Perhaps more important, Google is cool with manufacturers and partners using APEX to deliver updates through the Play Store for their own components. This could mean companies like Samsung would be able to use APEX to update their own system-level apps without requiring a total reboot and update on behalf of the user. In theory, this could also be used by carriers to update network-related things on your phone if it was deemed necessary. None of this is a guarantee, of course, but Google has made it clear there's a lot of potential here for shared use.

The beginning of the future

The underlying mechanics of how Project Mainline works are a lot of deeply technical stuff, but they're ridiculously important to the future of the platform. As Google continues to straddle the line between self-managed ecosystem and open federated platform, negotiating a path forward where features could be added and changed without a full system update, or something like the Stagefright vulnerability could be instantly patched on every phone, is a massive accomplishment. And as our talk with Iliyan made clear, this is just the beginning of what Mainline and its related technologies will be capable of.

It's easy to look at Google talking about system updates and think "yeah yeah, we've heard updates are improving before," but the truth is we've seen steady improvements for years and are only just now starting to see the benefits. And even with that success, it's worth pointing out that Mainline is a genuinely new thing and a massive step towards making sure every user is protected when they need it most.