Here in the land o’ Android, wrapping your noggin around the subject of software updates isn’t always easy to do.
We’ve got regular OS updates, sure — and info on the various phone-makers’ performance in that domain is readily available, if you (a) know where to find it and (b) are even aware that you should be looking for such data in the first place. But still, that’s only one piece of the puzzle.
There’s also the ever-increasing array of unbundled “core OS”-like elements to consider — items that were once part of the main operating system but are now handled separately and updated numerous times a year, directly by Google and in a manner that reaches all devices without delay — and then, last but not least, there’s the massive multilayered meatball of Android security updates to take into account.
In a way, Android security updates are the trickiest of all those areas to assess — because, plain and simple, the data on how quickly manufacturers send out such updates over time is difficult to collect and track on any meaningful scale. Android security updates are an important part of the overall Android security picture, though — and while they certainly won’t make or break your smartphone-owning adventure, you absolutely should know what type of experience you’re likely to encounter before you plunk down your hard-earned dollars on a manufacturer’s device.
For the first time now, Google is clueing us in on which phones we can trust to get security updates in a timely and reliable manner. It’s not a direct rating system, per se, but it’s as close as we’ve gotten yet — and it’s invaluable data to keep in mind as you approach your next smartphone purchasing decision.
The Android security update guarantee
Before we dive into the data, we first need to take a quick rewind to set the stage: Back in February of this year, Google announced a new initiative called Android Enterprise Recommended. The program, according to Google, “establishe[d] best practices and common requirements for devices and services, backed by a thorough testing process conducted by Google” — and all devices certified as a part of it are guaranteed to “meet an elevated set of specifications for hardware, deployment, security updates, and user experience to help organizations handle the most challenging and diverse business environments.”
Blah, blah, blah — I know. I honestly didn’t think much about it back when it came along, either.
But then this week, Google announced an update to the Android Enterprise Recommended effort. Nothing earth-shattering, on the surface — just the addition of a handful of new devices into the program. It was a tweet from recently instated Google VP and Android security chief Dave Kleidermacher that caught my eye, though. In it, Mr. Kleidermacher offered up some pretty revealing context about the announcement and what we might take away from the lineup of included products:
Ding, ding, ding! Now, the notion of Samsung’s Galaxy flagships getting consistent timely security patches may be somewhat sugarcoated (and we all know how the company fares when it comes to actual OS updates — right?). But the idea that devices are included in the Android Enterprise Recommended list because they get reliable security updates is an interesting notion to noodle over.
According to the official Android Enterprise Recommended requirements, a phone has to deliver every relevant security patch within 90 days of its release in order to qualify — not exactly a super-strict requirement, given that sending out a security patch within the same month as its release seems like the ideal standard. Google has a list of other requirements, but most of them are factors that any reasonable current phone from the midrange level and up will more or less automatically meet. The security update reliability really is the biggest variable, and it doesn’t seem too far-fetched to think it might be the main determining factor for a device’s inclusion.
(As far as Samsung goes, by the way: Back in February, Google went on the record as saying it “worked closely with Samsung” on the requirements and “invited” the company to be part of the program — and yet, Samsung devices are conspicuously absent from the Android Enterprise Recommended list. Take from that what you will.)
So all of that being said, which devices are included in the list? Here’s the complete collection, as of this moment:
- BlackBerry KeyOne
- BlackBerry Motion
- Google Pixel/Pixel XL
- Google Pixel 2/Pixel 2 XL
- Huawei Mate 10/Mate 10 Pro
- Huawei MediaPad M5
- Huawei P Smart
- Huawei P10/P10 Plus/P10 Lite
- Huawei P20/P20 Pro
- LG G6
- LG V30
- Moto X4
- Moto Z2 Force Edition
- Moto Z3 Play
- Moto G6/G6 Plus
- New Nokia 6
- Nokia 3.1
- Nokia 5.1
- Nokia 7 Plus
- Nokia 8/8 Sirocco
- Sharp Aquos Sense SH-01K
- Sonim XP8
- Sony Xperia XA2/XA2 Ultra
- Sony Xperia XZ Premium
- Sony Xperia XZ1/XZ1 Compact
- Sony Xperia XZ2/XZ2 Compact
Beyond that? Well, you can certainly take your chances. Some phones, such as the Essential Phone, may be missing from the list simply because of their manufacturers’ small size and limited resources — even if they do receive regular security patches, as Essential’s device generally does. But when it comes to the big boys, it’s hard not to read between the lines and wonder what an omission might tell us, especially with Kleidermacher’s comments in mind.
The bottom line is this: If you want an actual guarantee of timely and reliable ongoing security updates, these are the devices that are gonna give it to you — no ifs, ands, or buts about it. For a not-so-inexpensive piece of technology you’re likely to use multiple hours a day for two or three years, that’s a valuable bit of assurance to have.
Sign up for JR’s weekly newsletter to get more practical tips, personal recommendations, and plain-English perspective on the news that matters.