Google’s incredibly serious about making Android appealing to the enterprise and the broader universe of business users.

That’s the official company line, at least — and the narrative Google’s been pushing hard since launching its Android Enterprise Recommended program in February 2018.

Android Enterprise Recommended, the company told us, would be a “Google-led global initiative that raises the bar of excellence for enterprise devices and services.” It’d establish “best practices and common requirements” for business-ready Android devices, and it’d ensure any phone with the stamp of approval provided a professional and properly supported experience without all of the common ecosystem asterisks.

It certainly sounds smart and sensible. The enterprise realm in particular is closely tuned into security and data protection, and having workers carry devices that don’t receive timely and reliable software updates — whether we’re talking about the monthly security patches or the bigger operating system releases around them — poses an unacceptable risk for any cautious organization.

Some four years after its launch, though, Google’s Android Enterprise Recommended program seems to have devolved into a mostly meaningless afterthought. There’s a disconcerting disconnect between the program’s front-facing promise and what you find when you dig deeply into its offerings and look closely at what’s actually happening with the devices it’s endorsed.

And for any company that’s relying on that seal of approval as a guide to which Android phones offer an optimally secure and up-to-date environment suitable for enterprise use, that disconnect could lead to some troublingly flawed decisions.

The Android Enterprise Recommended story

I first wrote about the issues with Google’s Android Enterprise Recommended program nearly two years ago, in July 2020. At the time, I noted that the program’s “Devices” page prominently featured some phones that were woefully out of date and in direct conflict with the security-minded promises on that very same screen.

Specifically, as I observed at the time, the first phone listed on the page was the Motorola-made Moto Z4 — a device that was “validated by Google” for meeting its “highest standards,” with “regular security updates guaranteed,” as the page proclaimed.

The Moto Z4, however, had received the then-current Android 10 operating system update more than six months after its release, with absolutely no communication along the way. And reporting at the time indicated it had gone months without any security patch updates and remained perpetually out of date on that front as well.

Now, the truly shocking twist: Pull up that same first-level “Devices” page today, nearly two years later, and what do you see? Yep, you guessed it: the now-three-year-old Moto Z4, still prominently featured as the top device earning Google’s stamp of approval.

JR Raphael/IDG

The Moto Z4, suffice it to say, hasn’t been officially supported with updates for months at this point. Heck, it was barely supported even when it was technically still in line for active ongoing rollouts. And yet, it’s somehow still the top-featured device on Google’s Android Enterprise Recommended website — along with other equally outdated and no-longer-supported products.

And that, unfortunately, is just the tip of the iceberg.

A deeper device problem

Having a prominent introductory page that doesn’t seem to have been updated in years obviously isn’t a good sign for the state of the associated program. But maybe that’s just an oversight. Maybe the database itself is still current and full of meaningful enterprise-ready Android phone recommendations. Right?

Well, maybe. But not exactly.

Make your way over to the full list of Android Enterprise Recommended products, and you will indeed see some more current devices in the collection of approved and endorsed items. For North America, specifically, phones such as the Motorola Edge (2021), Moto G Stylus (2022), and Samsung Galaxy S21 and S22 are all included, as are a number of current Google-made and Nokia-made devices.

I decided to dig deeper yet, though, and see how well some of those products were actually keeping up with the Android Enterprise Recommended promise. And outside of Google’s self-made Pixel products, the answer isn’t exactly uplifting.

The Moto G Stylus, for instance, still hasn’t received the now-seven-month-old Android 12 update as of this writing. Equally unsettling, it’s running a five-months-outdated security patch from December 1, 2021 at this present moment — despite the device’s in-phone System Update screen assuring owners that “everything looks good” and that they’re “using the latest software.”

JR Raphael/IDG

A phone’s price shouldn’t have any bearing on its ability to keep up with this program’s promises, of course, but for perspective, even Motorola’s 2021 Edge flagship — which sells for $700 and launched last September, roughly one month before Android 12’s release — just started getting the Android 12 update days ago, in late April.

Nokia’s devices, meanwhile, seem to be faring much better on the security patch front. I checked out the Nokia G10 as an example and found it to be running the security update from March 5, 2022. Sure, it’s missing the more recent April update, in conflict with its stated promise for monthly security patch rollouts, but it’s at least pretty close to where it ought to be.

But that’s where the good news ends. The Nokia G10 is still running 2020’s Android 11 software as of this moment — a release that’s now nearly 20 months out of date. And as anyone who studies Android closely can tell you, operating system updates absolutely do matter beyond what you see on the surface. They typically contain numerous privacy- and security-related improvements along with critically important changes to the way apps are allowed to interact with devices and sensitive user data.

Neither Motorola nor Nokia has made any meaningful communication to customers about the status of their rollouts, either, or when any progress can be expected.

And remember, the core Android Enterprise Recommended promise is an assurance that you’ll get “timely security patches and clear information about major updates” with any endorsed devices (though amusingly enough, the Android Enterprise Recommended site’s database actually has a built-in filter to identify products where the security update frequency is “not provided,” and it currently features 227 devices with that designation). Beyond that, Nokia’s G10 phone is technically also part of Google’s Android One program for consumers, which has a similar speedy-update promise — though that program appears to be abandoned and no longer actively maintained.

JR Raphael/IDG

Following an initial acknowledgment of my inquiry, Nokia did not respond to multiple requests for comment on this matter. Motorola, meanwhile, provided the following statement via a spokesperson:

We know OS and security updates are important, and we’re constantly evaluating our strategy and working with partners and our internal teams to ensure consumers have the latest and best technology on their Motorola devices. Essential features can also be updated via the Play Store, which allows us to provide key updates more often. Users can expect ongoing support for software features like new My UX experiences, new camera features, and new Ready For experiences, dependent on hardware compatibility. Additionally, we know security is important to our consumers, so we’ve increased [security maintenance release] update support from two to three years to all mid-tier and premium devices.

As for Samsung, after years of dismal software support performance, the company is actually doing a reasonably decent (if still slower-than-optimal) job at keeping its devices up to date and keeping its customers in the loop about its progress. The Galaxy S21, for instance, currently has Android 12 and the April 2022 security patch.

But, somewhat troublingly, all Galaxy phone models rely on the same universal Samsung privacy policy, as Samsung confirmed to me — and that policy, among other things, states that:

• Samsung “may allow certain third parties (such as advertising partners) to collect your personal information.”
• Samsung “may have” previously sold sensitive info to undisclosed third parties — everything ranging from “unique personal identifiers” associated with a device to “records of products or services purchased, obtained, or considered”; “other purchasing or consuming histories or tendencies”; “internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with websites, applications, or advertisements”; and “inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
• Samsung may have also “disclosed” even more personal info to “vendors” for “a business purpose” — including customer names, addresses, phone numbers, signatures, bank account numbers, credit card numbers, purchase histories, browsing histories, search histories, geolocation data, and “inferences drawn” from all of that.

The list keeps going from there, with a whole separate policy surrounding a Samsung software layer that, if enabled, can collect, analyze, and even share user data associated with Samsung’s Galaxy-branded calendar and browser apps.

How is any of that appropriate for enterprise use — or for anyone who’s serious about protecting their privacy, for that matter?

Android enterprise answers

To be fair, Google’s in a bit of an awkward position here. Given Android’s open-source nature and the way device-makers are able to change and customize the core operating system software, there’s no real way Google itself could completely control every aspect of the user experience — including the delivery of updates on devices outside of its own Pixel line.

When I presented some of these findings to the company, a Google spokesperson provided the following statement:

Android Enterprise Recommended provides businesses with an easy way to find the best devices to deploy for their needs. Partners and their devices are assessed and vetted based on a number of criteria, and we’re always working to make improvements to the program. When we become aware of any discrepancies in what partners are reporting through Android Enterprise Recommended, we work with them to bring their devices into compliance with the Android Enterprise Recommended program.

That seems sensible enough, but the fact remains that these issues in the program have been present for years now — and the same device-makers and even specific device models continue to be included in spite of their clear lack of compliance with its parameters.

And that ultimately points us to the real root of the problem.

“The promise of this program is pretty clear,” says Avi Greengart, lead analyst at research firm Techsponential. But, he notes, the program’s effectiveness seems to depend entirely on the individual vendors keeping up with their end of the bargain — and when devices aren’t in compliance, there appears to be no real recourse or actively enforced system for correction.

“It’s not clear to me [that] there’s a process in place that Google has for kicking vendors out of the program, flagging products that aren’t in compliance, and more to the point providing some assurance to enterprises that if they buy this today, it will be maintained,” he says.

So, short of Google turning the ship around and actually starting to enforce its standards, what’s the ultimate answer for companies seeking out guidance on which Android devices will be optimally up to date, secure, privacy-protecting, and generally advisable for enterprise use?

The reality, unfortunately, is that there is no easy answer. Android Enterprise Recommended was created to address that very problem — the lack of clear, official info about which devices can be trusted to provide timely and reliable updates and a fully optimal, enterprise-appropriate setup. And once you realize that the program’s recommendations don’t mean much, there’s little you can do beyond relying on your own experiences with different device-makers and any available research conducted by independent, external sources.

My own Android Upgrade Report Cards speak volumes. The consistent message, year after year, is clear: If you want devices that are guaranteed to remain optimally up to date and with the strongest privacy, security, and performance protections possible, Google’s self-made Pixel phones are the only fully advisable options you should consider.

They use Google’s own core Android software, without the interface-muddying and sometimes privacy-jeopardizing modifications other manufacturers make, and they reliably receive all software updates within days of their release, directly from Google — even when they’re no longer the hot new kids on the block.

For all of its progress as of late, Samsung still doesn’t come close to matching that standard. Its most current top-of-the-line flagship had a 65-day delay in receiving Android 12 in the US, while its previous-gen, just one-year-old flagship phone waited a full 95 days — more than a quarter of a year — to get the latest Android software.

Beyond that, no one else is really even trying.

Android most certainly can be an effective option for the enterprise, and Google’s approach to pulling integral system-level elements out of the operating system and updating them independently, via the Play Store, offers an important and broadly underappreciated advantage over Apple’s all-in-one bundled update approach — even with Apple having the benefit of being the sole device-maker within its iOS ecosystem.

But even with that factor, operating system updates and security patches remain an important part of the overall equation — for anyone, really, but especially for enterprises that require the most current and complete measures and methods of protection. And for now, at least, Google’s Android Enterprise Recommended program simply isn’t an effective way to assess how reliable any given device will be at consistently providing those pieces of the puzzle.