Google’s Android operating system dominates smartphone usage throughout the world — in every region except North America and Oceania, in fact. Thus, businesses in many regions are likely to support and issue Android devices to employees as their mainstay mobile devices. Even in areas where Apple’s iPhone dominates or is comparable in market share, businesses are likely to support or issue Android devices at least as a secondary option.

But Android security has long been an IT concern, despite significant security improvements made to the platform a decade ago in response to security standards put in place for iPhones, which quickly gained the security seal of approval as a result. That makes the buying and support decision around Android phones more complex for CISOs — whether as corporate-liable devices (that is, the devices that enterprises buy for their employees) or as employee-liable or bring-your-own devices (BYOD) that IT allows access at least to work email and calendars, and often to web-based services.

This article surveys the key considerations for Android security and then classifies the major Android vendors based on security level to help narrow IT’s purchase and support choices. (Our sister publication Computerworld details other enterprise buying considerations for Android devices.)

Security considerations for Android devices

Apple tightly controls the iPhone and its iOS operating system, which gives the CISO strong assurance about software updates, security patches, and manageability. By contrast, the Android world is highly diverse, with dozens of manufacturers using Google’s Android platform but offering varying levels of quality and support, and in many cases few or inconsistent OS and security updates.

In the early days of Android, security was a major IT concern for the emerging smartphone market.
Research in Motion’s BlackBerry had set high standards in the 1990s and early 2000s for mobile security, whereas the early Android (and iOS) devices fell far short of IT expectations.

Apple and then Samsung moved to make mobile security at least as good as BlackBerry’s in the early 2010s, and Google followed suit a few years later by making encryption standard in Android and then making container-based separation of work and personal data and apps a standard part of 2015’s Android 5.0 Lollipop OS. By 2017, the Android platform had strong security capabilities. More sophisticated capabilities became available through both hardware and software extensions, such as Samsung’s Knox platform in 2013 for its enterprise devices and Google’s Android for Work (later renamed Android Enterprise) for the rest of the Android world. Android Enterprise support became a standard feature in 2018’s Android 9.0 Pie.

Today, IT can count on all Android devices having the basic level of security needed. But some users — such as high-level executives who deal in sensitive corporate data, or operations staff managing critical infrastructure or supply chains — need more security.

The availability of Android vendors varies widely across the globe, so the choices of suitably secure devices where your organization operates also vary; our sister site Computerworld has outlined in which markets Android vendors have significant presence to guide you to the likely candidates for your business.
Based on StatCounter data, 13 current Android vendors have 1% or more usage share in at least one region:

- Google
- Huawei
- Infinix Mobility
- Itel Mobile
- Lenovo-owned Motorola Mobility
- Nokia
- OnePlus
- Oppo
- Realme Chongqing Telecommunications
- Samsung Electronics
- Tecno Mobile
- Vivo Mobile Communication
- Xiaomi

Google has a certification called Android Enterprise Recommended (AER) that focuses on enterprise concerns around performance, device management, bulk device enrollment, and security update commitments. Google publishes an AER tool to help IT see which devices meet that certification in various regions, as well as explore supported Android versions and end dates for security updates. Just keep in mind that the AER tool’s results can be out of date and incomplete, so do not rely solely on it.

There are three Android security levels to consider, and many organizations will need more than one in place to cover different sets of employees.

Basic Android security defined

This level is appropriate for personal devices permitted to access basic corporate systems like email. The basic security level provides device encryption, password enforcement, remote lock and wipe, and sandboxed execution of security functions. All current Android devices support this level, with even just a basic management tool like Google Workspace or Microsoft 365 in place.

Moderate Android security defined

This level is appropriate when IT requires or allows personal devices to be used for corporate access and apps, as well as for corporate-issued devices that are also allowed to be used for personal purposes. The moderate security level provides the basic level plus separation of work data and apps from personal data and apps via containers, through a unified endpoint management (UEM) platform that supports Google’s Android Enterprise platform or, for Samsung devices only, the Samsung Knox platform.
Tip: Compare the leading UEM platforms’ capabilities in Computerworld’s guide.

All current Android devices with at least 3MB of RAM support work/personal separation, but some UEM platforms may require that the devices run newer versions of Android than are deployed at your organization.

Advanced Android security defined

This level is appropriate for executives, human resources professionals, finance professionals, and anyone dealing with critical data and systems access, such as in government, defense/military, finance, healthcare, and critical infrastructure like utilities, energy, and transport. The advanced security level provides the moderate level plus chip-based security enabled to reduce unauthorized access by spies and hackers, as well as compliance with the US’s recent Common Criteria security standard.

Chip-level security detects hacks to the operating system, firmware, memory, and other core systems, and locks down or shuts down the device as a result, via Android’s Keystore service. Such hardware-level security is not an Android Enterprise Recommended requirement, but it is essential for military-grade security.

Only a few devices use chip-level security to protect system integrity: Samsung’s Android Secured by Knox phones use Arm’s TrustZone chip for their Trusted Boot, Google’s Pixel series uses its own Titan M chip for its Trusted Execution Environment (TEE), and Motorola says all its Android devices use Arm’s TrustZone chip for its Strongbox. (Apple’s iPhones have this capability too, via the Secure Enclave.) The other Android vendors did not respond to my inquiries about their security capabilities but appear not to support hardware-based security, based on their websites’ specification data.

Common Criteria imposes specific security approaches that the US government thus knows it can rely on across devices.
Although also not an Android Enterprise Recommended requirement, Common Criteria is a good advanced-security standard for IT to use anywhere in the world.

Android models from multiple vendors comply with Common Criteria: a few from Google, Huawei, Motorola, Oppo, Samsung, and Sony, as well as some front-line specialty devices from Honeywell and Zebra Technologies. (Filter by “Mobility” in the Common Criteria web tool to get the current list.) Apple’s iPhone also complies.

Government security certification for Android devices

Organizations may want to look to government certifications to determine their Android device selections for sensitive uses. When Apple and Samsung both gained US Defense Department, UK Government Communications Headquarters (GCHQ), and Australian Signals Directorate approval for use of their enterprise-class devices in the mid-2010s, it was huge news — breaking BlackBerry’s longstanding monopoly on government approval.

Today, such announcements are rare, and governments instead focus on ensuring that approved UEM platforms are in place to manage the widely used iPhones and Android phones. Recently the US Department of Defense has approved several Samsung phones and some front-line Android devices from Honeywell and Zebra Technologies for sensitive uses, as it moves to using the Common Criteria standard. The Australian Signals Directorate has approved several Samsung phones recently as well.

Security and OS update assurances for Android devices

IT typically wants assurances that devices will get security updates and OS updates for several years, to reduce the risk of being hacked via old devices that haven’t kept up their defenses. Google’s Android Enterprise Recommended certification requires only one future OS upgrade.
For security updates, it has no minimum, requiring only that vendors publish their update commitments on their websites — and that information can be hard to find.

In my survey of Android vendor sites, three to five years is typical for Android security update commitments on business-class devices, and one to three future Android OS versions is typical for OS updates. (By contrast, Apple typically provides seven years of security updates and five years of iOS updates.) The stingiest Android vendors in terms of OS updates are Motorola, Oppo, and Xiaomi, which commit to just one major Android upgrade for their enterprise-class models. Google and Samsung have the best update commitments.

Vendors’ published update commitments for business-class Android devices include:

- Google: five years of security updates, three years of OS upgrades
- Motorola: three years of security updates, one year of OS upgrades
- Nokia: three years of security updates, two years of OS upgrades
- OnePlus: four years of security updates, three major OS upgrades
- Oppo: three years of security updates, one year of OS upgrades
- Realme: three years of security updates, two major OS upgrades
- Samsung: “at least” four years of security updates, three “generations” of OS upgrades
- Vivo: three years of security updates, three years of OS upgrades
- Xiaomi: three years of security updates, one major OS upgrade

I could not find update information at the Huawei, Infinix, Itel, and Tecno sites, and the companies did not respond to my requests for information.

For certified devices, you can also use Google’s Android Enterprise Recommended tool to narrow down by what date various vendors’ specific models’ security updates will end. Just keep in mind that the tool may not list recent models.
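As an added example (not from the article or any vendor), the following Python check applies the security-update commitments listed above to a device inventory. It assumes a release date and the device's reported security patch level for each device (constructed sample values; on a real device the patch level is what `adb shell getprop ro.build.version.security_patch` reports), and flags devices that are past the vendor's committed window or whose patch level has fallen more than 90 days behind.

```python
# Added example: check a fleet against vendors' published security-update
# commitments. Sample fleet values below are constructed, not real devices.
from datetime import date

# Years of security updates per vendor, from the published commitments above
# (Samsung: "at least" four). Vendors with no published commitment are absent.
SECURITY_YEARS = {"Google": 5, "Motorola": 3, "Nokia": 3, "OnePlus": 4,
                  "Oppo": 3, "Realme": 3, "Samsung": 4, "Vivo": 3, "Xiaomi": 3}

def support_end(vendor, released):
    """Date until which the vendor has committed to ship security patches."""
    years = SECURITY_YEARS.get(vendor)
    if years is None:
        return None  # no published commitment (e.g. Huawei, Infinix, Itel, Tecno)
    return released.replace(year=released.year + years)

def patch_age_days(security_patch, as_of):
    """Age in days of an Android security patch level ('YYYY-MM-DD' string)."""
    y, m, d = (int(p) for p in security_patch.split("-"))
    return (as_of - date(y, m, d)).days

def assess(vendor, released, security_patch, as_of, max_lag_days=90):
    """Classify one device as 'unknown', 'expired', 'stale' or 'ok'."""
    end = support_end(vendor, released)
    if end is None:
        return "unknown"   # cannot hold the vendor to a promise it never made
    if as_of > end:
        return "expired"   # commitment window has passed; plan replacement
    if patch_age_days(security_patch, as_of) > max_lag_days:
        return "stale"     # vendor (or carrier) is not keeping the promise
    return "ok"

# Constructed sample fleet: (vendor, hypothetical release date, patch level).
FLEET = [
    ("Samsung",  date(2021, 1, 29), "2023-04-01"),
    ("Motorola", date(2019, 5, 15), "2022-05-01"),
    ("Xiaomi",   date(2022, 3, 1),  "2022-11-01"),
    ("Huawei",   date(2021, 6, 1),  "2023-02-01"),
]

def fleet_report(as_of):
    """Return {status: [vendor, ...]} for the sample fleet on the given date."""
    report = {}
    for vendor, released, patch in FLEET:
        report.setdefault(assess(vendor, released, patch, as_of), []).append(vendor)
    return report

if __name__ == "__main__":
    for status, vendors in sorted(fleet_report(date(2023, 5, 1)).items()):
        print(f"{status:8s} {', '.join(vendors)}")
```

A device that comes back "stale" while still inside its window is the case the survey above cannot reveal: the vendor (or the carrier) is not delivering on the promise.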
I also recommend you verify whether vendors do what they promise by getting some older devices and seeing how recent the available security updates are: Have they kept up the promised duration?

Finally, keep in mind that cellular carriers can slow or block updates in many countries, overriding whatever promises the device vendor has made. For example, Google notes on its Pixel page that Pixel phones bought directly from Google often get updates sooner than those bought through a carrier. That carrier control is a longstanding reality, well pre-dating modern mobile devices, and only Apple has fully wrested control over updates from the carriers.

Buying guide: How Android phones rank by security level

The Android market breaks down into four classes of security assurance, based on how vendors address key enterprise IT security concerns:

- Advanced security: These vendors provide high security levels appropriate even for government and military use and access to sensitive data.
- Moderate security: These vendors provide adequate security levels and adequate update assurance for basic use such as productivity apps and web tools.
- Basic security: These vendors provide adequate security levels but inadequate update assurance.
- Untrusted: These vendors face strong opposition to their use by major governments.

Advanced security: The most secure Android vendors

There’s just one Android manufacturer with global device availability and enterprise-class (even military-grade) security, plus multiyear software and security updates after purchase: Samsung. That makes Samsung the best (and often only) choice for corporate-liable Android devices in every region of the world. Its enterprise-grade models (what Samsung calls Android Secured by Knox) include the Galaxy S, Galaxy A5x, Galaxy A3x, Note, XCover, Z Flip3, and Z Fold3 series.
For these models, security updates are promised for five years after initial release; Samsung publishes the security lifespans for its enterprise-grade devices, which vary by device.

Google’s Pixel 7 series phones are similarly secure. Google, too, promises five years of security updates after initial release. However, the Pixel 7 series is available in just Australia, Canada, Denmark, France, Germany, India, Ireland, Italy, Japan, the Netherlands, Norway, Singapore, Spain, Sweden, Taiwan, the United Kingdom, and the United States.

Motorola’s enterprise-class Android devices, such as the Edge 30 Fusion and Ultra models, are also similarly secure. They’re available in 65 countries, including most of Europe, much of Latin America, Australia, New Zealand, India, China, Taiwan, Hong Kong, South Korea, Japan, Thailand, the Philippines, Malaysia, Saudi Arabia, the UAE, Canada, the US, and the UK. Where Motorola falls a bit short is in update support: It commits to just three years of security updates and to just one major Android OS version update.

Moderate security: The adequately secure Android vendors

The most secure Android devices are often too pricey for rank-and-file employees and for their businesses to buy for users other than executives or those handling sensitive information. Likewise, the most secure devices are often too expensive for employees to buy on their own for BYOD scenarios.

Fortunately, some Android vendors offer a range of inexpensive and moderately priced phones that provide good quality and adequate security: Nokia, OnePlus, Oppo, Sony, and Xiaomi.
Samsung also has several moderately priced phones with adequate security, and Motorola has its Moto G and Edge Neo models for the moderate security level.

Basic security: The marginally secure Android vendors

Although they provide the same standard Android security functions as the devices in the moderate-security group, the Android vendors Infinix, Itel, Realme, Tecno, and Vivo come with two cautions that should lead the CISO organization to avoid them when possible and at most restrict their use to the most basic BYOD scenarios:

- The uncertain level of security and operating system upgrade support, which could allow these devices to fall behind on security even if they initially meet standards.
- As IDC analyst Kiranjeet Kaur noted, they often suffer from application compatibility issues, which indicates poor underlying implementation of the Android platform.

Untrusted: The one Android vendor to avoid

Although based on technical specs it should be in the basic security group, Huawei belongs in the class of untrusted Android devices that IT should not provide or permit access from.

IT will not find Huawei devices in Google’s Android Enterprise Recommended database. Google removed them in 2019 after public allegations from the US government that Huawei devices were spying on users via backdoors on behalf of the Chinese government. These concerns are not new: In 2012, I was having drinks with several US intelligence officials and defense contractors at an off-the-record conference of CIOs where they raised the same fears about Huawei, ZTE, and other Chinese computer and telecom manufacturers. Back then (under the Obama administration), US intelligence officials were quietly warning corporate CIOs about Huawei’s alleged spying operations across its whole technology stack.

Those fears about Huawei allegedly being a conduit for spying are no longer quiet, with both the Trump and Biden administrations since speaking publicly.
Multiple other governments have also made the same accusations, which Huawei denies.

Because Huawei devices are popular in several markets — China, of course, but also in many parts of Africa, Europe, the Middle East, and South America — concerned IT departments may want to use management tools to deny Huawei and other distrusted devices access to their resources. Be sure to check whether your management tool can block access based on device vendor. According to their websites, UEM platforms that can block devices by vendor include BlackBerry UEM, Microsoft Intune, and VMware Workspace One.