Your Ultimate Mobile Tech Source


Your Ultimate Mobile Tech Source

Android’s Enterprise program to switch out security update requirements for mandatory transparency


For two years, Google has been trying to make it easy for businesses to run and deploy reliable Android devices through its Android Enterprise Recommended (AER) program. It’s essentially a collection of certified hardware with certain minimum guarantees: They must be eligible for zero-touch enrollment, carrier-unlocked, and should receive security updates no later than 90 days of release for a minimum of three years. As XDA Developers reports, the latter requirement might soon be significantly relaxed in favor of more nebulous transparency requirements.

According to some leaked, nonfinal documents, Google is looking into dropping the 90-day security update requirement altogether. Instead, manufacturers have a new rule to work with: Transparency. On their websites, OEMs have to publish the date when their participating phone will receive its last security update and which patch is currently available. They also have to share how frequently they’ll update it. The same is true for new Android releases: Customers must be able to know which software the phone initially shipped with, which version it’s currently on, and which update you can expect to be the last.

The mandatory 3-year support for Emergency Security Maintenance Releases (ESMR) remains active, though. That means that critical security flaws must be patched for at least three years, even if the phone doesn’t receive regular system updates any longer.

Take a look at the leaked table below for all the minuscule changes. If you wonder why it says “30-day security updates” and not 90 in the Android 10 section, it seems like Google has updated the requirement to be more rigorous, but has only informed manufacturers, not the general public.

Serial Number
Attribute and Implementation
Q (Android 10)R (Android 11)
Device Security1MAYOperate an OEM Vulnerability Rewards Program (VRP)Operate an OEM Vulnerability Rewards Program (VRP)
2MAYStrongBox supportStrongBox support
3MAYHardware backed Keystore supportHardware backed Keystore support
4MAYDevice ID attestation supportDevice ID attestation support
5MAYKey attestation supportKey attestation support
630-day security updatesRequirement removedReplaced with Security transparency requirement
7MUST3 yr support for Emergency Security Maintenance Release (ESMR)3 yr support for Emergency Security Maintenance Release (ESMR)Replaced with Security transparency requirement
8File-based encryption – on by default. Uses AOSP implementation.Requirement removedThis is a GMS requirement enforced for all devices
990-day security updatesRequirement removedReplaced with Security transparency requirement
103 year security update support (may sub 3rd year ESMR)Requirement removedReplaced with Security transparency requirement
11Publish latest security patch levelRequirement removedReplaced with Security transparency requirement

Above: Revision to Device Security requirements. Below: New transparency requirements.

Serial Number
Attribute and Implementation
Q (Android 10)R (Android 11)
Security/OS Updates transparency1MUSTMUST publish following updates information on OEM website
– SMR support end-date (last date when the device will receive SMR)
– Latest security patch available
– Frequency of updates the device will receive
– Fixes contained in security patch, including any OEM-specific fixes
Changing the requirement from SMR support to SMR/patches/updates transparency
2MUSTMUST publish following OS information on OEM website
– OS that the device is shipped with
– Current major OS ver
– All major OS version update that the device will receive
Changing the requirement from support to transparency
eg: Pixel 3
– Shipped ver – Android 9
– Current Ver – Android 10
– Expected major ver – Android 11
3MUSTSubmit the device to IoXT certificationIoXT scoring adds to transparency

Keep in mind that these are just proposed changes. The new rules aren’t carved in stone, and Google might decide against them before it publishes the next finalized version of the AER guidelines. We can also only speculate as to why Google considers making the rules less strict. It’s possible that these requirements are now part of the secret contract Google and manufacturers enter when they want to use Android. We once had a glance at such a document back in 2018, when a leak showed that phones had to be updated for at least two years. If that’s the case, the extra requirement for the AER program would be unnecessary.

In the end, the transparency requirement could be beneficial for all phone owners — we’d finally be able to reliably find update information on all manufacturers’ websites, helping us judge which phones will be the most secure and long-lasting.

Leave a Reply

Your email address will not be published. Required fields are marked *

9to5mac-daily:-june-29,-2020-– iphone-12-in-box-accessories,-more

9to5Mac Daily: June 29, 2020 – iPhone 12 in-box accessories, more


Monday deals: Apple Watch Series 3 $169, new Anker sale from $10, MacBook Pro, more

Back to Top
Send this to a friend