Industry News

Google does a U-turn over Android Lollipop full disk encryption

Ever felt let down by someone who you made a promise, and then broke it?

That’s what millions of Android users must be feeling right now when it comes to Google and Android.

Last September, Google announced that mobile devices running the new version of Android (5.0, also known as Lollipop) would have full-disk encryption enabled by default.

lollipop

Here is how Google announced the news to the media in a statement:

“For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement. As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.”

And each of every one of us who cares about security and privacy said, “This is a good thing. Well done Google.”

The news of the “encryption-by-default” was reaffirmed in a blog post from Google’s Android team in October last year:

More secure, from the first time you turn it on
People use safes and combination locks to protect their physical goods. With digital information, encryption acts like a safe to protect your information from thieves and snoops. That’s why we’ve worked hard to provide this added security for our users, which will now be the default from the moment you power on a new device running Lollipop, keeping your data safer without needing you to fiddle around in the settings. Full device encryption occurs at first boot, using a unique key that never leaves the device. This is the safest way to encrypt your device, which is why it’s how we’ve built encryption on Android since it first launched three years ago.

It all sounds good, right? Wrong.

Because we were a little hasty in breaking open the champagne last year, as Ars Technica has discovered that Google has quietly gone back on its promise and not all new Lollipop devices are going to have encryption by default.

It turns out that while Google’s own Nexus 6 and Nexus 9 devices do indeed have encryption enabled by default, other older devices upgraded to Lollipop are not so lucky.

Furthermore, brand new third-party Android devices (such as the second-generation Moto E and Galaxy S6 demonstrated at Mobile World Congress in Barcelona) are also not encrypted by default.

The discrepancy between what Google said last year and what is now being seen on third-party Android Lollipop devices is explained by the OEM guidelines that manufacturers must follow to have their Lollipop devices approved by Google:

fde-guidelines

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data patition) as well as the SD card partition if it is a permanent, non-removable part of the device.For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.

In other words, the manufacturer still has a choice whether they currently enable full-disk encryption or not. And performance issues may mean that some third-party Lollipop devices will not yet have encryption by default.

Ultimately there was a battle between security and performance. The full-disk encryption may have had too much of a hit on some devices, and so Google – fearing resistance from both customers and manufacturers – made the requirement optional. For now at least.

So, if you want your Android to be fully encrypted you will still have to enable the option for yourself.

Let’s hope not too many people have been lulled into a false sense of security by Google’s statements of last year.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

4 Comments

Click here to post a comment

Leave a Reply to Anon Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • “Because we were a little hasty in breaking open the champagne last year, as Ars Technica has discovered that Google has quietly gone back on its promise and not all new Lollipop devices are going to have encryption by default.”
    Reaction: this better be because of a hardware limitation. But then it seems it is related to performance. Okay, it is true there is overhead. But why not work with the manufacturers to support this? That’s google for you, I suppose.

  • So Graham, my questions are, for a lay person like myself – how do i tell if my Sony Android has encryption? & if it doesn’t how do i enable it?

  • Beverley, there is the option to check if your device is encrypted in the Android menu. But please don’t be lulled into a false sense of security. Encryption on a handset WILL CATEGORICALLY NOT stop your device data being read.

    Let me give you this quote, it saves me explaining it:

    “The thing with FDE is that it’s essentially useless/a dangerous placebo unless you manage the encryption key, in the form of a strong password, a key fob, or something similar. If the key is built into the product you’re using: phone, laptop, Amazon S3 bucket, or what have you, the encryption is effectively useless, and only serves to provide a false sense of security and checkmarks in compliance spreadsheets. Military-grade encryption just doesn’t matter if an attacker has access to the key,” said Patrick Nielsen, senior security researcher at Kaspersky Lab.”

    Basically encryption on a mobile device is SECURITY THEATRE!