Google has made a subtle but important shift in its requirements for Android handset makers: OEMs building phones that ship with Lollipop are no longer required to enable full-disk encryption by default. This reverses the position the company stated just a few months ago, though experts say it may have little practical effect on user security.
Last fall, Google officials said that new Android devices running version 5.0, also known as Lollipop, would have full-disk encryption enabled by default from the first time they were powered up. Security researchers and privacy advocates praised the move, saying it would give users a key defense not only against attackers but also against surveillance. But they also cautioned that unless the encryption scheme is set up and managed correctly, it would make little difference to users.
“These are definitely some good moves,” security researcher Zach Lanier said at the time of Google’s announcement. “It’s still a little concerning that even though Google is doing encryption by default, users might have a false sense that it’s encrypted and they will not have to set a PIN. If a law enforcement officer walks away with the device and there’s no PIN, there goes your stuff. It’s good that Adrian Ludwig is stepping up publicly and telling users you need to set a PIN.”
The shift is contained in Google’s Android Compatibility Definition Document (CDD), the guide OEMs must follow when manufacturing Android devices.
“If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android,” the document says.
When Google announced that Lollipop would enable encryption by default, as Apple did with iPhones around the same time, law enforcement agencies said the change would put them at a disadvantage and give criminals a place to hide their data. Security experts say that isn’t necessarily true.
“The thing with FDE is that it’s essentially useless/a dangerous placebo unless you manage the encryption key, in the form of a strong password, a key fob, or something similar. If the key is built into the product you’re using: phone, laptop, Amazon S3 bucket, or what have you, the encryption is effectively useless, and only serves to provide a false sense of security and checkmarks in compliance spreadsheets. Military-grade encryption just doesn’t matter if an attacker has access to the key,” said Patrick Nielsen, senior security researcher at Kaspersky Lab.
“This is really problematic on phones because you can’t really use a hardware token, and passwords that are complex enough to be suitable as encryption passwords are too long to type on a phone. Further, it’d be one thing if Android just required you to use a strong password/passphrase when starting up the device, but for some absurd reason they also require that you use the same password as your screen lock password, even though doing so provides no security. If this changed, it would be a noble thing to enable FDE by default during the initial setup – but I’m sure OEMs would still push back since people forget their passwords all the time.”
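To make the key-management point in the quotes above concrete, here is an added example; it is not code from the original article and not Android’s actual on-disk format (real Android 5.0 FDE uses scrypt and, on devices with a hardware-backed keystore, also binds the key to the device). It models a data encryption key (DEK) wrapped under a key derived from the user’s password, and shows the two failure modes the researchers describe: a device “encrypted by default” with no PIN set wraps the key under a fixed, well-known password and gives it up to anyone holding a disk image, and a 4-digit screen-lock PIN reused as the disk password falls to an offline search in seconds. The footer layout, the default-password constant, the KDF settings and the XOR-plus-HMAC wrap are assumptions made for illustration.

```python
"""Toy model of a passphrase-wrapped disk-encryption key (added illustration).

Not Android's real on-disk format: Android 5.0 FDE uses scrypt and, on
devices with a hardware-backed keystore, also binds the key to the device.
The model keeps only the part the article argues about: the data encryption
key (DEK) is protected by nothing but the password it is wrapped under.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed parameters for this illustration. Real deployments use far heavier
# KDF settings; the count is kept low so the PIN search below runs in seconds.
KDF_ITERATIONS = 2_000
# Stands in for "encryption enabled, no PIN set": the wrap password is a
# fixed, publicly known constant rather than a user secret.
DEFAULT_PASSWORD = "default_password"


@dataclass(frozen=True)
class CryptoFooter:
    """Everything stored beside the encrypted partition. An attacker who images
    the device (or walks off with it) holds all three fields."""
    salt: bytes
    wrapped_dek: bytes
    tag: bytes


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> 64 bytes: first half wraps the DEK, second half authenticates it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=64)


def wrap_dek(dek: bytes, password: str) -> CryptoFooter:
    """Wrap a 32-byte DEK under the password. The XOR with KDF output stands in
    for AES key wrapping; the HMAC lets the unwrapper (and an attacker) tell a
    right password from a wrong one."""
    assert len(dek) == 32
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    wrapped = bytes(a ^ b for a, b in zip(dek, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return CryptoFooter(salt, wrapped, tag)


def unwrap_dek(footer: CryptoFooter, password: str):
    """Return the DEK if the password is right, else None."""
    kek = derive_kek(password, footer.salt)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, footer.salt + footer.wrapped_dek, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, footer.tag):
        return None
    return bytes(a ^ b for a, b in zip(footer.wrapped_dek, enc_key))


def brute_force_pin(footer: CryptoFooter, digits: int = 4):
    """Offline search of every numeric PIN of the given length against the
    footer alone: no lockout, no rate limit, nothing on the phone is consulted.
    Returns (pin, dek) or None."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        dek = unwrap_dek(footer, pin)
        if dek is not None:
            return pin, dek
    return None


def candidate_count(alphabet_size: int, length: int) -> int:
    """Size of the search space brute_force_pin would face for a given password shape."""
    return alphabet_size ** length


if __name__ == "__main__":
    dek = os.urandom(32)  # constructed DEK for the demo

    # Case 1: encrypted by default, no PIN. The attacker needs no secret at all.
    no_pin = wrap_dek(dek, DEFAULT_PASSWORD)
    print("no PIN, default password unwraps DEK:", unwrap_dek(no_pin, DEFAULT_PASSWORD) == dek)

    # Case 2: the screen-lock PIN doubles as the disk password.
    pin_footer = wrap_dek(dek, "1234")
    found = brute_force_pin(pin_footer)
    print("4-digit PIN recovered offline:", found[0], found[1] == dek)

    # Case 3: the same loop against a 12-character passphrase faces a search
    # space no offline attacker can exhaust, but nobody types that on a phone.
    print("PIN candidates:", candidate_count(10, 4), " 12-char passphrase:", candidate_count(95, 12))
```

The search in `brute_force_pin` never touches the device, so a lockout or wipe-after-N-attempts on the lock screen does not help once the footer has been copied off; only the entropy of the wrap password (or binding the key to hardware the attacker cannot image) does.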
Despite the shortcomings of the encryption scheme in Android, the decision by Google to make it optional for OEMs is still a net loss for users, said Jon Oberheide, founder and CTO of Duo Security.
“It’s an unfortunate backtrack. It’s likely due to push-back from the OEMs, which may be driven by underlying government and law enforcement pressure. A bad trade-off for security, in my opinion,” Oberheide said.
“Users can still enable encryption manually and organizations can enforce it across their employee devices, but that will have nowhere near the impact of making it a mandatory requirement for all Lollipop devices.”