Without a word, Google shelves default encryption on new Lollipop devices

  • Liam Tung (CSO Online)
  • 03 March, 2015 09:41

Google has quietly stopped requiring that Android OEMs enable full-disk encryption by default in new Android 5.0 Lollipop devices, backtracking on its widely publicised plan to make life harder for snoops and police.

Google has put on hold one of its key plans to lock down everything in response to learning of UK and US government hacking and surveillance brought to light by Edward Snowden.

The Android maker announced ahead of Android 5.0’s November release that full-disk encryption would be turned on by default for all new devices that ship with the new OS.

With Apple already having enabled encryption by default in iOS, the FBI feared Google’s decision would lead to a “black hole for law enforcement”in information they couldn’t access. As opposed to user data stored in Google’s cloud, law enforcement would need to ask the device owner directly to access that data.

While the first devices that shipped with Lollipop, such as the Nexus 6, did have full-disk encryption enabled by default, Ars Technica reports the configuration is omitted in Samsung’s Galaxy S6.

Given Google’s emphasis on the privacy enhancement, it would seem odd for it not to notice that the most popular Android series on the market didn’t comply with the rules Google lays out in its Android Compatibility Definition document — a paper it releases for each version of its OS that sets out the conditions for Android hardware makers to be compatible.

As Ars Technica first noticed, it turns out Google has relaxed the rule but hasn’t bothered to communicate this to would-be buyers.

The change came in revisions this January to the Android 5.0 document, which outlined Google’s new stance on encryption. Where once it stated that OEMs “must” enable encryption from the outset, the document now only strongly recommends they do.

The new policy is under section 9.9 of the document, titled Full-Disk Encryption.

“If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data, (/datapartition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience.”

It continues: “While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.”

The question remains why did it tweak such an important part of the document? Did it cave into pressure from the government? Probably not. On the other hand, Google considered it important enough to tell Android users ahead of the launch of Android 5.0, but didn’t tell users when it removed the requirement.

However, a likely reason as to why it changed its stance can be found in two widely reported benchmark tests of the Nexus 6 — one from Ars Technica and another from AnandTech — late last year that revealed the drastic toll on performance caused by full-disk encryption.

While full disk encryption couldn’t be disabled on new Android 5.0 devices, AnandTech obtained a Nexus 6 from Motorola that didn’t have it enabled. The site's tests revealed that the Nexus 6 with full-disk encryption enabled suffered a 62.9 percent drop in random read performance, a 50.5 percent drop in random write, and 80.7 percent in sequential read.

On top of this encryption wasn’t actually enabled unless the user enabled the lock screen. In other words, Google’s mandatory encryption didn’t necessarily improve privacy, but it was guaranteed to cause a significant performance overhead.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)