Without a word, Google shelves default encryption on new Lollipop devices

Google has quietly stopped requiring that Android OEMs enable full-disk encryption by default in new Android 5.0 Lollipop devices, backtracking on its widely publicised plan to make life harder for snoops and police.

Google has put on hold one of its key plans to lock down everything in response to learning of UK and US government hacking and surveillance brought to light by Edward Snowden.

The Android maker announced ahead of Android 5.0’s November release that full-disk encryption would be turned on by default for all new devices that ship with the new OS.

With Apple already having enabled encryption by default in iOS, the FBI feared Google’s decision would lead to a “black hole for law enforcement” of information it couldn’t access. Unlike user data stored in Google’s cloud, data held on an encrypted device would require law enforcement to ask the device owner directly for access.

While the first devices that shipped with Lollipop, such as the Nexus 6, did have full-disk encryption enabled by default, Ars Technica reports the configuration is omitted in Samsung’s Galaxy S6.

Given Google’s emphasis on the privacy enhancement, it would seem odd for it not to notice that the most popular Android series on the market didn’t comply with the rules Google lays out in its Android Compatibility Definition document — a paper it releases for each version of its OS that sets out the conditions for Android hardware makers to be compatible.

As Ars Technica first noticed, it turns out Google has relaxed the rule but hasn’t bothered to communicate this to would-be buyers.

The change came in revisions this January to the Android 5.0 document, which outlined Google’s new stance on encryption. Where once it stated that OEMs “must” enable encryption from the outset, the document now only strongly recommends they do.

The new policy is under section 9.9 of the document, titled Full-Disk Encryption.


“If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data, (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience.”

It continues: “While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.”

The question remains: why did it tweak such an important part of the document? Did it cave in to pressure from the government? Probably not. On the other hand, Google considered it important enough to tell Android users ahead of the launch of Android 5.0, but didn’t tell users when it removed the requirement.

However, a likely reason as to why it changed its stance can be found in two widely reported benchmark tests of the Nexus 6 — one from Ars Technica and another from AnandTech — late last year that revealed the drastic toll on performance caused by full-disk encryption.

While full-disk encryption couldn’t be disabled on new Android 5.0 devices, AnandTech obtained a Nexus 6 from Motorola that didn’t have it enabled. The site's tests revealed that the Nexus 6 with full-disk encryption enabled suffered a 62.9 percent drop in random read performance, a 50.5 percent drop in random write, and 80.7 percent in sequential read.

On top of this, encryption wasn’t actually enabled unless the user enabled the lock screen. In other words, Google’s mandatory encryption didn’t necessarily improve privacy, but it was guaranteed to cause a significant performance overhead.

This article is brought to you by Enex TestLab, content directors for CSO Australia.



Stories by Liam Tung
