Is data on your new Lollipop Android device encrypted? Maybe not

Google has relaxed a requirement for manufacturers to turn on encryption by default in Lollipop

Some smartphone manufacturers are not configuring devices running the latest version of Android to automatically encrypt personal data, even though Google had said the release would scramble data by default.

Google has apparently left it up to manufacturers to turn encryption on or off, a surprising change that came after the company pledged last September to strengthen defenses around personal data.

It's unclear why Google did not publicize the change, although it is possible some hardware devices will not perform as well with encryption turned on. Analyst firm Canalys tweeted it was a wise move for Google, as many devices do not have the right hardware to accommodate encryption.

Company officials could not immediately be reached for comment.

The U.S. government has strongly opposed moves by technology companies to strengthen security around data using encryption, arguing it could jeopardize time-sensitive investigations.

Previous versions of Android have had a full-disk encryption feature, but it wasn't turned on by default. Ensuring encryption is on by default helps protect less sophisticated users who may not know such an option exists.

Ars Technica found that Motorola's Moto E and Samsung's S6, which is on display this week at the Mobile World Congress in Barcelona, do not have encryption on by default. The publication noted that Google's Nexus 6 and 9 devices do have it on by default.

A technical document released by Google on Jan. 11 shows how Google softened its requirements. It describes technical specifications that smartphones must meet in order for Lollipop to perform smoothly.

Manufacturers "should" enable full-disk encryption, it said, adding the caveat that Google may change its stance and make it mandatory for future versions of Android. The document does not explain why manufacturers have the option to leave it off for now.

Apple automatically encrypts data in iOS 8 if the user has a passcode enabled. As with Android, the encryption keys are held on the device, which means that law enforcement would have to serve a user with a court order to turn over the password that unlocks the encryption key.

Many technology companies are moving to systems that make it impossible to comply with a legal order to turn over a user's data. That is accomplished by not storing a copy of the private key necessary to decrypt data.

A person served with a court order could claim the password has been forgotten, leaving law enforcement to try to either figure it out through other means or employ special forensic tools to recover data.

Follow me on Twitter: @jeremy_kirk
