Google's 'encrypted-by-default' Android is NOT encrypting by default

It's sad that this isn't really a surprise

Updated Last year, Google said Android 5, codenamed Lollipop, will encrypt the contents of smartphones and tablets by default. Now it's had to do some backtracking.

In short, despite Google's boasts that Lollipop will encrypt handhelds' data by default "out of the box," that simply isn't being enforced on all devices running Android 5. What happened?

Rewind the clock

Apple put the cat among the pigeons in September when it announced that iOS 8 automatically encrypts files stored on iPhones and iPads.

Only the owners of the hardware are able to unlock their documents – rather than, say, thieves or Apple under pressure from the cops, in theory. And by making it a default, it means less tech savvy people can benefit from the security measure while being blissfully unaware of it.

Days later, Google said it too would follow suit and enable file encryption by default, adding that full-storage encryption had been an option in Android for some time. Indeed, in this Android 4.4 design document [PDF] dated November 27, 2013, Google declared:

If the device has lock screen, the device MUST support full-disk encryption.

By September 2014, to keep up with Apple, that rule had been ramped up from an optional feature to an on-by-default. "As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on," Google spokesperson Niki Christoff said at the time.

And in the present day

Now the advertising giant has climbed down from that vow, leaving it up to phone and tablet manufacturers to enable encryption-by-default (and some of them aren't.)

Some Android Lollipop handhelds, particularly those shown off this week at Mobile World Congress 2015, are simply not automatically encrypting their files by default. That includes the second-generation Moto E and the Samsung Galaxy S6, according to Ars.

Lollipop's design document [PDF] states:

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data, (/datapartition) as well as the SD card partition if it is a permanent, non-removable part of the device [Resources, 107]. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.

Note that full-disk encryption-by-default is still a "should," a recommendation, and that only future versions of Android may enforce it.

So why the change? Well, part of the reason is that Android doesn't have all the drivers to take advantage of AES acceleration in the chips powering smartphones and slabs.

For example, the Qualcomm Snapdragon 805 system-on-chip in the Motorola Nexus 6 will do AES encryption and decryption of data in hardware – which should be fast and power efficient.

However, the driver for that feature is not available to the Android project, so Android 5 must do the by-default-enabled file encryption and decryption in software, which is terribly slow – forcing people to switch it off.

Some manufacturers, fearing a similar performance hit, won't turn on encryption if there's no acceleration available. And Google's allowing them to do just that.

Meanwhile, the Google Nexus 9 fondleslab uses an Nvidia Tegra K1 processor with a 64-bit ARMv8-compatible processor. This architecture has standardized AES encryption/decryption instructions that can be used by Android 5 without a specialized driver.

That means Lollipop happily encrypts-by-default on the Nexus 9.

Who wins and who loses?

This whole mess will make Apple fans very smug. Apple has had a separate coprocessor for accelerating encryption for years, and as a result iOS encryption is a much easier process. Apple has total control of its hardware and OS, whereas Google must rely on its hardware friends to play ball.

Based on what we’re seeing from Android gadget makers at this year’s Mobile World Congress shindig in Barcelona, manufacturers would prefer to leave encryption off. When performance and battery life is such a selling point these days, you need every edge you can get.

Will Google make default encryption the rule, rather than a suggestion as it does today? Almost certainly, but it’ll need some hardware evolution before most Android users get their paws on some serious privacy. ®

Updated to add

Google got in touch with us after publication to say:

In September, we announced that all new Android Lollipop devices would be encrypted by default. Due to performance issues on some Android partner devices we are not yet at encryption by default on every new Lollipop device.

That said, our new Nexus devices are encrypted by default and Android users (Jelly Bean and above) have the option to encrypt the data on their devices in Settings ---> Security --- >Encryption. We remain firmly committed to encryption because it helps keep users safe and secure on the web.

Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022