Mar 2nd, 2015

Android 5.0 Lollipop DSC07205

In Google’s efforts to make Android a more secure platform, the company once required that all devices with Android 5.0 Lollipop or higher would have key partitions of the system disk permanently encrypted upon first boot. The Nexus 6 and Nexus 9 — the first publicly available devices with Lollipop — sure enough followed suit.

But several other devices to launch with Lollipop since then seem to come without encryption enabled. Many of the newest handsets introduced at Mobile World Congress are also found to have no encryption. So what, exactly, is going on?

Google quietly changed their Android Compatibility Definition policy to say that OEMs are no longer required to enable encryption on their phones out of the box. They still have to support encryption, but there’s nothing that says they have to enable it out of the box.

9.9 Full-Disk Encryption

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data patition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.

Does that mean Google’s vision for an encrypted Android is dead? Not at all. In fact, the company notes that they will be reintroducing the requirement for a later version of Android, and it’s that very reason they urge manufacturers to make a habit of enabling device encryption by default.

So that answers the question of why new devices aren’t coming encrypted out of the box. Now the question changes: why has Google decided to hold off?


The likely answer is that device encryption either isn’t as ready as they thought it was, or that it’s too messy for an OEM to implement if they haven’t designed their phones with the encryption requirement in mind. Device encryption was blamed for the problematic performance issues of the latest Nexus devices (we even showed you how to disable it on the Nexus 6 to boost performance), though Google has yet to confirm whether it’s that feature which causes the issues.

For what it’s worth we’re hearing that many of the issues will be cleared up with the big Android 5.1 Lollipop bug fixer that’s due later this month so perhaps that’s the future version of Android Google is referring to. The delay might also give OEMs more time to adjust their firmware and hardware to handle device encryption more efficiently. Adjustments might include the use of a faster file system and faster flash storage.

Of course, only Google and their OEM partners know the true answer so we’ll have to wait for more details to leak before knowing why, exactly, they’ve decided to shelve the requirements.

[via Ars Technica]

local_offer    Android 5.0 Lollipop