Savvy Android users know that Apple’s face-to-face with the FBI is only the beginning of the phone-encryption furor. Google CEO Sundar Pichai voiced his support for Apple and for strong and safe encryption, but he didn’t give specifics on how Google would deal with this situation if it were in Apple’s shoes.
That’s because if Syed Rizwan Farook, the San Bernardino shooter, had been using an older Android smartphone, we probably wouldn’t be having this discussion.
Encryption has so far lost out to openness in the Android ecosystem. It’s actually been supported since version 4.0 (KitKat), and the latest iterations of Google’s own Nexus devices have encryption on by default, but the rest of Android has been slower on the uptake, especially internationally.
“Android is different because the entire ecosystem is fragmented,” explained Mike Murray, VP of security research at Lookout. “The version of Android that Samsung installs on their phone is different than the version that Google installs on their phone and it’s way different than the third party aftermarket vendor who’s building low-end phones in India or China.”
It’s those smaller manufacturers making budget devices that have especially stymied Google. They fear that onboarding mandatory encryption will hamper their phones’ performance—for example, lower-end processors can struggle with the encrypt-and-decrypt process. But as standards for processors improve, there’s little reason why encryption could not become the norm when you got a new smartphone.
So many Android phones, so little encryption
Google tried again, making encryption mandatory across the board late last year with Android 6.0 Marshmallow. But there’s another flaw in this plan: Only 4.6% of the Android landscape is running Marshmallow (as of this writing), and the compulsory encryption rule applies only to new phones running 6.0, not older phones that have been upgraded (it’s optional in that case). Once again, Android is a patchwork.
On-by-default makes a huge difference in how a person uses a device or an app. Typically, people don’t change the settings much unless they have something specific in mind. By having encryption off by default, a large number of users likely remain unencrypted and oblivious of their vulnerability.
“Every company manufacturing devices that store sensitive data should be using full disk encryption by default,” said Evan Greer, campaign director Fight for the Future, which staged rallies in support of Apple. She added that corporations need to shoulder more of the responsibility in encrypting devices. “We need to build a movement to hold companies accountable and demand that they do everything technologically possible to protect our private information from hackers, and from illegal government surveillance.”
Google’s commitment to privacy is regularly challenged, whether it’s in the company’s expansive use of user data, or more specifically in a Manhattan DA report that claimed Google could remotely access most Android phones.
Android security boss Adrian Ludwig fired back, saying Google cannot access any device protected with a PIN, password, or fingerprint. “Google also does not have any mechanism to facilitate access to devices that have been encrypted,” he said.
Shut the back door
But could Ludwig’s claim be put to the test sooner rather than later? We know the San Bernardino case was never about just one iPhone or Apple. As Fight for the Future’s Greer reminds us, it’s about the FBI’s desire to set a “dangerous precedent” that would be felt for years to come. Enabling end-to-end encryption for all users is just one way of ensuring this doesn’t happen.
“Assuming Android improves their security and become harder to hack, it’s not a question of if the US or other governments will try to force them to weaken that security,” said Greer. “It’s a question of when.”