Mobile device security has been a headline topic for a long time now and it’s no surprise. Our mobile devices – chiefly our smartphone – are often at the very centre of our digital lives, containing our contacts, accounts, messages and photographs. There are a few ways to protect our devices and the main one is keeping it safely in your sight and including a lock code. However, sometimes a device is lost or stolen and should this happen, the contents of the device are often readable by plugging it into a computer via a USB cable unless the device has been encrypted. There’s a very simple answer to this: encrypt the device. Android has offered native full disk encryption (whereby the whole device is encrypted and requires a key to gain access) since version 4.0 Ice Cream Sandwich, but customers needed to turn this on and the operation could take several hours. When Google announced Android 5.0 Lollipop, it also announced that full disk encryption would be turned on at the factory.
As you might expect, there is a processor overhead associated with decrypting the disk. The processor has additional work to do when reading and especially writing data to the internal storage. And shortly after the Nexus 6 was launched, several websites ran articles detailing how sluggish the Nexus 6’s storage was. In benchmark comparisons to the Nexus 5, it could be slower. This was not expected from a device based around a more modern Qualcomm Snapdragon processor, especially one that has built-in hardware decryption functionality.
We’ve started seeing new devices running Android 5.0 Lollipop arriving without full disk encryption enabled as standard, in contradiction of Google’s statement as at September 2014. The recently released second generation Moto E doesn’t have full disk encryption enabled at the factory, nor do the Samsung Galaxy S6 demo handsets (although this could change, of course). Upgrading an existing device to Android Lollipop doesn’t enable encryption nor does performing a factory reset, which makes sense if the older hardware wasn’t designed with full disk encryption in mind. But new devices… they were supposed to have full disk encryption enabled as standard.
Back in January, Google relaxed this requirement. ArsTechnica discovered that the latest Android Compatibility Definition Document has a subtle change in wording, whereby device manufacturers are encouraged to enable full disk encryption: “If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data partition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.” This policy is very similar to Android 4.4 KitKat.
At this juncture, we don’t have the official reason why Google changed their policy. I would speculate that it is related to the criticism directed at the Nexus 6’s slow internal storage performance and how Google have yet to implement hardware encryption and decryption in Android: it is likely that storage performance is the reason. This change in policy also gives manufacturers time to prepare their hardware for mandatory disk encryption through incorporating faster memory and using chips better able to deal with the overhead, but Google should release a statement backtracking their change in policy. Given the publicity over enabling full disk encryption from the factory, there may be customers who believe their device is more secure than it really it.
Do you use full disk encryption? Have you encrypted a device after using it in unencrypted mode? If so, did you notice a difference in performance? Let us know your observations in the comments below.