Google has rescinded on last year’s promise to ensure all Lollipop devices would offer full-disk encryption as a default setting.
It now seems that new devices running Android 5.0 OS aren’t shipping with encryption turned on as standard, Ars Technica reports.
Older versions of Android supported disk encryption as an optional setting, but Android 5.0 Lollipop would set the feature in stone, or so said Google in a blog post last year.
“When it comes to security, Lollipop is the biggest update for Android to date,” wrote Google.
“From the moment you turn on a device running Android 5.0, you’ll have a wealth of new security features protecting you, like encryption by default and a lock screen that’s easier and more powerful than ever.”
Unfortunately, it seems that promise didn’t extend beyond the company’s Nexus program, with the lion’s share of Lollipop phones still unencrypted as standard.
The 2014 Moto G, for instance, which has now upgraded to Lollipop, still doesn’t enforce encryption. Older Nexus devices also skip over the search engine giant’s promise.
One theory behind this is that manufacturers upgrading to Lollipop didn’t enforce encryption because the handsets weren’t originally designed for it as a default setting.
Encryption without dedicated crypto-acceleration hardware can massively impede device performance – as seen on the Nexus 6 and Nexus 9 – which would likely turn OEMs and consumers off.
Ars Technica, however, reports that brand new Samsung Galaxy S6 demo units at Mobile World Congress aren’t encrypted by default either. This means even new, Lollipop-out-of-the-box devices aren’t sticking with Google’s earlier promises.
It turns out that Google actually changed its policy on disk encryption after making the promise. It now reads as follows (all emphasis is Google's):
“For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience.”
It continued: “While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.”
This means that Google is now requiring devices to support encryption (as was previously the case), but it doesn’t actually have to be on by default.
The likeliest scenario is that Google will eventually make it mandatory, giving OEMs some breathing room for now to make the necessary changes to device design.
This could include upgrading to faster flash memory, faster file systems, or chips that are better at encrypting data quickly. Chips based on the ARMv8 framework, for instance, fall under this category, including the Snapdragon 810.