Android 5.0 Devices Aren't Encrypted By Default, Despite Google's Promises

By Jamie Condliffe on at

When Android 5.0 Lollipop launched, Google proudly claimed that full-disk encryption was a standard feature, enabled by default. But now phones with the OS are starting to appear in the wild, that appears not to be the case.

Google spoke about the feature at launch. The search giant told The Washington Post that "encryption will be enabled by default out of the box, so you won't even have to think about turning it on". In a blog post, it explained that a user data partition would be created at first boot, with encryption "on by default from the moment you power on a new device running Lollipop".

Certainly, Google's Nexus 6 and Nexus 9 both feature full-disk encryption by default. When Lollipop hit older Nexus devices as an update, it didn't retrospectively encrypt the devices; that's perhaps understandable as it could have caused some problems. But, Ars Technica reveals, other new handsets don't appear to be encrypted by default either. The second-generation Moto E isn't. Samples of the new Samsung Galaxy S6 at Mobile World Congress aren't. Why?

It turns out that the Android guidelines that Google publish for phone manufacturers — the Android Compatibility Definition document — don't reiterate the promise made at launch. Here's the relevant excerpt, unearthed by Ars Technica:

9.9 Full-Disk Encryption

If the device implementation has a lock screen, the device MUST support full-disk encryption of the application private data (/data patition) as well as the SD card partition if it is a permanent, non-removable part of the device. For devices supporting full-disk encryption, the full-disk encryption SHOULD be enabled all the time after the user has completed the out-of-box experience. While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.

So phones have to support encryption, but it's at the manufacturers discretion as to whether or not it's actually enable. Which is the exact same situation that's been in place since KitKat.

A strong possibility is that the encryption slows down a device to an extent that manufacturers are reluctant to have it running from the get go. After all, firing up your new handset to find it a little sluggish would be disappointing to say the least. Understandable on the part of the manufacturers, then — but less so on the part of Google.

If that last assumption is the case, it's likely Google was persuaded to relax its at-launch demands for the sake of performance. Which is fine. But it shouldn't, perhaps, have made such a song and dance about encryption when it launched Lollipop or at least made a similar fuss about the relaxation.

For now, then, you'll have to encrypt your own Android device—and perhaps Google ought to make it clear that's the case. [Ars Technica]