With the release of Android 6.0 (Marshmallow), Google has finally made good on a promise it first started making back in 2014 in the run-up to Lollipop. Back then, the tech giant said that any new device running the Android 5.0 operating system would be required to ship with full disk encryption as standard. Sadly, Google later backed down from that original threat, deciding only to make it a ‘strongly recommended’ feature for devices manufactured and shipped with Android 5.0. From Google’s old (5.1) Compatibility Definition Document (CDD):
‘While this requirement is stated as SHOULD for this version of the Android platform, it is very strongly RECOMMENDED as we expect this to change to MUST in the future versions of Android.’
This time, however, Google has put its foot down and made full disk encryption an absolute requirement for any device shipping with the latest version of its popular Android operating system: Marshmallow.
This news comes via the firm’s newly released Android Compatibility Definition Document (pdf), which explicitly states that any device capable of AES crypto performance above 50 MiB per second must ship with support for encryption of both the private and public data partitions of the device. This means that any user data stored either in the internal partition of the phone or on any SD data cards inserted into the device must support encryption from the moment the device has gone through its out-of-the-box setup process. From Google’s new CDD document:
‘If the device implementation supports a secure lock screen reporting “true” for KeyguardManager.isDeviceSecure(), and is not a device with restricted memory as reported through the ActivityManager.isLowRamDevice() method, then the device MUST support full-disk encryption of the application private data (/data partition), as well as the application shared storage partition (/sd card partition) if it is a permanent, non-removable part of the device.’
‘For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience. If a device implementation is already launched on an earlier Android version with full-disk encryption disabled by default, such a device cannot meet the requirement through a system software update and thus MAY be exempted.’
As such, only cheaper devices that are incapable of running the encryption (phones that ship with low-end 32-bit SoCs whose hardware acceleration is too inadequate to carry out the encryption and decryption process) and devices that ship with no lock screen (such as Android Wear) are exempt.
Though, of course, this does nothing to protect users of phones that shipped prior to the release of Marshmallow, or who buy a phone during the changeover period, i.e., phones that are currently sitting in shops waiting to be sold. For this reason, anybody buying a phone in the short term should check with their retailer (at the time of purchase) to make sure that the particular model of phone they are getting does live up to this new level of built-in encryption. That is unlikely, as we are only aware of the Nexus 6 and Nexus 9 being shipped with out-of-the-box encryption prior to this new rule.
One final thing worth noting is that, despite full disk encryption being a mandatory requirement for all devices that ship with a lock screen from now on, buyers of said devices will not actually be forced to set up the lock screen feature right out of the box. Anybody who does not want to will instead be asked to set up their phone’s built-in encryption with a ‘default passcode.’ The upside of that? If a user does later decide to activate the lock screen feature on their device, they will be able to do so without having to re-encrypt the entire disk.
Consumers should also be acutely aware that any Android smartphone or tablet purchased before Marshmallow’s release will not be expected to adhere to this new requirement. Those devices will, therefore, continue to lack encryption of data within the private and public partitions of the device, even if updated to the current and best version of the popular Android operating system. Thankfully, however, it is possible to encrypt your own pre-Marshmallow Android device. If you want to do so, be sure to follow our easy step-by-step guide here.
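Rather than taking a retailer’s word for it, a device’s encryption state can be read directly from its system properties. The script below is an added example, not code from the article or from Google’s CDD: it parses the output of `adb shell getprop` (the `ro.crypto.state` property is real; the sample property dumps are constructed for illustration) and reports whether the `/data` partition is encrypted, so the same check can gate a provisioning or compliance script. It assumes `adb` is installed and the device is authorised for debugging.

```shell
# Added example: classify a device's full-disk-encryption state from a
# `getprop` dump. Property name ro.crypto.state is real; sample dumps below
# are constructed and do not come from the article.

# fde_state <getprop-dump-text>
# Prints one of: encrypted, unencrypted, unsupported, unknown
fde_state() {
  # `adb shell getprop` prints lines like "[ro.crypto.state]: [encrypted]";
  # older adb builds emit CRLF line endings, so strip any carriage returns.
  state=$(printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^\[ro\.crypto\.state\]: \[\([^]]*\)\]$/\1/p')
  case "$state" in
    encrypted|unencrypted|unsupported) printf '%s\n' "$state" ;;
    *) printf 'unknown\n' ;;   # property absent (pre-FDE build) or unexpected value
  esac
}

# fde_check <getprop-dump-text>
# Exit status 0 only when the device reports an encrypted /data partition.
fde_check() {
  [ "$(fde_state "$1")" = "encrypted" ]
}

# Constructed sample dumps (a subset of what a real getprop listing contains)
SAMPLE_ENCRYPTED='[ro.build.version.release]: [6.0]
[ro.crypto.state]: [encrypted]
[ro.product.model]: [Nexus 6]'

SAMPLE_UNENCRYPTED='[ro.build.version.release]: [5.1.1]
[ro.crypto.state]: [unencrypted]
[ro.product.model]: [Example-Phone]'

SAMPLE_MISSING='[ro.build.version.release]: [4.4.4]
[ro.product.model]: [Old-Phone]'

# Usage against a connected device (assumes adb is installed and authorised):
#   if fde_check "$(adb shell getprop)"; then echo "encrypted"; else echo "NOT encrypted"; fi
```

Treating a missing property as `unknown` rather than `unencrypted` is deliberate: an absent `ro.crypto.state` usually means a build that predates the encryption framework, which is worth flagging separately from a device that explicitly reports itself as unencrypted.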