Google is making encryption standard in the next version of Android



Less than a day after Apple detailed new efforts in user privacy for its products, Google now says it plans to encrypt user data on all Android devices. Speaking to The Washington Post, Google says data encryption will now be a part of the activation process instead of an optional feature. The end result is that whatever data is stored on that device, be it a phone or tablet, will be inaccessible unless the person has the correct password.

 

"For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement," a Google spokesperson told The Verge. "As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on."

 

In Apple's case, the company already began encrypting user data for all users as part of iOS 8, a free update that became available yesterday. The company said that not even it can bypass a user passcode to access their data, tying its hands from offering such a service to law enforcement officials.

 

More....

http://www.theverge.com/2014/9/18/6436037/google-is-making-encryption-standard-in-the-next-version-of-android

  Quote

(Android Security Team member here... though these are my own perceptions and opinions, not an official statement.)

Two reasons:

First, because it's not completely trivial to make it work correctly, all the time, every time, on hundreds of different devices. Android uses dm_crypt, so the foundation is solid, well-proven code, but that doesn't mean there aren't tricky corner cases. With the huge number and variety of Android devices out there, you can be certain that if there's a way it can go wrong, it will. So, conservatism suggests it's a good idea to make it optional for a while and shake out any issues. It's been optional for three years now, and is in use on many devices (I don't know how many; I'd guess tens of millions, though), so it's time to take the next step.

Second, performance was a problem. Not run-time performance -- AES is really fast -- but the initial encryption required reading and writing many gigabytes so it took a long time just to do that much I/O. Encrypting by default means that either the device has to be encrypted in the factory, which would be a major production bottleneck, or else users would have to wait 20 minutes for their phone/tablet to start up just after they unbox it. That's a bad user experience. For L this was optimized so it only encrypts blocks that are in use. Since on a new device very little of the data partition is in use, very little has to be encrypted. That makes the initial encryption very fast (a few seconds).

There's actually another device encryption-related improvement coming in L. I'd love to describe it in detail since I worked on parts of it, but the article doesn't mention it so I'll hold off.

 

 

Food for thought....

it's been optional for 3 years.

And ChuckFinley, thanks for the article, it shows that while huge steps are necessary for a certain feature to be able to work in ALL of the hundreds of devices, Apple clearly has a more "simple" job since they have fewer devices to support.
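The quoted comment says initial encryption was made fast by encrypting only blocks that are in use. The sketch below is an added example, not Android's code or part of the original posts: it models a small partition, compares the I/O of a full pass with an in-use-only pass, and checks the raw blocks afterwards. The 4 KiB block size, the allocation bitmap, the marker strings and the SHAKE-based toy cipher (a stand-in for AES) are all assumptions made for the demonstration.

```python
import hashlib

BLOCK = 4096  # assumed block size for the model

def toy_block_cipher(key, block_no, data):
    """XOR with a SHAKE-256 keystream tweaked by block number.
    Stand-in for AES sector encryption; not for real use."""
    ks = hashlib.shake_256(key + block_no.to_bytes(8, "little")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_in_place(disk, in_use, key, only_used):
    """Encrypt the partition in place; return how many blocks were read and rewritten."""
    touched = 0
    for n, used in enumerate(in_use):
        if only_used and not used:
            continue  # the optimization: free blocks cost no I/O
        off = n * BLOCK
        disk[off:off + BLOCK] = toy_block_cipher(key, n, bytes(disk[off:off + BLOCK]))
        touched += 1
    return touched

def plaintext_remnants(disk, marker):
    """Block numbers whose raw contents still contain the plaintext marker."""
    return [n for n in range(len(disk) // BLOCK)
            if marker in disk[n * BLOCK:(n + 1) * BLOCK]]

def build_sample():
    """Constructed 64-block partition: blocks 0-3 hold live data, block 40 is
    marked free but still holds bytes of a deleted file."""
    blocks = 64
    disk = bytearray(blocks * BLOCK)
    in_use = [False] * blocks
    for n in range(4):
        disk[n * BLOCK:n * BLOCK + 11] = b"LIVE-SECRET"
        in_use[n] = True
    disk[40 * BLOCK:40 * BLOCK + 12] = b"STALE-SECRET"
    return disk, in_use

def compare():
    key = b"constructed-demo-key"
    full, bitmap = build_sample()
    fast, _ = build_sample()
    return {
        "full_io": encrypt_in_place(full, bitmap, key, only_used=False),
        "fast_io": encrypt_in_place(fast, bitmap, key, only_used=True),
        "live_left_fast": plaintext_remnants(fast, b"LIVE-SECRET"),
        "stale_left_fast": plaintext_remnants(fast, b"STALE-SECRET"),
        "stale_left_full": plaintext_remnants(full, b"STALE-SECRET"),
    }

if __name__ == "__main__":
    print(compare())
```

In this model the in-use-only pass touches 4 blocks instead of 64, and the one free block that held leftover data keeps it in the clear; on a freshly unboxed device the free space holds no user data, which is the case the comment describes.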
