Home 3 Loopholes In Android Lollipop Encryption That Could Expose Your Phone Data

3 Loopholes In Android Lollipop Encryption That Could Expose Your Phone Data

Android 5.0 Lollipop, the latest version of Google’s mobile operating software, will indeed shield files, photos and other user information on Android phones from prying eyes. But that protection isn’t quite as all-encompassing as the company’s earlier statements might have led you to think.

A month ago, Google announced that Lollipop would automatically encrypt user data on Android phones, essentially scrambling it so that the police, spies and jealous lovers can’t read your texts and email or snatch up your private pictures. “[E]ncryption will be enabled by default out of the box, so you won’t even have to think about turning it on,” the company’s statement read.

See also: Understanding Encryption: Here’s The Key

On Tuesday, Google provided some more details about how that encryption actually works. New phones that ship with Lollipop will begin encrypting data once they’re turned on, using encryption keys generated internally by Android software and phone hardware (technically, chip-based random-number generators).

Those master keys, according to Adrian Ludwig, Android’s lead security engineer, never leave the device. That means Google has no access to them and can’t provide them to law enforcement or other authorities even if presented with a legal order to do so.

Lollipop’s encryption scheme greatly speeds up the process of protecting users’ stored data, since it starts off with a largely empty phone and then encrypts new data as it’s added. Android has actually allowed users to encrypt their phones for roughly three years, but it didn’t draw attention to the option, which was buried in the settings menu.

See also: Why Google Wants To Padlock The Web

Worse, encryption was irreversible, somewhat clumsy to use (it requires you to enter a decryption password when your phone or tablet starts up, a step Lollipop eliminates) and very slow to initialize. It can take an hour or more to encrypt the data on a typical phone.

But There’s A Catch

Make that three catches, actually.

First, the encryption doesn’t help much if you haven’t set a passcode. Ludwig said studies have shown that roughly half of users don’t set passcodes on their devices, largely because they find it inconvenient to keep entering them dozens of times a day. Lollipop will still encrypt your data, but it will also automatically decrypt it in normal use. So if you don’t have a passcode, much of your information will be available to anyone who picks up your phone.

See also: How Apple Made Its Users Vulnerable To iCloud Theft

Lollipop’s encryption still offers some limited protection even under those circumstances—for instance, by protecting stored data against anyone who tries to read it directly from the phone’s memory. That could shield user passwords and other sensitive data from attackers.

Ludwig said Google is trying hard to address the usability issues with encryption. For instance, Lollipop has another feature that will let you unlock your phone with a trusted device such as a smartwatch. But most users probably aren’t set up to use that sort of feature yet—and it may have drawbacks of its own.

See also: Put Away That Passcode: Android Devices Will Soon Unlock One Another

Second, the encryption process only protects files and photos that are stored in a specific location known as the /data partition. It will not protect anything stored on a removable microSD storage card.

Many Android apps store data directly on the SD card; if you want to protect that, you’ll need to find a separate encryption program. (Some manufacturers such as Samsung include SD-card encryption as an option on their phones.)

Finally, even Lollipop won’t encrypt your data by default if you upgrade to Android 5.0 instead of buying a new phone. That’s by design, since otherwise you could end up waiting 45 minute to an hour or more while the operating system encrypted your files. But it could leave you with a false sense of … well, security, if you upgrade to Lollipop thinking that it will encrypt all your files automatically.

Lead image by Tim RT

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.