Why a Passcode Won’t Protect Most Android Devices

Source: Thinkstock

Source: Thinkstock

When you’re setting up your brand-new Android smartphone, coming up with a strong passcode seems like the best thing you can do to prevent your phone and all of the information on it from prying eyes. But it turns out that even the best passcode can’t always protect you from spying.

As Ben Woods reports for The Next Web, Google can remotely reset your passcode if compelled by a court order, which enables investigators to view the contents of your device. The revelation was made when a document prepared by the New York District Attorney’s office (PDF) came to light. The file reports on the implications of encryption for law enforcement agencies, examining how Apple “changed the way those of us in law enforcement work to keep the public safe and bring justice to victims and their families” when it announced that its devices would employ full-disk encryption by default. Google followed suit shortly thereafter.

The document explains that full-disk encryption, which prevents law enforcement officials from “access[ing] evidence of crimes stored on smartphones, even though the officials have a search warrant issued by a neutral judge,” prevents devices running Android 5.0 or newer from being remotely reset. (That is, of course, if you have full-disk encryption turned on, as it’s not switched on by default on many devices.) But any devices that use an older version of Google’s software are vulnerable to a remote reset. That should make updating your software and enabling full-disk encryption an even bigger priority than they were before.

To outline the “inadequacy of existing technological and legal tools for collecting evidence” — and to further the controversial argument that tech companies have created a big problem for law enforcement by making consumers’ devices more secure — forensic analysts made attempts to unlock both iOS and Android devices. The document explains that “Forensic examiners are able to bypass passcodes on some of those devices using a variety of forensic techniques.” For some kinds of Android devices, “Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device.” The report notes that “this process can be done by Google remotely and allows forensic examiners to view the contents of a device.”

But for devices running Android 5.0 Lollipop or newer versions of the software, Google plans to use full-disk encryption by default, which makes it “impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction.” Full-disk encryption by default hasn’t been implemented on all devices running Lollipop or later, since users generally are given the option to enable full-disk encryption on their devices.

The expansion of full-disk encryption in Android makes the situation for law enforcement agencies similar to the one they face with iOS devices. For Apple devices running iOS 7, a prosecutor can obtain a search warrant and an “unlock order” to compel Apple to extract the data from the device. But for Apple devices running iOS 8, which is equipped with expanded encryption, Apple can’t comply with unlock orders since it can’t extract data. Only 9% of iOS devices use a version of iOS that’s earlier than iOS 8 or iOS 9.

But due to a range of factors — not the least significant of which is the glacial pace at which device manufacturers and wireless carriers get updates to their users — Android’s user base is much slower to update to a new version of the operating system than the iOS user base. As Woods notes for The Next Web, adoption figures from Google’s Android Developer Dashboard indicate that 74.1% of Android devices are currently running a version of the operating system that can be remotely accessed at any time. 15.5% of the Android user base is running Android 5.0, 10.1% is running Android 5.1, and just 0.3% is running Android 6.0

The revelation is yet another cogent argument that if you can update your Android device to the latest version of the operating system, then you should. You should also enable full-disk encryption (find the option in the security or storage section of your phone’s setting). It’s worth noting that enabling full-disk encryption may slow down your hardware a little, but if you’re interested in protecting your privacy, that’s likely a sacrifice that’s worth making (even if you aren’t a bad guy and don’t have anything to hide). In an era when every app and cloud service seems susceptible to hacking or data leaks, it’s always a good idea to keep your communications and information encrypted. The data on your smartphone is no exception.

More from Gear & Style Cheat Sheet: