Google may reset Android passcodes remotely, unless you encrypt your device
One of the first things that I do when I get a new Android phone is to enable encryption on the device. Actually, that is something that I do on every computer I own provided such an option exists.
The main reason for this is security. While I don't have anything spectacular stored on the device, I want to protect the data on the device from unauthorized access.
This can happen for instance when you lose the phone and don't have it protected properly. The finder may be able to access your messages, photos, videos or contacts, as well as online accounts, accounts associated with the phone and so on.
A report by the Manhattan district attorney's office made the rounds this weekend as it revealed information about smartphone encryption, public safety and the means that law enforcement have to gain access to data on iOS and Android devices.
You find the following information under "attempts to unlock Google devices":
For some other types of Android devices, Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device.
What this means is that Google may reset the phone's passcode remotely if the proper legal paperwork is provided.
But, that is only possible of full-disk encryption is not enabled.
For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default full-disk encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction.
Full-disk encryption is only enabled by default on Google Nexus devices running Android Lollipop (5.x), and for devices running Android Marshmallow (6.x).
Most Android owners may enable full-disk encryption on their device however. Since there are many different interfaces, it is impossible to post a guide that works for all devices.
Usually, you find the option to enable full-disk encryption in the Settings under Security or Privacy. Depending on the device and manufacturer, you may find it elsewhere in the Settings.
Once encryption is enabled on a device, Google may no longer reset the passcode on the device remotely.
Closing Words
Encryption may reduce performance on Android devices and while that is the case, I think that the benefits of enabling it outweigh that disadvantage. While it seems rather unlikely that the majority of Android users will ever come in a situation where Google is requested by law to reset the passcode, it is more likely that encryption will help if the phone is stolen or lost.
Martin,
Are there other consequences to whole phone encryption, like issues with rooting or installing custom ROMs afterwards?
I never experienced any issues but I have not really installed lots of mods on Android to be honest.
There are no issues rooting, but if you want to install or even update a rom, you are required to completely wipe the phone.
Which is a major hassle considering how often most ROMs (at least those I use) update.
But I’m wondering, what is it that gives them this ability? The Play Framework? Something else? And now that it’s out, how long till custom ROMs come with that feature disabled? ;)
You don’t have to wipe if you’re using a custom recovery that supports mounting of the encrypted volume. An example is TWRP.
Also, most recovery utils already supports the ability to install ROMs or updates even if your /data is encrypted. The update basically saves the ROM image in the disk volume unencrypted and will instruct the recovery which sectors of the volume contains the unencrypted ROM image. Cool hack, BTW.
This is the same Google that will require OEMs to have secure factory reset protection and secure wipe on Android 6.0 Marshmallow in order to use Google Play Services
unrelated I know
removed.
Doesn’t full-disk encryption slow down the device if it does not have proper hardware support?
Like the old Nexus 6 and I suspect to some extent the recent Nexus 5X.
From personal experience (Nexus 4) I didn’t notice much difference.
Only if the devices dont have 64 bit cpus. Part of the arm v8-a spec is aes Acceleration.