Yes, no, yes! Are you sure this time, Google?
In Google’s new Android Compatibility Definition Document (CDD), the company affirms that it is finally making encryption mandatory, out of the box, for all new devices running Android 6.0 Marshmallow.
Here is what the CDD says:
“For device implementations supporting full-disk encryption and with Advanced Encryption Standard (AES) crypto performance above 50MiB/sec, the full-disk encryption MUST be enabled by default at the time the user has completed the out-of-box setup experience.”
Fortunately, or not, a lockscreen passcode set-up will not be required, but can easily be initiated later, without requiring the disk to be re-encrypted. A default passcode for encryption will be provided by OEMs, and lets hope they do this sensibly, unlike the shockingly poor security practices demonstrated by WiFi router manufacturers in the past.
There are exceptions to the new agreement, as stated in the new CDD:
“If a device implementation is already launched on an earlier Android version with full-disk encryption disabled by default, such a device cannot meet the requirement through a system software update and thus MAY be exempted.”
I don’t anticipate much of a performance hit in newer devices, and now is a good time to make this mandatory, because of the avalanche of mobile malware discovered so far this year - the vast majority of which targets the Android platform.
Surely Google is concerned about their image, and their push for enterprise Bring Your Own Device (BYOD) usage. But this still does not solve the larger issue of fragmentation, and security updates, which leaves the majority of users exposed for months and even years to security threats.
Despite all of the malware being discovered this past year, I am still an Android fan, and love all my Google apps and free services.
And it’s worth remembering that Apple is far, far, from perfect, with an uptick in incidents on the iOS platform this year as well.
But, as Android users, we need to get educated on ways to mitigate the vulnerabilities we all are - and continue to be - exposed to.
Mobile is overtaking desktop in many ways, and in the end, we as users, are always the weakest security link.