Google stands its ground with Android Marshmallow full-disk encryption requirement
Google’s been taking serious steps to make Android a secure computing experience for ages now, and with last year’s release of Android Lollipop, the company took one of its boldest stances to date: devices shipping with Android 5.0 were required to take advantage of the platform’s full-disk encryption, securing user data even in the case of loss or theft. And while that may have been an admirable goal, it wasn’t long before pressure (presumably from OEMs) forced Google to back down: earlier this year we saw the company admit that the performance trade-off inherent in encrypting and decrypting all the data going on and off device storage was sometimes just too severe to make encryption mandatory, and it remained an optional feature … for the time. Now that Marshmallow’s here, Google’s revisiting the topic, and while there are still exceptions, the company’s taking a much firmer stance that will see encryption mandated on most Android hardware.
In the latest version of its Android Compatibility Definition document, Google pulls out the big guns: unless a Marshmallow-running device is specifically exempt due to having low RAM or fails to meet a formally defined encryption throughput target (50MB a second), manufacturers are required to enable encryption, out of the box.
This doesn’t affect phones and tablets which previously launched with Lollipop or earlier, and will only upgrade to Marshmallow, but from the next crop of hardware – devices which will run Marshmallow from day one – manufacturers have no choice but to force users to encrypt.
By and large, that’s very much a good thing, as it can be difficult to convince users to accept trade-offs (however small) to keep their data more secure, and removing user (to say nothing of manufacturer) choice from the equation should help see adoption rates seriously improve.
Then again, there’s also something to be said for giving informed users the choice to opt-out, which sounds like it won’t be happening going forward. If you’ve got an “indoor” tablet that lives in your nightstand or on your coffee table, there’s a fair case to be made for why mandatory encryption is just hurting performance with no tangible security gain. Still, this is the route Google’s going, so we’d better get used to it.