Google follows Apple to lock itself out of devices

Google will follow Apple and rework the encryption on its upcoming "Android L" mobile operating system in order to limit its ability to hand over user data to law enforcement agencies.

Apple yesterday revealed that the encryption in its just-released iOS 8 operating system meant the company could no longer gain access to a user's data protected by the user's passcode in order to act on legal requests for data by law enforcement.

The company had previously kept the encryption keys needed to unlock the devices for law enforcement, but with iOS 8 will no longer do so, meaning police and other agencies will need to approach the device owner directly for access.

Google today said it would follow in Apple's footsteps for the upcoming release of its code-named "Android L" mobile operating system.

A Google spokesperson said in a statement, as first reported by the Washington Post, that encryption was already offered as an option in the current version of Android but would be turned on by default in "Android L".

The automatic encryption will mean only someone with knowledge of a device's passcode will be able to access the data stored within it.

"For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement," the spokesperson said in the statement.

"As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on."

Android L was released in beta in June to select Nexus devices and is forecast to be broadly released later this year.

"Not completely protected"

Despite Apple's "courageous" and "pro-privacy" move, one iOS security expert warned users not to expect their data will be completely inaccessible to law enforcement.

Jonathan Zdziarski - the iPhone hacker and app developer who recently discovered a number of undocumented backdoors in iOS that allow data to be stolen or exploited - yesterday said Apple's move had given the company an ability to deny requests for data on the grounds of technical limitation.

It did not mean the data was beyond law enforcement's reach, however.

He said while Apple had closed off many vulnerabilities able to exploited by commercial forensic tools with iOS 8, others were yet to be fixed. This means forensic tools could still access certain types of user data.

"What’s left are services that iTunes (and Xcode) talk to in order to exchange information with third party applications, or access your media folder. Apple wants you to be able access your photos and other information from your desktop while the phone is locked – for ease of use," Zdziarski wrote.

"This, unfortunately, also opens up the capability for law enforcement to also use this mechanism to dump ... your camera reel, videos, and recordings; podcasts, books, and other iTunes media; [and] all third party application data.

"Existing commercial forensics tools can still acquire these artifacts from your device, even running iOS 8."

Zdziarski added, however, that law enforcement would need to be able to access the desktop or laptop paired with the iPhone, iPad or iPod in order to be able to get to this data, so as to use the backup copy of the key derived from the user's passcode to unlock the phone's encryption.

A number of precautions are available to users to protect their privacy, he said, including shutting down an iPhone when going through airport security or customs to enact the kill switch included in iOS 8, which stops the paired device from unlocking the iPhone when the device is off.

But he warned that the pairing record vulnerability "only works if you’ve used your phone since it was last rebooted".

Users should also make sure strong encryption is used on the paired laptop or desktop, and the devices are turned off when not in use.