Android’s Encryption Woes: Bad For Google, Worse For Everyone Else

Android May Be Un-Encryptable

Apple might generate long lines at its stores every time it releases an iterative iPhone, but there’s no doubt that, when it comes to OS market share, Android has been stealing Apple’s lunch money lately. In May, Kantar Worldpanel confirmed that Q1 2016 sales of Android phones had grown in just about every major market that matters — 7.1 percent in Europe, 7.3 percent in the U.S. and 6 percent in China. One Kantar analyst described Android’s recent dominance as a market-wide phenomenon spurred “not just from one or two players but from different brands and ecosystems, varying from region to region.”

It almost seems like Google and the Android OS are on the precipice of something never before seen in consumer electronics market share — or that would be the case if Android hadn’t just suffered a potentially unrecoverable blow to its encryption credibility.

The tragic flaw was first uncovered by tech security researcher Gal Beniamini on Thursday (June 30) when he posted a detailed breakdown of Android’s less-than-comprehensive Full Disk Encryption (FDE) scheme on devices using chips produced by Qualcomm. At the heart of the matter is the manner in which Android OS generates the 128-bit master Device Encryption Key (DEK) and how it links the DEK to user-generated device passcodes, PINs or gestures. While Beniamini explained that the first half of the encryption process is straightforward enough, the way in which the OS binds the DEK to the device’s hardware through an application known as KeyMaster — ostensibly, a process itself meant to frustrate brute-force attempts to crack the device — actually allows enterprising hackers to reverse-engineer an Android device’s DEK given access to the user’s sign-in method.

What might be worst of all, though, is that even patches from Qualcomm can be subverted with disk-imaging software, meaning that expensive and logistically unfeasible hardware fixes might be the only foolproof remedy.

“Full disk encryption is used worldwide and can sometimes be instrumental to ensuring the privacy of people’s most intimate pieces of information,” Beniamini wrote. “As such, I believe the encryption scheme should be designed to be as ‘bulletproof’ as possible, against all types of adversaries. As we’ve seen, the current encryption scheme is far from bulletproof and can be hacked by an adversary or even broken by the [original equipment manufacturer] themselves (if they are coerced to comply with law enforcement).”

This isn’t a matter of vulnerabilities in a handful of devices, either. According to Duo Labs, the systemic nature of the flaw means that up to 57 percent of all Android phones are susceptible to the holes in the OS’ encryption process. And going off of Google’s announcement in September of last year that the number of activated Android devices had crested 1.4 billion, that would put just under 800 million phones, tablets and other Android OS devices at risk.

On the surface, the immediate consequences of these security flaws would seem to favor Apple’s mission to regain the market share it’s lost to Google over the past few years. However, with such a widely used OS’ encryption process resting on a bed of sand, it’s just as likely that consumer opinions on smartphone security as a whole could be affected. A January survey by Accenture found that, of 28,000 consumers in 28 countries, 47 percent cited privacy risks and security concerns as roadblocks in the way of their next smartphone or Internet of Things purchase, with certain would-be consumers in nations like Indonesia (60 percent) and China (58 percent) fretting even more about whether their next device will give more access to hackers than to themselves.

This is bad news for anyone with a vested interest in consumer electronics retailing, if only because more consumers are starting to see the value of their smartphones residing not in the hardware itself but in the quality of the experience its digital services provide.

“The slowdown in the consumer technology market is irrefutable, serious and global,” Sami Luukkonen, global managing director of Accenture’s electronics and high-tech group, said in a statement. “The market is not about the glitzy gadgets anymore; rather, it’s about providing secure, innovative and practical digital services and more open collaboration. As device demand tapers off, the industry needs to make a sharp turn toward providing innovative, value-added services that consumers are able to use with confidence.”

Android OS’ FDE process is hardly delivering a value-added service as is, and given the systemic security risks it brings to Google’s ecosystem, it’s hard to imagine even users of the 43 percent of devices safe from this flaw placing sensitive material on their phones with anything resembling confidence. And when the world’s most widely used smartphone OS is no longer perceived as the security bulwark it once was, who can say whether consumers will be willing to trust the next company that tries to usurp Google’s place in mobile?