Google’s first attempt to make default full-disk encryption mandatory for phone manufacturers was with Android 5.0, but it had to abandon that plan because of poor performance from some of the phones.
The Tame Apple Press has been marketing the fact that Apple is doing better because iOS already encrypts user data, making it “unhackable.”
With the release of Android 6.0, the Android Compatibility Definition Document (CDD), which sets guidelines for manufacturers, has also been updated. The document now lists full-disk encryption as a requirement instead of a recommendation.
If the Android phone is not a low-memory device (one with about 512MB of RAM) and supports a secure lock screen, it must also support full-disk encryption of both the application data and shared storage partitions, the document says.
If the device has an Advanced Encryption Standard (AES) cryptographic operation performance above 50MB/s, the full-disk encryption feature must be enabled by default during the initial set-up.
Google said that the encryption should use 128-bit or greater AES keys. They are not allowed to write the encryption key to the storage area later. The encryption key should never be transmitted off the device.
Of course, coppers are furious because it means they will have a hell of a job snuffling people’s personal data from now on.
In addition to encryption, Google also requires verified boot for devices with AES performance over 50MB/s. This feature verifies the integrity and authenticity of the software loaded at each stage of the device boot sequence and protects against boot-level attacks that could undermine the encryption.