Android 6.0 full disk encryption and other OEM requirements

Although Google didn't hype it as much, Android 6.0 is deserving of notice for its own fair share of major and substantial changes, like the new app permissions system and power saving doze mode feature that we've seen. But those changes aren't just for end users either. Google has just released the Compatibility Definition Document for Android Marshmallow which OEMs need to adhere to in order to be blessed by Google. And among those requirements is included the somewhat controversial Full Disk Encryption first found in Android 5.0 Lollipop.

Given the rash of privacy and security violations revealed by Edward Snowden, tech companies have been working around the clock to strengthen their software. Following Apple's lead, Google required full disk encryption for all new devices released after Android Lollipop was made generally available. However, that rollout was bumpy and Google had to retract the requirement due to performance issues, promising to reinstate it sometime in the near future.

That future apparently is now. In the Android 6.0 CDD, Google has changed the language again from "strongly RECOMMENDED" to "MUST", therefore requiring full disk encryption for all new devices released after Android 6.0. However, it isn't a blanket requirement and there are a few caveats. The most important is that the hardware must be able to support full disk encryption using AES cryptography with a performance above 50 MiB/s. This bottomline addresses complaints about performance hits when enabling encryption. Devices released prior to Marshmallow with full disk encryption disabled do not qualify.

It is interesting to note that Google requires this kind of encryption by default even when users have not yet set up a passcode or have disabled the use of one, which is required for encryption. Instead, the OEM should provide a passcode to wrap the encryption key. This ensures that devices are encrypted by default instead of relying on the user to set up a passcode, which some find to be tedious. It also means that should users finally do set up a passcode, they won't have to go through the long wait of encrypting the device.

The CCD also details other requirements for device vendors. For example, OEMs are required to ship an unmodified Doze mode on their devices. Those implementing fingerprint sensors must also take note of the requirements for this newly supported sensor. In particular, devices upgrading from a version earlier than Android 6.0 should have the fingerprint data erased if they can't meet the new requirements.

SOURCE: Google