
Google Refutes DA’s Smartphone Unlock Claim

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe


Search giant can unlock smartphones remotely, according to Manhattan district attorney’s office, but Google disagrees

The Manhattan district attorney’s office continues to put the pressure on technology companies after claiming that both Apple and Google can unlock smartphones when requested by law enforcement.

However, the office admitted the technology giants can only unlock the smartphone passcode if the device is not encrypted.

Remote Unlocking?

The claims that Google could remotely unlock some Android devices running older Android operating systems, if a court demands access to them, were made in a document published last week by the New York District Attorney’s Office.

The document also alleged that Apple can and will unlock smartphones and tablets when ordered to do so by a court, if the devices are not encrypted. However, Apple needs to physically access the device. Also, any device using iOS 8 or higher can’t have its passcode bypassed by Apple, and full disk encryption is enabled by default.

But it is the idea that Google can remotely unlock older Android smartphones that is alarming many.

Indeed, the document alleges that 74 percent of Android devices (running older Android operating systems) could be unlocked without user permission. It should be noted that any devices using Android 5.0 and newer cannot be remotely unlocked.

“Forensic examiners are able to bypass passcodes on some of those devices using a variety of forensic techniques,” said the document. “For some other types of Android devices, Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device.”

“For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default full-disk encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction,” it said.

The document was released last week by Manhattan District Attorney Cyrus Vance Jr, who initially called on Apple and Google to use weaker encryption levels on smartphones or indeed backdoors to allow law enforcement to access any information stored on the device.

The document also detailed the difficulty of getting passcodes from defendants in criminal cases.

Inaccurate Assumptions

But Google has hit back and said there were a number of “inaccurate assumptions” that “75 percent of Android devices can be remotely unlocked by Google.”

“I read a few articles today that said ‘75 percent of Android devices can be remotely unlocked by Google’ and I immediately thought ‘wait, that doesn’t sound right’,” said Adrian Ludwig, from Android Security, in a Google Plus posting.

“The articles relied on some inaccurate assumptions,” he said. “Here are the facts. Google has no ability to facilitate unlocking any device that has been protected with a PIN, Password, or fingerprint. This is the case whether or not the device is encrypted, and for all versions of Android.”

“Google also does not have any mechanism to facilitate access to devices that have been encrypted (whether encrypted by the user, as has been available since Android 3.0 for all Android devices, or encrypted by default, as has been available since Android 5.0 on select devices),” he added. “There are some devices (far fewer than 75 percent, although we don’t have an exact number) that have been configured to use a “pattern” to unlock.”

“Until Android L, “pattern” unlock did provide a recovery option with the Google account. This recovery feature was discontinued with Android L,” he said. “Also, the lost pattern recovery feature never applied to PIN or Password so if you are on an earlier model device and don’t want to use the pattern recovery feature, you can switch to a PIN or Password and it will be disabled.”
