What if Syed Rizwan Farook had used an Android device?
Farook, the alleged shooter in the San Bernardino, Calif., terror attacks, the center of what may become the critical tech issue this year, owned an iPhone. And a judge ruled that Apple should aid federal authorities in hacking that phone, which Apple has steadfastly refused to obey.
Odds are, though, that future situations like this may involve an Android device. Four out of five smartphones worldwide — and a majority of those in the U.S. — run Google’s mobile operating system.
If you think this case is thorny now (and it certainly is), it would likely be more convoluted — though perhaps less technically difficult in some cases — if it were Google in the hot seat, given the sprawling nature of the Android handset market.
Thursday afternoon, Android chief Hiroshi Lockheimer told Bloomberg that he thinks Google “would feel the exact same way” under those circumstances. The Google SVP said that the case looked as though it diverged dangerously from the usual terms of data sharing between tech and government, but he clarified that he did not know the specifics of Apple’s situation.
“It’s hard to get into hypotheticals,” Lockheimer said.
The response mirrored the comments from Google CEO Sundar Pichai, who tweeted a quasi-defense of Apple’s full-throated response to the Feds on Wednesday. Pichai noted that the government request could set a “troubling precedent,” but he did not specify how Google would have handled the request. Google’s cautiousness may reflect a reluctance to enter a poisonous political fight.
It may also be because this hypothetical, like the broader Android world, is downright messy.
And it’s a messiness that underscores Google’s pickle with its mobile operating system and its long-simmering jealousy of rival Apple for the soup-to-nuts control of the mobile platform.
How an Android Device Is Secured
How this case might unfold with an Android phone at its center depends very much on which Android phone. And there are many.
First, a refresher on the San Bernardino controversy: It revolves around data the government wants on an iPhone that was not backed up in the cloud. But Apple uses full encryption, a security system that stores the lock and the “keys” to the device — and its data — only on the device. In other words, Apple does not have a copy of the encryption lock, which only the owner has. To tap the phone, the FBI asked Apple to make a tailored OS so that the FBI can crack the passcode-protected phone through brute force.
According to the New York Times, Apple had been assisting, handing over court-ordered data stored in its cloud, until the FBI made this specific request to crack open the device-level data.
Google also uses full encryption. It started with Gmail in 2010, which Google encrypts by default with https, and fields frequent government requests for its user data — almost 40,000 in the first half of 2015, according to Google’s Transparency Report.
Android is such a mess that you have to distinguish between the Google devices and the zoo of others.
Then it went to phones, offering Android owners an encryption option starting in 2011. Public pressure from the Edward Snowden NSA revelations (and, perhaps, jeers from Apple) pushed Google further. In 2014, with its Lollipop software version, Google turned on full encryption by default on Android phones. Then, last year, with its Marshmallow software, it required Android handsets to fully encrypt — as long as they were “high-performing” enough to do so.
With Android, unlike Gmail, Google claims it does not — and cannot — hand over requested data.
In November, Android’s security chief, Adrian Ludwig, wrote that Google is not able to tap open encrypted Androids even if it wanted to. And he said that inability extends to unencrypted phones where the users have entered a passcode — a statement that reads like it’s pushing back on claims from Apple that Google could readily share phone data with authorities.
“Google has no ability to facilitate unlocking any device that has been protected with a PIN, Password, or fingerprint,” Ludwig wrote. “This is the case whether or not the device is encrypted, and for all versions of Android.”
Law-enforcement accounts differ from Ludwig’s position. In a sweeping November report on encryption, Manhattan District Attorney Cy Vance wrote that Google can “reset the passcodes” on some Android phones without full encryption, when served with a search warrant. “This process can be done by Google remotely and allows forensic examiners to view the contents of a device,” according to the report.
Trouble is, we don’t know how many Android phones are fully encrypted. (Google says it doesn’t know, either.) Just 1.3 percent of Android devices run the latest Marshmallow software, many of them the newest Nexus phones, which Google fully controls. For the 34.1 percent of phones running Lollipop software, turning on full device encryption is optional.
Phone makers can add their own security, as Samsung and BlackBerry do, but they are also free to tweak Android’s source code and occasionally inadvertently introduce their own security vulnerabilities along with their custom software.
That means that given a San Bernardino-like scenario with most Android phones, the FBI could likely avoid the complicated back-and-forth it has had with Apple, but could find its job harder or easier depending on the particular phone, phone maker or user-chosen options.
Authorities could crack Android phones that aren’t fully encrypted or passcode-locked themselves. Or it could be forced to turn to whoever makes the phone — Samsung, Lenovo or the umpteen (largely international) other hardware makers, who may have different security systems.
“They would have to go to the specific manufacturers of the device,” said Andrew Blaich, an analyst with Bluebox Security. “It’s such a fragmented market that there’s just no one standard.”
Another security researcher explained: “Android is such a mess that you have to distinguish between the Google devices and the zoo of others.”
That zoo is the source of a nagging headache for Google. The company has tried to force more uniformity across the vast world of Android devices, to little avail. Making wide-scale changes to the operating system takes a long time.
We saw this issue with Stagefright, a security breach that left a majority of Androids vulnerable. Google’s attempt to nip it quickly was stymied by the very nature of Android — Google has to rely on dozens of hardware and telecom partners to implement security updates. Sometimes these updates can drag down a phone’s speed, giving manufacturers a reason not to install them at all.
Therein lies Google’s predicament. It has been the target of frequent fusillades from Apple — the iPhone company wants to protect your data; Google wants to sell it. Even if Google wanted to take a principled stand, like Apple is now, the company’s lack of tight control over its handset world would complicate that.
Usually, there’s plenty of Apple envy to go around in Mountain View. This week may be the exception.
This article originally appeared on Recode.net.