Android 5.0 “Lollipop” release increases Google’s security cred

Update includes some smart changes to boost users’ data hygiene

Google Nexus devices running Android 5.0, known as Lollipop


Google is touting security as a major feature of the latest version of its Android operating system, Lollipop or 5.0, which means one of two things. Either mobile phones have truly jumped the shark in terms of new, sexy functionality, or security itself has become a sexy feature.

Adrian Ludwig, lead engineer for Android security, believes the second of those to be true.

“Security tends to be kind of mundane,” he says. “The things that affect people are not the ones that receive the most attention. But there are a lot of sexy features that depend on security.”

That’s the thinking behind Google’s new three-pronged approach to making Android Lollipop, currently being rolled out to phones and tablets, more secure.

Perhaps the most noticeable change is happening on the device level, with data encryption now coming as a default. Encryption—or encoding the files on your phone so that they can’t be read by third parties without your password—has been an optional feature in previous versions of the operating system, but now it comes turned on automatically in Android Lollipop.


Many users weren’t enabling encryption in the past because it had a tendency to slow down their devices, as well as their use of those devices. With the typical person unlocking their phone dozens of times a day, inputting a password or swipe pattern repeatedly didn’t seem worth it.

Google has made improvements in both of those areas, Ludwig says. On the one hand, the processing power of devices and the software running on them have improved to the point where encrypting data no longer results in noticeable slowdowns. “We’re comfortable turning it on all the time,” he says.

As far as the actual user experience goes, Android Lollipop features “Smart Lock,” which automatically unlocks a phone or tablet if there’s another trusted Bluetooth or NFC device nearby. If the Lollipop-running device detects, say, your Bluetooth-connected smartwatch or car nearby, it deactivates the password prompt on the lock screen for as long as it’s in range.

Burrowing deeper into the operating system itself, Android 5.0 requires full SELinux enforcing from all application developers. The rules that app makers must follow are now fully transparent and uniform, with any third party able to look at them. That will cut out the possibility of backdoors, such as one app exploiting another to steal a user’s information.

“These things have no knowledge whatsoever of what’s going on in other applications,” Ludwig says.

The security improvements in Android Lollipop are intended to let users breathe easier if their devices are lost or stolen, but privacy advocates are cheering them—as well as similar recent improvements from Apple—because they will likely throw veritable wrenches into the snooping efforts of over-zealous law enforcement agencies.

There has been speculation that the U.S. National Security Agency has cracked—or is trying to crack—industry-standard security protocols such as AES, which is what Google is using, but there isn’t any proof yet that it has succeeded.

“We’re not aware of anyone being able to read the data off of it,” Ludwig says.