Some Android devices running older versions of the software can be remotely reset by Google if a court demands access to them, according to a document prepared by the New York District Attorney’s Office.
In other words, Google could technically reset user-generated passwords on many Android devices if it needed to.
First spotted by The Next Web’s Ben Woods, the report concludes that owners of new Android phones don’t need to worry about Google being able to reset their password remotely – since phones running at least Android 5.0 feature full disk encryption.
The majority of people – about 74% of Android users according to the Android Developer Dashboard – have old versions of Android running on their phones and, depending on their settings, could be at risk for these remote password changes.
Not all older Android smartphones will be vulnerable, however: Only (older) devices using a pattern unlock method can be unlocked by Google.
In a post published early on Tuesday morning, Android security lead Adrian Ludwig clarified that “Google has no ability to facilitate unlocking any device that has been protected with a PIN, Password, or fingerprint.”
Additionally, some older devices will be encrypted (which has been available as an option since Android 3.0), preventing Google from accessing them.
Ludwig says the total number of older Android devices that use a pattern to unlock and are vulnerable is “far fewer than 75% [of total active Android smartphones], although we don’t have an exact number.”
If you own an iPhone and worry about the same thing happening when a court orders Apple to assist it in accessing a device, most iPhones nowadays feature full disk encryption. The NY District Attorney document found that devices running on iOS 8 or higher employ full disk encryption that cannot be penetrated by Apple, which the company turns on by default. And with the rapid adoption rate of updates among Apple fans, it’s safe to say this will be a headache for any law enforcement that wants to see what’s on an iPhone or iPad.
This post has been updated to clarify that not all smartphones running versions of Android older than 5.0 are vulnerable – just those that are unencrypted and use a pattern lock.