Naked Security

Android Lollipop 5.1 brings promised anti-theft “kill switch”

Android Lollipop 5.1 is out for some Nexus phones, and it comes with an anti-theft kill switch. Now you can use Android Device Protection to freeze your phone if it’s lost or stolen.

Google just announced a new version of Android, Lollipop 5.1, which it says includes some “tasty additions” along with improved stability.

One of the major new features, called Device Protection, fulfills a pledge Google made to the law enforcement group Secure Our Smartphones last year to add a kill switch to Android devices.

Device Protection lets you remotely lock and delete all the data from a lost or stolen device, and even freeze the device completely.

You can get the device back into working order, but a simple “factory reset” is not enough, so even crooks who steal your phone for the phone alone, and don’t care if it’s wiped, are out of luck.

It’s the Android version of what’s known on the iPhone as Activation Lock or Find My iPhone.

According to Secure Our Smartphones, the addition of the kill switch in iPhones running iOS 7 and iOS 8 has cut iPhone thefts dramatically in cities like San Francisco, New York and London – because, they say, would-be thieves have learned they can’t resell them.

Although a remote lock-and-wipe feature is available on most Androids already, Device Protection promises to go beyond the Android Device Manager feature available on older versions.

In Android 5.1, Device Protection is enabled automatically when you set a screen lock and link the device to your Google account.

With Device Protection turned on, your lost or stolen device can only be unlocked with your Google account login, and it will remain inoperable even if a thief resets the device to factory settings.

A Google account username and password are required to complete the setup process after a factory reset – without the login, the device is essentially “frozen” for anyone but the rightful owner.

Google’s remote-wiping technology didn’t previously meet the definition of a kill switch established by the state of California, which passed a law requiring such a feature in smartphones sold in the state after July 1, 2015.

Android Device Protection appears to meet the requirements of the California law, at least as it is interpreted by the Save Our Smartphones coalition, which called Google’s new technology a kill switch in a press release in February.

Android’s chief security engineer, Adrian Ludwig, said last October that Lollipop 5.0 would include the kill switch (which he referred to then as Factory Reset Protection), according to CNET – but Android Device Protection wasn’t made available until Lollipop 5.1.

Google also promised last September that all Lollipop devices would come with encryption enabled by default, but has since pulled back due to “performance issues” on many devices.

According to Google’s announcement on the Android Official Blog, Device Protection “will be available on most Android phones and tablets shipped with Android 5.1 in addition to Nexus 6 and Nexus 9.”

As for other Android devices, it could be months before they get brought up to Lollipop.

Unlike iPhones, which are all built by Apple, Android devices come from multiple manufacturers who need to make the software work with their hardware – and even then wireless carriers may wait months to push the updates out on their networks.

While any iPhone user who wants to upgrade to the newest version of iOS can do so at any time (version 8.2 just came out), Android users usually have to wait – or buy a new phone with the new version installed.

Android 5.1 is the third update to Android since Lollipop was introduced in October 2014, but many users of Google’s own Nexus smartphones aren’t up to date yet, and only about 3% of all Android devices are currently running Lollipop.

Image of computer key kill switch courtesy of Mega Pixel / Shutterstock.com.

Comments

OK, a factory reset doesn’t work, but what about reflashing the firmware?

Either way, it’s good news for people who can get their hands on it.

Reply

Reflashing the firmware is implemented by invoking a special part of the firmware…so it can be regulated, too, assuming that you are using an Android build that includes the relevant Reset Protection.

I presume that’s how it works. I’d love to try it, but I only recently got 5.0 for my device :-)

Reply

Ya, but if you unlock the bootloader and flash a different custom ROM, it’s gone, unfortunately.

Reply

Isn’t the bootloader locked on some of the more, ah, regulated devices? (I have a Nexus 7 3G. It’s totally open…not that that means anything about how quickly you get new versions of Android :-)

Reply

Kill switch is great for end customers, but what about the millions of units in service / repair? Particularly the well over 50% of devices returned without any true defect, as industry insiders say: without being able to unlock the units there is no possible analysis and the devices can only be swapped – unless there is a specific workaround temporarily opening service-relevant functionality? Can manufacturers accept that impact for units under warranty?

Reply

Is the memory just superficially deleted, i.e. deleting entries in the File Allocation Table (FAT), or does it perform a deep-delete which would require a cryptographic random number to be written to the entire flash storage space at least a couple of dozen times over?

Not sure what the Kill Switch implements.

It would be trivial to restore flash storage contents with a superficial delete : )

Has anyone here got their hands on the detailed specification of the ‘kill switch’? Pls do share a link.

/ – Nagesh
India

Reply

If government really wanted to address the stolen phone issue, they would track the phones and catch the thief. Who’s kidding who? Like they don’t do it now when they want to. More and more phones have non-removable batteries, which means it can’t be hidden.

Reply

This isn’t quite accurate. As you say, Google promised it would be in 5.0. My 5.02 phone promised it. You (and everybody else apparently) then say “but Android Device Protection wasn’t made available until Lollipop 5.1.” What’s missing is that it is available on some 5.0 devices, although it isn’t a standard feature on all of them.

So Google was correct when they said it would be in 5.0, since it is in some 5.0 devices. It’s also correct that it will be in 5.1 and presumably all 5.1 devices. It’s also obviously not a standard 5.0 feature. But users with 5.0 devices should check under Security to see if there’s an “Enable Anti-Theft” item that’s set to On by default if there’s a Google ID and a lock screen was set up.

Reply

I forgot the password which I used in the anti-theft feature in the Lollipop version. I have also logged in to my Google account on my computer, but I am not getting how to unlock my phone. Please help me out.

Reply

How to unlock bootloader?

Reply

The answer is, “It depends.” (And different vendors have different legalistic views on what happens to your rights if you do, which you might want to read first.)

In other words, a search engine is your friend.

Reply

“In Android 5.1, Device Protection is enabled automatically when you set a screen lock and link the device to your Google account.”

Sounds like a good reason never to set a screen lock. A screen lock is useful to prevent tampering. So, the addition of this feature has, effectively, taken away the utility of having a screen lock.

A bit like the cartoon character suspending an anvil over the door, as a guaranteed way to stop intruders. Danger to owner exceeds any security advantage.

Reply

This is a horribly designed feature for any use case outside the average home consumer. In fact, for any use case where the owner would loan a phone to someone else for day-to-day use (such as in virtually every company) this is a massive PITA. Your only option in these cases would be to use some flavor of mobile device management (at a cost) to obfuscate the reset process enough that it becomes a deterrent. Of course, since any Android user can manually remove MDM software, and since phones can be factory imaged in many other ways, this is not a perfect solution. Android has never been a really attractive option for business phones, and this new feature might just break the camel’s back.

Reply

So, apparently my husband’s Droid Turbo 2 has this. His phone died last night and shortly after it dies, we see a screen with the Android bot that says, “erasing”. Get it charged up and turned on to find out it did an unannounced, non-asked-for factory reset. And when going through the setup wizard, it gets to the Google login screen and asks us to enter a “previously synced Gmail account”.
Only having one account, and double-checking the pass code on a different device, we enter the correct info and nothing. It keeps telling us that we must enter a previously synced email account. Call Verizon, they do a hard reset. After 3 hours of nothing... They call Motorola and he tells me, “you have to wait 73 hours and then try again”.
So, I’m stuck with a useless device that I just got over a month ago brand new. Any explanation? Because no one knows how or why this happened. I might also add, when I type in the password and email the phone is rejecting, I’ll get an email on my computer from Gmail stating that “someone has logged into your email account using a droid turbo 2”, then have the exact time it happened. I think this is crazy!

Reply
