The FBI, currently engaged in a privacy battle with Apple over a terrorist’s iPhone, would have an easier time breaking into the average Android smartphone.
That’s according to Android and Apple security manuals, cybersecurity professionals, mobile software developers and one investigator who helps police crack smartphones.
The whole reason the FBI is having a hard time getting into San Bernardino shooter Syed Farook’s locked iPhone 5C is that Apple’s smartphones are encrypted by default.
But only a fraction of Android devices are encrypted.
Without encryption, police would be able to extract data from a phone — even if it were locked with a passcode.
Google introduced encryption on Android in 2011, but it was buried deep within a phone’s settings. Not until late 2014 did Google begin offering default encryption on Android devices — but only on a small fraction of them.
Although 97% of Android phones offer encryption as an option, fewer than 35% of them actually prompted the owner to turn it on when the phone was first activated. Even then, not everybody chooses that extra layer of security.
A Google spokesman said that encryption is now required for all “high-performing devices” — like the Galaxy S7 — running the latest version of Android, Marshmallow. But only 1.2% of Android phones even have that version, according to Google.
By comparison, most Apple products are uniformly secure: 94% of iPhones run iOS 8 or 9, which encrypt all data. Apple makes its devices, designs the software, and retains full control of the phone’s operating system.
“If a person walks into a Best Buy and walks out with an iPhone, it’s encrypted by default. If they walk out with an Android phone, it’s largely vulnerable to surveillance,” said Christopher Soghoian, the principal technologist at the American Civil Liberties Union.
New York City’s top prosecutor, Cyrus Vance, has noted that Android phones have been easier to crack in the past, especially because Google can reset passcodes on older models.
Android is running on 105 million Americans’ smartphones — slightly more than the number of iPhones in the United States, according to industry trackers at comScore.
But there are ways in which an Android phone could actually be made more secure than an iPhone.
Android software can be tweaked to add all sorts of security features, like a password for a particular messaging app.
An encrypted Android phone also finishes starting up only after the phone’s owner enters a passcode. That’s not true for the iPhone, which starts up as soon as you hit the power button.
That’s an important detail: When confronted with a locked iPhone, police can take it within range of a Wi-Fi network the phone already trusts and potentially trigger a backup of the phone’s contents to iCloud on Apple’s servers, where investigators can then comb through the data.
Android phones won’t back up to the cloud until they’re unlocked.
However, law enforcement can pressure device manufacturers to develop a weakness they can use to break into the phone.
Like iPhones, Android devices have self-destruct passcode lockouts. On an iPhone, enter the wrong passcode 10 times and the device remains encrypted forever. The latest Android system allows up to 30 attempts.
To prevent that from happening in the San Bernardino case, a federal magistrate-judge has ordered Apple to redesign its proprietary computer code and kill off the very defenses it designed.
If it’s an Android phone, the FBI can approach each manufacturer — Huawei, Lenovo, LG, Samsung — and demand the company’s key to alter the code that first boots up the phone.
It’s unclear if those companies would comply. CNNMoney asked Samsung, which supplies the vast majority of Android phones, if it has provided this kind of help to law enforcement in the past. The company did not respond.
In the end, it really comes down to the phone’s owner.
“If the user chooses a good password, Android is as safe as iPhone. If not, then Apple is only better if they win the legal fight against the FBI,” said Rolf Weber, a network engineer.
A previous version of this story said Google offered encryption at device setup in 2014. A Google spokesman has clarified that Google began offering default encryption on some devices in 2014.