A common recommendation for securing a mobile device is to set up a passcode. A PIN or password makes it harder for a third party to get at personal information, which lowers the risk of data theft or loss, and with it the risk of incrimination or blackmail.
But when that third party is a government agency looking to retrieve data from someone's Android device, getting in may be easier than you think. On top of the resources already at their disposal, agencies can also turn to Google to have the passcode reset remotely.
According to the Manhattan District Attorney's office, "Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device".
This affects devices running versions of Android older than 5.0 Lollipop on which full-disk encryption has not been turned on (on those releases it is an optional setting, off by default). The reason is simple: without encryption the passcode is only a lock-screen gate, so once Google resets it the data underneath is readable. "For Android devices running operating systems Lollipop 5.0 and above, however, Google plans to use default full-disk encryption, like that being used by Apple, that will make it impossible for Google to comply with search warrants and orders instructing them to assist with device data extraction".
However, as the Manhattan District Attorney's office points out, only a handful of devices currently ship with full-disk encryption turned on out of the box. Manufacturers are only required to enable the feature by default on new devices that launch with Android 6.0 Marshmallow, and so far we haven't seen many of those. Users of earlier releases who want the protection have to turn it on themselves (the Encrypt phone option under Settings > Security), which takes a while and cannot be undone without a factory reset.
As I reported earlier this month, Lollipop and Marshmallow have a combined market share of 25.9 percent in the Android world. This means that government agencies can ask Google to remotely reset the passcode on at least 74.1 percent of all Android devices in use ("at least" because Lollipop handsets whose owners never enabled encryption add to that figure), and that includes handsets running KitKat, which is the most popular distribution with a 37.8 percent share.
The fact of the matter is that for most people this is not, and should not be, a reason for concern. For certain individuals it might be, but even if they switch to the latest version of Android (or to an iPhone running iOS 8 or iOS 9), there is no guarantee that the government will not find another way in.
Encryption is only as strong as the passcode the key is derived from: a four-digit PIN gives an attacker who holds the device, or an image of its storage, at most 10,000 guesses to try offline, so for people with something to protect, "1234" or "password" will not do the trick. There are other things to keep in mind as well: whether the government can exploit a known vulnerability to get in, trick the user into unlocking the device, or simply pull the same data from the cloud accounts the device syncs to.
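To make the two points above concrete (why a remote passcode reset exposes data on an unencrypted device but not on an encrypted one, and why a weak PIN undoes that protection anyway), here is a small model written for this article. It is an added example, not code from Google, Android or the Manhattan DA's office, and it deliberately simplifies: the key derivation uses PBKDF2 with a low, made-up iteration count, the master key is wrapped with XOR instead of AES, and the "disk" is a short constructed byte string. Real Android releases use a far heavier KDF and AES, but the structure, and the conclusion, is the same.

```python
import hashlib
import hmac
import itertools
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Toy parameters chosen for this illustration (an assumption, not Android's
# real settings): a real device uses a much heavier KDF and wraps the master
# key with AES rather than XOR.
KDF_ITERATIONS = 2000
KEY_LEN = 32


def derive_kek(passcode: str, salt: bytes, iterations: int) -> bytes:
    """Key-encryption key derived from the passcode. This is the only secret
    the passcode contributes, so its entropy bounds any offline attack."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations, dklen=KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for the
    device's AES; encryption and decryption are the same operation."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), "sha256").digest() for i in range(blocks))
    return xor_bytes(data, stream[: len(data)])


@dataclass
class UnencryptedDevice:
    """Pre-Lollipop device without FDE: the lock screen only gates the UI and
    the user data sits on flash in the clear."""
    salt: bytes
    credential_hash: bytes
    user_data: bytes

    @staticmethod
    def _hash(salt: bytes, passcode: str) -> bytes:
        return hashlib.sha256(salt + passcode.encode()).digest()

    @classmethod
    def provision(cls, passcode: str, user_data: bytes) -> "UnencryptedDevice":
        salt = os.urandom(16)
        return cls(salt, cls._hash(salt, passcode), user_data)

    def remote_reset(self, new_passcode: str) -> None:
        """All a server-side reset has to do: overwrite the stored credential.
        The data was never encrypted, so it is now readable with the new code."""
        self.credential_hash = self._hash(self.salt, new_passcode)

    def unlock(self, passcode: str) -> Optional[bytes]:
        if hmac.compare_digest(self.credential_hash, self._hash(self.salt, passcode)):
            return self.user_data
        return None


@dataclass
class EncryptedDevice:
    """FDE-style device: a random master key encrypts the data and is stored
    only wrapped under the passcode-derived key. There is no credential a
    server can overwrite to get in; whoever lacks the passcode lacks the key."""
    salt: bytes
    wrapped_master_key: bytes
    verifier: bytes  # lets the device distinguish a wrong passcode from a right one
    ciphertext: bytes
    iterations: int

    @classmethod
    def provision(cls, passcode: str, user_data: bytes,
                  iterations: int = KDF_ITERATIONS) -> "EncryptedDevice":
        salt = os.urandom(16)
        master_key = secrets.token_bytes(KEY_LEN)
        kek = derive_kek(passcode, salt, iterations)
        verifier = hmac.new(master_key, b"verify", "sha256").digest()
        return cls(salt, xor_bytes(master_key, kek), verifier,
                   stream_xor(master_key, user_data), iterations)

    def unlock(self, passcode: str) -> Optional[bytes]:
        master_key = xor_bytes(self.wrapped_master_key,
                               derive_kek(passcode, self.salt, self.iterations))
        check = hmac.new(master_key, b"verify", "sha256").digest()
        if not hmac.compare_digest(check, self.verifier):
            return None
        return stream_xor(master_key, self.ciphertext)


def brute_force_pin(device: EncryptedDevice, digits: int) -> Tuple[Optional[str], int]:
    """Offline attack on a storage image: try every numeric PIN of the given
    length. Returns (recovered PIN or None, number of KDF evaluations spent).
    A 4-digit PIN is at most 10,000 guesses, with no lock-screen throttling."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        pin = "".join(combo)
        if device.unlock(pin) is not None:
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    data = b"constructed sample: contacts, photos, messages"  # stands in for /data
    plain = UnencryptedDevice.provision("7391", data)
    plain.remote_reset("0000")
    print("unencrypted, after reset:", plain.unlock("0000"))
    enc = EncryptedDevice.provision("1234", data)
    print("encrypted, wrong code:", enc.unlock("0000"))
    print("encrypted, 4-digit brute force:", brute_force_pin(enc, 4))
```

The unencrypted model shows what the warrant process buys: a new credential and immediate access. The encrypted model has nothing to reset, but an examiner with the flash image can run the same key derivation as the device and walk the PIN space; the cost per guess, not the lock screen, is what stands between them and the data.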