Google Encrypted Cloud Backup for Android 9.0 Pie Publicly Released
Android has a cloud backup of its apps and settings for quite a while, connecting to the Google servers to sync data and apps across devices using a similar Google account. This automatic backup facility has received a new functionality with the roll-out of Android Pie (v9.0). This new facility is the inclusion of a built-in encryption during the backup phase of the cloud sync, making the data from the apps not readable by Google itself, preserving the privacy of the Android device users.
The new functionality has been revealed by Google in their regular Google Security Blog, which the search giant has baked the encryption of app data by a randomly generated unique key produced by the device itself. The lock screen (which, in turn, is protected by either passcode, pattern, pin, password or biometric key) will be tagged as the decryption code for the encryption key, producing a more secure platform for the mobile users.
“This passcode-protected key material is encrypted to a Titan security chip on our data center floor. The Titan chip is configured to only release the backup decryption key when presented with a correct claim derived from the user’s passcode. Because the Titan chip must authorize every access to the decryption key, it can permanently block access after too many incorrect attempts at guessing the user’s passcode, thus mitigating brute force attacks. The limited number of incorrect attempts is strictly enforced by a custom Titan firmware that cannot be updated without erasing the contents of the chip. By design, this means that no one (including Google) can access a user’s backed-up application data without specifically knowing their passcode,” explained Google in their official blog.
To facilitate tight device integration, Google has listed the NCC Group as the official auditor for the updated Android Cloud-Backup Infrastructure. NCC already published the results of their audit, which Google has complied to fix before Pie gets pushed to the qualified devices.
There is no official list of devices that support this feature, but it is expected that devices released with Android 9.0 from the factory get to pass the requirements to implement the project.
“Getting external reviews of our security efforts is one of many ways that Google and Android maintain transparency and openness which in turn helps users feel safe when it comes to their data. Whether it’s 100s of hours of gaming data or your personalized preferences in your favorite Google apps, our users’ information is protected. We want to acknowledge contributions from Shabsi Walfish, Software Engineering Lead, Identity and Authentication to this effort,” concluded Google.
It is not yet confirmed if Pie Custom Roms will exhibit the same cloud backup encryption, but from the perspective of Android enthusiast, the infrastructure change in Android Pie is the only requirement for the encrypted cloud backup. Any old device that receives a custom Android Pie Rom is expected to have the safety feature, as the cloud backup infrastructure is the one performing the actual encryption and not the processing power of the device itself.