Analysis: What If The San Bernardino Shooters Had Been Using A Samsung Galaxy Phone?


As Apple continues to battle with the FBI over whether it should help unlock an iPhone used by Syed Rizwan Farook, a gunman in the mass shooting in San Bernardino, Calif., in December, some people following the debate have raised this question: Would this issue have played out any differently if the phone were an Android, such as a Samsung Galaxy S6?

It’s a logical thing to ask, given that Samsung is the most popular smartphone maker after Apple, according to comScore. Although Apple and Samsung are close rivals, there is a key difference between them. Apple controls both the hardware and the software of its iPhones. Samsung, however, like most smartphone makers, does not make Android, its operating system. Android is primarily developed by Google, and smartphone makers such as Samsung and HTC then customize the Android operating system to fit their preferences.

So would things have played out differently if an Android phone were the one in question? It’s a little hard to say, but here’s what we’ve gathered:

Apple’s latest devices are encrypted. Are the latest Android devices encrypted as well?

Well, no. Google has supported encryption, but its beliefs on this issue may not trickle down to the smartphones in most consumers’ hands. Although Google has offered the option for a few years for data on Android phones to be encrypted, until very recently implementation has been up to manufacturers.

With its latest operating system, Marshmallow, Google requires companies to offer encryption by default — if the phone meets the technical requirements and can encrypt data without hurting its performance. Phones that don’t fall into this camp or that run an older OS would have encryption only if users decided to turn it on. If a user upgrades to Marshmallow from a previous system, they also have to turn on encryption themselves.

That means most Android devices probably are not encrypted. Only 1.2 percent of Android smartphones on the market are running Marshmallow. And keep in mind that Google has very little control over how and when phones get updated to the latest system; smartphone manufacturers and mobile carriers control that.

Let’s say our hypothetical Samsung Galaxy S6 was encrypted. How would the FBI get into it?

According to a Samsung spokeswoman, the encryption option is turned on by default for the Galaxy S6 – and the forthcoming Marshmallow-powered Galaxy S7. But the government would be unlikely to go to Google for help getting into a phone, said Chris Soghoian, principal technologist at the American Civil Liberties Union. Not only is the Android landscape complicated, but manufacturers, not Google, are in charge of signing the security certificates that prove their software is authentic, he said.

And Google wouldn’t be able to get past security measures on other company’s devices. According to Google, it generally can’t update the firmware – code that controls a phone’s chips, processors and other hardware – on phones it doesn’t make, meaning it can’t modify a phone to accept new software.

So it all comes down to the phone’s manufacturer?

It seems like it, particularly if the government wanted to have a company make new software specifically to defeat security measures, as it does in the Apple case. Here’s Soghoian again: “If the government wanted the type of help it’s asking from Apple, it would go to Samsung rather than Google.” It would be up to Samsung, as a phone manufacturer, to determine how much help it would give and whether to put up the same fight as Apple.

Yet because Android is set up the way it is, law enforcement may have a few more avenues of entry, said Tyler Shields, vice president for strategy at web application security firm Signal Sciences. He said that “the update chain ends up going from Android, to the hardware provider and to the service provider – everyone has their hand in the process.” And that means, in theory, the government may be able to turn to more than one actor in that chain if they wanted to deliver software changes to a device — which the government wants Apple to do in the case of the iPhone used by one of the San Bernardino shooters.

But with Apple, the options are limited.

“Apple has chosen to take a hard line on ownership from chip all the way up to software,” Shields said. “And by doing that, they don’t have to let people in – they don’t have to let people have the ability to modify the product if they don’t want them to.”

Where do Samsung and other phone manufacturers fall in this debate?

A Samsung spokeswoman sent us the following statement, noting specifically that the creation of back doors — changes to software that allow government access — could be bad for its reputation:

“Ensuring trust in our products and services is our top priority. Our phones are embedded with encryption that protects privacy and content, and they do not have backdoors. When required to do so, and within the law, we work with law enforcement agencies. However, any requirement to create a backdoor could undermine consumers’ trust.”

Generally speaking, Samsung says in its terms of service that it will turn over user information to law enforcement in certain cases, such as “when we are required to do so or to protect Samsung and its users.” Another part of its terms and conditions specifically says that it may turn over information “to comply with the law or respond to compulsory legal process (such as a search warrant or other court order).” In other words – like nearly every tech company – Samsung seems to evaluate these things case by case.

Samsung itself has an encryption system called Knox, which helped it get approval to be used in government work. According to the spokeswoman: “Samsung cannot decrypt the user’s encrypted phones. The encryption key is randomly generated for each user and the key is protected with the user’s password.” What we don’t know is whether Samsung would create new technology to circumvent its own security measures. Samsung did not directly respond to questions on that topic.

We also don’t know that of HTC, LG, Lenovo or most other phone manufacturers. The only other phone makers to date who have lent their explicit support to Apple are Microsoft – which makes Windows Phones – and Google.

(C) 2016, The Washington Post · Hayley Tsukayama, Andrea Peterson