Home » Amazon, Tablets/Ereaders » Amazon removed device encryption from Fire OS 5 because no one was using it

Amazon removed device encryption from Fire OS 5 because no one was using it

4 March 2016

From Ars Technica:

In the wake of Apple’s high-profile fight with the FBI, more users and journalists have been paying attention to encryption of local storage in phones and tablets. Apple strengthened the encryption on all iDevices in iOS 8, making it so that no one could decrypt the storage without knowing the user’s passcode. Google made encryption a requirement for all Google-approved Android phones that ship with Marshmallow(after a false start in Lollipop), and it has been available as an optional Android security feature for years.

Amazon’s Fire OS is a fork of Android, based on the Android Open Source Project (AOSP) code but without Google’s apps and services or guaranteed compatibility with apps developed for Google-approved Android. Amazon has heavily customized the UI and provides its own app store, but it typically leans on AOSP code for under-the-hood, foundational features—in older Fire OS versions, the optional device encryption was handled the same way it was on any Android device. However, according to user David Scovetta and others on Amazon’s support forums, that encryption support has been deprecated and removed in recent releases of Fire OS 5, both for new Fire tablets and for older devices that have been upgraded.

We contacted Amazon for comment, and the company told us that local device encryption support was removed in FireOS 5 because the feature wasn’t being used:

“In the fall when we released Fire OS 5, we removed some enterprise features that we found customers weren’t using,” Amazon told Ars. “All Fire tablets’ communication with Amazon’s cloud meet our high standards for privacy and security including appropriate use of encryption.”

In short, encrypted connections between the Fire tablets and external servers are safe (or, as safe as the server involved and the method of encryption being used will allow for), but thieves and law enforcement officials will be able to grab user data stored locally without much trouble.

Link to the rest at Ars Technica and thanks to Chris for the tip.

Amazon, Tablets/Ereaders

15 Comments to “Amazon removed device encryption from Fire OS 5 because no one was using it”

  1. I believe Android 6 made encryption mandatory. Obviously most people won’t turn it on if they actually have to go through the trouble of doing so… they probably don’t even know it’s there.

    But not encrypting a mobile device that can easily be lost seems crazy to me.

  2. This does, unfortunately, make a certain amount of sense. The vast majority of ordinary people probably neither know nor care about encrypting their devices for greater security. Amazon in particular caters to just that sort of person—someone who can manage something just about as complicated as buying an e-book by tapping a button on their screen, but couldn’t figure out how to sideload a book bought elsewhere if their life depended on it. However, device security is important enough that it simply shouldn’t be tailored to the needs of the lowest common denominator.

    • Felix J. Torres

      From a business point of view it makes perfect sense: they lose the sales of the few people who care about device-level encryption (would-be terrorists included. 😉 ) and don’t have to worry about the FBI dragging them into court.

      They’re comfortable with the trade-off and odds are 99% of their customers will be, too.

      • 99% of their customers will be happy… until they lose their tablet and find someone just ordered thousands of dollars of stuff from their Amazon account.

        • They won’t be charged for it, though. In fact, the order probably won’t even ship out. Amazon has a spectacularly good anti-fraud watch program. Take it from someone who’s had to use it more than once. 🙁

          • Just because the bank will likely reverse the charges at some point doesn’t mean it isn’t a month or six (or more) of fighting with the bank, Amazon, possibly even law enforcement.

            Encryption is sort of like a seat belt in that you really miss it the one time you really should have been using it. Sure a hack won’t kill you, but it can cripple you financially and even legally.

            But the more important thing to consider is just how much information we keep on our mobile devices. Most people are like me and have their Google account (or Apple account) tied to the device, which means any credit cards or paypal accounts tied to it are vulnerable (ie: stolen tablet, login automatically to accounts, then lock everyone else out with a password change and two-factor authentication since hacker has the physical device). Any other website or service that uses identifying information and financial accounts are at risk of both being abused as well as having the actual owner locked out.

            Then there’s the most troubling aspect, which is identification theft. If a user has a device that has easily been compromised (and devices that don’t have encryption enabled are incredibly easy to break into while encrypted devices are almost impossible unless the hacker is a true pro with good tools), it is nothing to gain the owner’s name, birth date, SSN, employer, address, etc.

            This is when the real trouble begins. Google the nightmares victims have gone through just to prove they are really them. You’ll also see the destruction of their credit ratings, draining of accounts, conversion of stocks and such to liquid assets and siphoned off, even the commission of crimes using the stolen identification.

            I’ve been in high tech for two decades. It’s true that most consumers are absolute morons when it comes to personal safety in the digital world. Too many persons on my FB feed complain about this “apple thing” without understanding any of it, especially the implications of both allowing a back door into unbreakable security systems as well as the damage not using encryption can do.

            Worse, everyone assumes they’ll never have anything bad happen to them. They believe that they’ll never accidentally leave their phone on a table at a restaurant (or that if they do, some good samaritan will immediately secure it and not look at it or hand it off to someone who can break into it). This is good ol’ American wisdom: “that would never happen to me for X-reason.”

            Then it happens. My wife, who has lived under my tyrant rule of digital security and knows how to spot spam, phishing, and fraud with nearly as good an eye as me… she got nailed once a few years ago by not being careful. Next thing you know, a bunch of purchases based out of France start showing up and the bank is on the horn bugging us. It was only $57 before the bank shut it down, and of course we didn’t have to pay, but it took SIX FRIGGIN WEEKS to get all the cards changed out, accounts secured, etc. Imagine the nightmare if we’d been nabbed for $5000 or some amount we didn’t have to cover it.

            Amazon’s anti-fraud program IS good, but it cannot detect compromised devices. Please never believe that Amazon is going to be the one-stop security barrier that will protect you. Only YOU can protect you.

            You can protect you and not just you by turning on your device’s encryption and spending the next decade complaining about having to put in a 6+ digit PIN (use 6+ digits, not just 4, DON’T BE LAZY, the difference between 4 and 6 or more characters is almost astronomical).

            Right. Sorry about the rant. But this laissez fair attitude about encryption and the ignorance over the implications of the FBI vs Apple case will only serve to make it easier for you and others to compromise your devices, in turn compromising your life and possibly safety.

            • Felix J. Torres

              And the devil would advocate: why is it any company’s obligation (or the government’s) to protect people from the consequences of their own choices? Or carelessness?

              Companies make these kinds of decisions all the time. Auto companies even factor in potential deaths and lawsuits before deciding to make expensive design changes. Doesn’t make it right or wrong, just common sense practice: People misuse gear. Then they go looking for someone to blame.

              • Felix J. Torres

                To be clear: I’m not saying it’s a vood thing. Or a bad thing.
                Just that companies and governments do this all the time: balance out costs and benefits. And that expecting either to take care of you at the expense of their interests and agendas is just asking for trouble.

        • Then Amazon could split the difference and do what credit cards do, and let you freeze your account if you report it lost or stolen.

          • Felix J. Torres

            Which they do.
            You can go online and deauthorize devices, change passwords, etc, on the fly.

  3. Amazon is being very clever! These devices will now be mandatory for the FBI, NSA, and all government personnel who know that security just gets in the way of getting things done (like our soon to be first female president using her own email server for top secret information).

    I understand they’re also arming the military and police forces with those ID-guns that will only fire for the person with the proper RFID tag on their arm.

  4. According to Engadget, Amazon has done an about-face.


  5. //the proper RFID tag on their arm.//


    Heh, nope. It’ll be a GPS flat metallic disc about the size of a 10 cent piece embedded under the skin and attached to the occipital.

    Nota Bene. While you might think I’m joking, I’m not.

    It will start with parents putting them on their kids, fearing kidnap, wanting to know where they are-then it will creep. Asymmetric warfare/MOUT isn’t going away any time soon.


    • Heh, and a momentary microwave pulse will destroy it …

      My (bad) joke was that the government will never want these things for/on themselves, but for/on the sheeple to better control them.

      Na, embedded in the skull at birth (and it will be illegal to wear tinfoil hats!) 😉

Sorry, the comment form is closed at this time.