Skip to content

Privacy and Android – Device Encryption

Published by dbof on May 13, 2017

With the uprise of smart phones in general, and more specific Android phones, we as users give our most personal data to private companies like Google. Also, we carry our data with us, risking the theft of what is most precious to us: intimate photos, banking information, passwords and more.

But there are a few measures one can take to minimize the damage of theft and protect your personal data from naughty apps.

This post is Part 2 of a series on privacy tips for Android devices.

Why encryption?

Encrypting your devices is no standard procedure. There are a few phones that are encrypted by default, but it still takes a conscious decision to make.
Deciding if you should encrypt your device depends on the following factors:

  • The Android version

    • Android offers encryption since 4.4 KitKat, but only with version 5.0 Lollipop, Android encryption is really usable. Also, Android 7 Nougat added a lot more functionality.

  • The processing power (mainly processor)

    • With encryption enabled, your device can take a few seconds more to boot. The number and power of the processors (CPU) can be decisive.

  • How secure do you want your data to be?

    • Encryption can have a few drawbacks. You can not retrieve any sensitive data without a password, so if you forget the password, your data is lost. But if your device is stolen and the thief tries to get any personal information, he also gets nothing. For the average user, emails, home addresses and any saved contacts are safe.

Encrypting your device

Device encryption in Android exists since version 4 (Ice Cream Sandwich). It is usually located in the settings, under Security. The encryption requires a PIN or a password, which needs to be entered when you start your device. I have personally never liked the encryption, as it leads to a very slow boot on my Samsung devices.

But things have improved dramatically since version 5.0 Lollipop. Android now features full-disk encryption, which is awesome. Full-disk encryption uses a single cryptographic key to encrypt the user data partition on the device. This key itself is protected by a user-provided password. As before, you need to enter a password to access any user data.

How it works

When you enable full-disk encryption, the device needs a little bit of time to encrypt the internal storage. Note that external SD cards usually do not get encrypted.
Before 5.0, Android decrypts the full internal storage on boot time. This can extend the boot time.
Since Lollipop, only the data partition is decrypted at boot time. The remaining data is decrypted after you unlock the device.

The encryption uses dm-crypt, a Linux kernel feature. The encryption algorithm is AES-128 with cipher-block chaining (CBC).
The website to Full-Disk Encryption describes the process:

Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a default password and stored salt. The default password is: “default_password” However, the resultant hash is also signed through a TEE (such as TrustZone), which uses a hash of the signature to encrypt the master key.

With your personal PIN or pattern, you basically only encrypt the master key, not the data itself.

Advantages

+ The full-disk encryption is fast at boot time. The decryption only runs after starting the device.

+ You can use a pattern, a password, a PIN or no passphrase at all.

+ The encryption procedure is only needed once

Disadvantages

– On some older devices, the encryption procedure could slow down the device. This is mostly based on personal experience, so you need to try it out yourself.

– With full-disk encryption, you can only access your data after you unlock the device. This means that alarm apps do not work as long as you do not unlock the device after reboot. This is not a problem in most cases, as long as your devices do not crash and reboot randomly at night. This is partly solved later in Android 7.0 (see below)

Explaining Direct Boot (Android v7.0)

With Android 7 (Nougat), there is a new so-called Direct Boot mode, which adds functionality for apps on encrypted devices. Basically, you now have file-based encryption. Apps can be configured so they can run even when the device is not unlocked.

This is useful for the following use cases (taken from the Android website):

  • Apps that have scheduled notifications, such as alarm clock apps.
  • Apps that provide important user notifications, like SMS apps.
  • Apps that provide accessibility services, like Talkback.

There are basically two different storages an application can use:

  • Credential encrypted storage is the default storage location and only available after the user has unlocked the device.
  • Device encrypted storage is a storage location available both during Direct Boot mode and after the user has unlocked the device.

Conclusion

Device encryption is great for additional security in case of device loss. Anyone can access your files on an unencrypted device, even when the device is off or protected by a PIN. For a full guide, you can check out this guide.

If you have an older device, without hardware support for encryption or a version < 5.0, it is usually not worth it.

Make sure to stay tuned for Part 3!

Published inAndroidIT-Security

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *