android encryption

Probably about the same in terms of being without the password renders you unable to access the encrypted data. You can use the device by wiping the data, but you can't just access the data directly.

That said, there are other factors to consider:

1. iOS will automatically wipe the device after too many failed password attempts. This is part of what the FBI is asking of Apple to bypass so they can try to brute-force their way into the iPhone in question. I don't believe Android universally has this feature enabled, even when the device is encrypted.

2. I'm not an encryption expert, but I've read that the encryption on the iPhone is at a hardware level and on Android it's at a software level (at least for the Nexus 6p and 5x). May have no bearing on how secure it is. That may be more about performance than security.

3. Android is open source and modifiable, so "Android" isn't implemented the same way all across the board. It's possible for manufacturers to modify Android before releasing it (including modifying the way encryption is implemented). iOS is always deployed the same way, because it's all under Apple's control.

In this particular case, it's a very specific phone from a very specific mass-shooting incident, and that very specific phone happens to be an iPhone.

Right now, only the latest Android (Marshmallow) mandates (sans root) encryption, so it's possible in Lollipop and KitKat to not enable encryption, and I think in Jelly Bean and Ice Cream (not sure which), encryption wasn't even available as an option (I may be wrong on that last one—not sure at which point encryption for Android was introduced). Edit: Did some Googling, and apparently encryption became available as an option as of Gingerbread (not Froyo).

The other thing to consider is that a lot of Android phones allow for SD card storage (iPhones do not), so the SD card may not be (and probably isn't) encrypted.

 

Maybe the bad guys in Manhattan prefer iPhones? Other than that, this tells us nothing.

The users's Google credentials (username/password) are used if the pattern/PIN lock attempts are exceeded. Access to encrypted data is only allowed once the device has been unlocked.

Well, that's kind of the point... the user gives the app (Lookout) permission to perform as admin.

 

I don't think it points to a weakness in the encryption protocol. Apple has had mandatory encryption since iOS 8, and they're now on iOS 9.2.1. More importantly, more iPhone users actually do the upgrade because Apple allows them to do the upgrade themselves and actually pesters users to do upgrades.

Android upgrades are notoriously slow (we're up to 1.2% adoption for Marshmallow, which is the first Android release that mandates encryption). So if only 1.2% Android devices are definitely encrypted (maybe some of the other Lollipop and KitKat ones are encrypted, but they aren't necessarily) then it's no small wonder there isn't a large a pile of unbreakable devices with law enforcement.

Well, I guess you could consider that a "less secure" implementation than iOS, since iOS gives you only 10 attempts, but as far as brute-forcing practicality is concerned, 30 attempts isn't significantly more than 10 attempts, especially if your passcode is 4 or more characters long.

I'm not sure about this. If this is correct, yes, it would put Google in an unfortunate position of having access to all its users' phones, which means law enforcement would pester them more for unlocks, and they wouldn't have a good excuse not to comply. If that is the case, I would think Google would take simple measures like "If the password is changed, then the override no longer works," which appears to be the case for the iCloud backup on the iPhone from the San Bernardino shooting. I don't know, because the press doesn't cover Android stuff as much as it does iPhone stuff.

What do you mean by "administrator privileges"? Is your phone rooted? If your phone is rooted, this discussion is moot. The vast majority of Android users do not root their phones.

That said, even root access doesn't give you the ability to bypass encryption. For example, if you do disk-level encryption on your laptop, it doesn't matter if you are a Windows administrator or Mac administrator account—the operating itself won't boot up until you have entered the encryption password.

You can analogize it however you want. That's not how security works. If your question is "Is it encrypted or not?" then, yes, you're correct—it's either encrypted or it's not. But not all encryption implementations are the same, not by a long shot. Encryption relies on keys and passwords, and who has access to those keys and passwords changes how locked down the encryption is, but regardless... it's still encrypted.

Just as you can lock up your valuables in a safe. Anyone with the combination can unlock it, but it's locked either way. Whom you choose to share the combination with changes the overall security, but it doesn't change the fact that the safe is locked.

Yes, it's the real thing. Unless you can take an encrypted Android phone and break into it, don't spread FUD.

 

This will change in the coming years, of course, but Android new-version adoption is very slow, so we're talking probably 2019 before the majority of Android users are using encryption.

Nor am I. I'm an Android user on an Android forum, but I fully recognize there are pros and cons to both phones. I just don't know that there's any evidence that Android phone encryption is lacking in some way.

I think you have to figure out some practical scenarios and what you're worried about happening. Are you concerned about some random person just swiping your phone and getting into your stuff? Are you worried about professional thieves? Are you worried about the government snooping?

I'll tell you now in the first two scenarios, if the thieves see your phone is encrypted, it's way too much effort on their part to even try to bypass that, and their primary concern is the phone itself and being able to re-sell it at a 100% profit margin (they paid you nothing for the phone they stole, and they get to sell it for something, even if it's below market rate).

The government already knows anything that want to about your professional, financial, and health life. They have your social security number. They have your tax information. They know it all. They don't need your phone to get that information.

With the kind of information I have on my phone, I'm fully confident that the encryption on it offers the level of protection I need for my email account, my Candy Crush games, and my Facebook account.

Well, as I mentioned before, Android is open source, so manufacturers have their own implementations of Android. Android isn't one thing. It is a basic thing that other things can be based on. It's possible, if Lookout was preinstalled on your phone, that your phone manufacturer somehow tailored Android's encryption and authentication to be tied to Lookout somehow. That's different from a Nexus user downloading Lookout as a separate application.

 

Of course Google monetizes its customers. The huge bulk of Google's revenue comes from advertisements. That said, they don't "s[ell] ... customer data," at least not individual customer data. They sell in aggregate. If you have ever worked for an organization that uses Google Adwords, you'll know exactly what information you get from Google. It isn't "fields12, living in blah-blah-blah, searched for this exact term and has this kind of job and likes to order blah off Amazon."

This has nothing to do with encryption, though. Once your phone is on and unlocked, it's essentially unencrypted (at least for that session, until it's locked again). If you install third-party apps that ask for totally unnecessary permissions, you are granting those third-party apps your information. They don't have to "hack" anything. You've just given them everything.

I don't see accessing bank accounts through a mobile phone as any riskier than accessing them through a computer, unless you're also arguing (totally legit to do so) that you should never access banking information from a computer, either—go only in person; don't even use an ATM.

 

Yes. Once you log in and start using the device, it is in a temporarily decrypted state. The main benefit to encryption is the prevention of random thieves (or the government, should it seize your phone) randomly poking around on your phone. This also assumes that the thief or other third party can't somehow get the password (or your fingerprint) from you:
https://xkcd.com/538/

In my seven years of using Android phones, I've seen zero evidence of "anti-malware software" improving security for Android users. If anything, it makes a subset of users complacent about real security best practices.

Absolutely this. This 100%.

As far as I can tell, yes.

Every user has to balance security and convenience. There is a good deal of security in mobile banking. It isn't impervious and it's obviously far safer to bank in person, but the added convenience, for a lot of people, is worth the very slight diminishing in security from in-person transactions. In fact, if you want to be way more secure, don't do anything online. Do everything in person. It will be extremely inconvenient, but it will be far more secure.

 

There are a couple different issues at play, encryption, firmware, and where/how one stores and backs-up data.

Practically anybody or any company can implement ridiculously secure encryption of data. You don't need any special hardware (iPhone or Android) to encrypt data. You can get cheap/free encryption programs that will run on Macs, PCs, Linux, etc. that will encrypt data on a hard drive or flash drives such that it would take a massive effort by NSA supercomputers to decrypt the data. So it's not that Apple or Google has better encryption-- it's whether the phone makers force everyone to use encryption. Apparently Apple does on newer phones.

The real problem for law enforcement is that the firmware for recent models of iPhones (5 and up?) only allows 10 wrong password attempts before it wipes the data. That would be a problem even if the iPhone used weak encryption.

Most of us backup our data to the cloud and we willingly give Google/Gmail, Apple, Microsoft (Hotmail), Yahoo, Facebook, etc. the names, numbers, addresses, email addresses, birthdays, job titles, photos, employers, etc. for everybody we know in what is an amazing violation of our friends and family members' privacy. And many people use really easy passwords on their cloud accounts. So I find it amusing that people get worried that the government or terrorists might gain access to their personal information if their phone isn't securely encrypted. If the government or terrorists want your data and they don't already have it, they're not going to steal your phone. They'll just hack into your cloud accounts (probably with a password attack) for Gmail, iCloud, Hotmail, Box, Dropbox, health insurance company, IRS, etc. I wonder if the San Bernadino terrorist set their phones such that they didn't backup to the iCloud.

I don't even put a password on my phone and I would never buy a phone based on its encryption because there about 100 features that are more important to me when purchasing a phone.

I don't think Google sells our personal data. They use our personal data to better target us with ads. Apparently Apple isn't so pure in that regard either.

The reason why criminals in NYC use iPhones more than Android is simple. Criminals are stupid.

 

I fully agree with you, but it's not a matter of opinion. If you've ever worked at an organization or company that uses Google AdWords, you know exactly what data Google gives you, and you are indeed paying to just get better targeted ads—you aren't paying to get personal data (and most advertisers don't really want personal individual non-aggregate data).

 

I'm not sure but I think that the 30-attempts thing is a phone-maker-specific feature, not an Android global feature. I'd guess that your data (whether or not you've chosen to encrypt it) gets deleted after 30 attempts. Not sure.

Encrypting data is an option on Android 4+. I don't think Google would ever make it mandatory because encrypting/decrypting data requires processing horsepower that may cause noticeable performance decreases-- especially on less-powerful phones. You may find the following articles illuminating.
http://bgr.com/2015/03/25/android-lollipop-encryption/
http://www.androidcentral.com/what-full-disk-encryption-android-lollipop

I have no idea if criminals and terrorists commonly avoid cloud backups. Not being able to backup my data would be an absolute deal-breaker for my recruitment.

 

There is an android app named locker that will give you the wipe after too many unsuccessful attempts.

I'm pretty sure my oldest Samsung (Infuse) had something similar built in, because there was a separate password ( puk = on unlock key) , different from your pin, then you could set up ahead of time in order to be able recover after too many unsuccessful pin attempts. I think if you had unsuccessful puk attempts on that second round, then it would wipe

Android Encryption doesn't buy you much if someone can keep guessing until he guesses your pin (10,000 guesses for four digit pin). I'm surprised that's possible. (Am i missing something) . I'm surprised some kind of lock after unsuccessfull attempts is not built into android by default.

 

haha, I wouldn't go that far myself. But if you're willing to "take one for the team" I'd be interested to see what you find. (No pressure).

 

I think Apple has storage encryption by default on all their recent products now. A Macbook Air I bought late last year.


Not sure if it's set to destroy data after X number of attempts with wrong password though, will have to look into that.

 

For a good description of how apple encryption works on the iPhone... Have a look through the past episodes of Security Now a podcast by Steve Gibson on The TWIT network... They went through it in incredible detail over the course of two or three episodes.

There are also written transcripts of them on Steve's GRC.Com website

 

Suspect that the answer is that if your dealing with Apple , you can deal with one organisation once and then get access to all of their devices...

If you try this on Android you have to send the legal team to Google.. Samsung... Huawei... HTC... And all of them as they have different implementations of hardware and firmware.

Once you've beaten apple though it's a lot easier to win against everyone else (which is why non of us should be feeling smug here... Whichever side you sit on in the terms of FBI vs apple we all have a lot riding on this)

So it's as much about tactics as technology