android encryption

Discussion in 'Android Apps & Games' started by fields12, Feb 20, 2016.

  1. mikedt

    Probably because most Android devices out there are not encrypted by default, Apple devices are. But I believe that Marshmallow 6.0 does change that.
     

  2. fields12

    good point;

    once the precedent sets for the big gorilla apple ... the rest of the smaller dominoes will fall ....
     
  3. codesplice

    I don't believe that it's an "all on" or "all off" kind of thing. Data is decrypted on the fly as it is accessed. If the phone is on, only the data currently stored in the device's RAM is not encrypted - all of the "at rest" data on the phone's internal storage remains fully encrypted. That's why you typically see a small I/O performance hit when encryption is enabled - the kernel takes a little bit more time to decrypt data as it is accessed.
     
    scary alien and psionandy like this.
  4. fields12

    that's a good point, codesplice ...

    this is "above my pay grade," but if:

    a. i request the device to access my contacts list;

    b. and my contacts list along with all of the rest of my data is at rest and encrypted;

    c. does not the device processor, in that event, need to decrypt the entire hard drive or decrypt all of the encrypted data first; and then second, after decryption, look for and retrieve and place into RAM ... the contact list?

    d. in other words, if all of the data on my device is jumbled by encryption, how can the processor know where the requested data to retrieve is located, without decrypting all of the data first?
     
    codesplice likes this.
  5. codesplice

    That's a very good question, and the short answer is I don't fully know. I did some digging, and what I found (specific to Android 5.x / Lollipop, rather than Android 6.0 / Marshmallow on my encrypted 6P) has me kind of second-guessing my statement.

    Some interesting bits from Google's Full Disk Encryption AOSP page (again, written for Lollipop):
    That last bit kind of makes it sound like it supports my "decrypt on the fly" statement.

    But...
    So that makes it sound like it is decrypting the whole shebang at once. :-/

    And that kind of falls in line with what I remembered on pre-Marshmallow devices. There would be a false boot which loaded just enough of the framework to prompt for the pin/pattern/password before decrypting /data and continuing the boot.

    With Marshmallow, though, there doesn't seem to be that false boot - it boots straight to the main lockscreen. Enter my PIN/pattern/password and I'm instantly in. I haven't yet found a good resource to explain how/why that might have changed.

    I'll try and do some more reading today if I have time to make both of us smarter. :D
     
  6. fields12

    thanks for your informative research and comments.

    once i encrypted my android 5.1.1. device, i no longer had the option of using a pattern, but rather only a password to unlock the screen. ... i think that "encryption" once enabled, and "lock screen" features, merge.
     
    codesplice likes this.
  7. codesplice

    That's interesting. What device?

     
  8. fields12

  9. fields12

    2/23/16 test results of encryption on android 5.1.1., lg k7 device.

    1. begin test with device "on," "screen off."

    2. tap twice and screen illuminates with normal screen lock message: "enter password."

    3. enter wrong password approximately ten times, and screen message appears: "wrong password entered five times, try again in 30 seconds;"

    4. after 30 seconds; enter wrong password approximately twenty times, and screen message appears: "wrong password entered ten times, try again in 30 seconds;"

    5. after 30 seconds; enter wrong password approximately thirty times and screen message appears: "wrong password entered twenty times, try again in 30 seconds."

    6. after 30 seconds, enter wrong password again a few times and new screen message appears: "account unlock; to unlock, sign in with google account."

    7. enter wrong google account, and screen locks with message "6."

    8. turn off power to phone; and turn power back on; the normal message appears: "type password to decrypt storage; 30/30 attempts remaining."

    9. enter wrong password 29 times; and new message appears: "Final attempt. if you do not enter the correct password your phone will automatically factory data reset, and all files will be erased."

    10. enter wrong password again; and the factory reset begins.

    11. midway through "10" however, new message arrives "This device was reset. To continue sign in with google account that was previously synced on this device." ....

    12. attempt entry of different account; unsuccessful.

    13. enter correct google account email, and reset accomplishes successfully, albeit with no user data surviving from prior usage.

    14. it appears that android 5.1.1., and lg k7 has a fairly robust encryption system in place at the moment and somewhat comparable with the apple alleged "gold standard."

    15. for this user anyhow, it appears more than enough ....; whether it will survive the coming legal challenge, no one knows.
     
    #34 fields12, Feb 23, 2016
    Last edited: Feb 23, 2016
    scary alien, MLSS, codesplice and 2 others like this.
  10. RazzMaTazz

    Fields12: Wow! Thanks for doing this and posting the results! Great to know!

    It's good to know that I could put a password-lock on my phone and thwart potential evildoers who might steal my phone or find my lost phone. I'd consider implementing a password if I traveled abroad.

    It's nice that if you back up your data to the (Gmail/Hotmail, etc.) cloud(s), as most of us do, you could quickly restore any data.

    However, if one has a cloud-backup then the cloud account is subject to attack by evildoers through (in many cases) a relatively simple dictionary password attack on the specific account, or a general attack on the cloud servers. (Though I'd say that's only a concern for those who are paranoid about governments or terrorists getting their personal information, but not paranoid about giving their personal information to corporations like Google, Microsoft, Facebook, Yahoo, et al).

    Did your SD-card get wiped? (I assume just the internal storage is wiped, thereby leaving SD-card-based music files, playlists, and selfies dangerously exposed to terrorists.)
     
  11. fields12

    you're quite welcome.

    i was happy to see the results also.

    * * *

    one parameter of the test that i missed, i have now performed after the reset; and that is:

    1. turn off phone;

    2. turn on phone;

    3. message appears: "type password to decrypt storage. 30/30 attempts."

    4. enter wrong password ten times; and new message appears "type password to decrypt storage 20/30 attempts remaining."

    5. turn off phone to gain or regain 30 attempts at decryption,

    6. turn power back onto phone and new message arrives: "type password to decrypt storage. 20/30 attempts remaining."

    7. so, powering off the device does not restore 30 attempts at password decryption.


    * * *

    I do not have an sd card.


    * * *

    i do not use, and I have turned off back up and cloud storage ... both on the android operating system; and in the google account.
     
    RazzMaTazz and codesplice like this.
  12. codesplice

    Thanks for the thorough testing, @fields12!
     
  13. fields12

    you're quite welcome.

    i am happy to see that android has excellent encryption for myself and 99.9 percent? of android users whose data will not subject them to nsa scrutiny.
     
    codesplice and MLSS like this.
  14. scary alien

    @codesplice, I think the text you quoted:


    contains the significant part regarding how to know where/how to retrieve the data (i.e., there might be un-encrypted meta data pointing to the user data).

    Although it's likely much simpler than this: some encryption key is used to encrypt/decrypt the data at the highest (lowest? I might have that backwards :p) necessary point in the access chain.

    Don't know for sure, though :p.

    ~ ~ ~

    Also, FYI, rooted devices (or rather ones with unlocked bootloaders) do allow (or provide a way, at least ;)) of not being forced to encrypt a device. That's why I like the Nexus line :). A minority of devices overall, to be sure :).

    Very interesting discussion / thread--our esteemed and good friend @EarlyMon should weigh-in on all of this...

    Cheers!
     
    MLSS and codesplice like this.
  15. psionandy

    electricpete, mikedt and scary alien like this.
  16. scary alien

    ^^^ Steve Gibson rules!

    I forgot about that guy (anyone remember wizmo? ;) :p)...can't wait to read those PDFs!

    Thanks, @psionandy!
     
    mikedt and psionandy like this.
  17. fields12

    razzmatazz;

    you previously inquired about what happened to my sd card stored files on reset; and i responded i did not have an sd card.

    i have a lot to learn about mobile phones.

    i now have learned that i do have an sd card; and that i previously confused "microSD card" with "SD card."

    when i performed the factory reset, or more precisely when lg/android performed the factory reset, .... i discovered newly downloaded applications (firefox, speed test, evernote) now residing on the sd card.

    i assumed all mobile phone applications including operating system and others resided on a single "hard disk," like a personal computer, but apparently, smartphones enjoy a variety of "hard drives."

    when the factory reset occurred, the previously downloaded speed test application disappeared, so i assume that the factory reset ... wiped the sd card .... along with other hard drives containing user data.

    i also am not sure what user data means, since segregating emails, for example, from email application .... seems difficult to achieve.
     
  18. codesplice

    Turns out I'm a dummy.

    At Settings > Security > Screen lock:
    screenshot_20160226-162851_1024.png

    A clue! So I went and disabled all my Accessibility-having apps (Tasker, Anticipate, Dashlane, Clip Stack, Inputting+, AutoMate... wow I've got a lot of those), and hopped back in to the same menu.

    I tapped on my existing lock screen method (Pattern) and found this option:
    screenshot_20160226-162959_1024.png

    Enabled that and rebooted. ~15 seconds later:
    IMG_20160226_163224.jpg

    So the encryption in Marshmallow works pretty much the same as it did in Lollipop - except now the user has the option to disable the requirement to enter their passcode before the OS boots fully. I'm guessing that means that the encryption process uses the default password to unlock the master encryption key and allow the OS to boot unless that "require XXX to start device" option is configured.

    Good to know - though a bit aggravating that I can't have a fully-protected securely-encrypted device while still having the convenience of those accessibility-enabled apps. Oh well. There's pretty much always a tradeoff between security and convenience.

    PS: Thanks to @EarlyMon for talking it through with me!
     
    #43 codesplice, Feb 26, 2016
    Last edited: Feb 26, 2016
    scary alien likes this.
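
An added illustration, not written by anyone in this thread and not Android's code, of the two mechanisms the discussion circles around: block-level encryption decrypts one sector at a time as it is read, so nothing else has to be decrypted to find it, and the lock-screen or default password only unwraps a random master key. `ToyDisk`, `sector_pad`, the HMAC keystream, the PBKDF2 settings and the `check` marker are constructed stand-ins, since Android's dm-crypt layer uses a real AES sector cipher.

```python
import hashlib, hmac, os

SECTOR = 512                           # fixed-size sectors, as a block device exposes
DEFAULT_PASSWORD = "default_password"  # stand-in for the OS's built-in default

def kdf(password, salt):
    # Password -> key-encryption key (PBKDF2 chosen for this demo).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sector_pad(key, n):
    # Toy per-sector keystream (HMAC-SHA256 in counter mode), NOT AES.
    return b"".join(
        hmac.new(key, n.to_bytes(8, "big") + i.to_bytes(4, "big"),
                 hashlib.sha256).digest() for i in range(SECTOR // 32))

class ToyDisk:
    def __init__(self, plaintext, password=DEFAULT_PASSWORD):
        master = os.urandom(32)                        # random disk key
        self.salt = os.urandom(16)
        # Only this wrapped copy depends on the password; changing the
        # password re-wraps 32 bytes instead of re-encrypting the disk.
        self.wrapped = xor(master, kdf(password, self.salt))
        self.check = hashlib.sha256(master).digest()   # demo-only unlock marker
        plaintext += b"\0" * (-len(plaintext) % SECTOR)
        self.sectors = [xor(plaintext[i:i + SECTOR], sector_pad(master, i // SECTOR))
                        for i in range(0, len(plaintext), SECTOR)]
        self.decrypted = 0                             # sectors decrypted so far

    def unlock(self, password=DEFAULT_PASSWORD):
        master = xor(self.wrapped, kdf(password, self.salt))
        ok = hmac.compare_digest(hashlib.sha256(master).digest(), self.check)
        return master if ok else None

    def read(self, master, n):
        # Sector numbers are not secret: the layout is unchanged, only the
        # contents are scrambled, so just the requested sector is decrypted.
        self.decrypted += 1
        return xor(self.sectors[n], sector_pad(master, n))

def demo():
    # Constructed disk image: 8 sectors, "contacts" live in sector 3.
    data = (b"A" * SECTOR * 3 + b"contacts: alice, bob".ljust(SECTOR, b"\0")
            + b"B" * SECTOR * 4)
    disk = ToyDisk(data, password="hunter2")
    key = disk.unlock("hunter2")
    contacts = disk.read(key, 3).rstrip(b"\0")
    return contacts, disk.decrypted, len(disk.sectors), disk.unlock("wrong")
```

On a real device the filesystem finds "sector 3" by reading its own metadata, which sits in other encrypted sectors and is decrypted the same way, one sector per read.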
  19. scary alien

    Ah, thanks, @codesplice--I get that pattern confirmation prompt when I boot-up--it must be a default setting since I don't believe I enabled it initially.

    :)
     
    codesplice likes this.
