Android and data encryption. About how bad everything is and why it’s unlikely to get better

The recent debate in the US between law enforcement and tech giants over smartphone encryption has once again brought this issue into the spotlight. No one will dispute that protecting your personal data is an important topic, so we're happy to tell you that Android offers the necessary tools to encrypt your smartphone right out of the box. If you're interested and want to know where to start, this guide will tell you how to encrypt your Android smartphone or tablet.

What is device encryption and what does it do?
Before you encrypt your device, it makes sense to understand what encryption is and what the pros and cons of this solution are.

Device encryption is not a one-size-fits-all solution for protecting all of your data or information from prying eyes, especially when sent over the Internet. Instead, device encryption converts all data stored on the phone into a form that can only be read with the correct credentials. This solution provides better security than a password lock because, without encryption, data can be obtained without going through the lock screen using recovery programs, bootloaders or Android Debug Bridge.

Encrypted music, photos, apps, and credentials cannot be read without first decrypting the information, which requires a unique key. Thus, part of the procedure happens behind the scenes, where the user's password is converted into a key, which is stored in the "Trusted Environment" to remain inaccessible to third-party users in the event of a software attack. This key will be required to encrypt and decrypt files.

In Android, encryption is simple from the user's point of view, since you enter your secret code whenever you unlock your device, making your files accessible. This means that if your phone falls into the wrong hands, no one else will be able to read the data on your phone without knowing the password.

And before you dive headfirst into encryption, there are a few things you should consider. First, opening encrypted files requires additional computing power, so encryption will impact your phone's performance. Memory read speeds may become significantly slower on older devices, but the performance hit for the vast majority of regular tasks remains very small, if noticeable at all.

Secondly, only some smartphones will offer the option to remove encryption from your smartphone. Encryption is a one-way solution for most smartphones and tablets. If your phone does not offer the ability to decrypt your phone data, the only option to perform a full rollback is to return to factory settings, which will erase all of your personal data. Check this point in advance.
Having understood the situation, let's see how to enable encryption.

Encrypting my device

Device encryption works the same on all Android devices, although the methods used to implement it may change slightly over time. Some devices come with active encryption out of the box, such as the Nexus 6 and Nexus 9, and if your device is not encrypted, doing so in Android is very simple.

Android 5.0 or higher...

For smartphones and tablets running Android 5.0 or later, you can go to the Security menu under Settings. The path here may vary slightly depending on your OEM, but on stock Android you will find encryption in the Settings > Personal > Security section.


Here you should see an option to Encrypt Phone or Encrypt Tablet. You'll be prompted to plug your device into a charger while encryption is happening to make sure your phone doesn't turn off during the process, causing errors. If you haven't already done so, you'll be prompted to set a screen lock PIN or password, which you'll need to enter when you turn on your smartphone to access your encrypted files. Be sure to remember your password!

Android 4.4 and older...

If you are using a smartphone running Android 4.4 KitKat or older, you must set a PIN or password before starting the encryption process. Fortunately, this is not difficult: go to Settings - Security - Screen Lock. Here you can choose a pattern, a PIN or a mixed password to lock the screen. You will use the same password after encryption, so pay attention to it.

Once you're done with this, you can return to the Security menu and tap "Encrypt phone." You will need to connect the device to a charger and read the warning messages, and you will almost always have to confirm the PIN or password one last time for the encryption process to begin.


Encrypting your phone may take an hour or more, depending on how powerful your smartphone is and how much data is stored on the device. Once the process is finally completed, you can enter your PIN and continue working with your encrypted device as if nothing had happened.

Returning to the Security menu, you will also likely learn about the ability to encrypt files on the MicroSD memory card. This is a recommended step if you want to keep all your data safe, but not really necessary if you only use MicroSD to store music or movies that have no personal value.

With this decision come several caveats. Firstly, you will no longer be able to use MicroSD cards with other devices without completely removing the encrypted data, since other computers/devices will not know the encryption key. And while an encrypted MicroSD card can still be used to move files, this will only last as long as you access the encrypted files from the phone used to encrypt them. Additionally, if you reset your device before decrypting your files, the key will be lost and you will not be able to access the protected files on your MicroSD card. So think through the situation carefully.

When you've finished...

That's all you really need to encrypt your Android device. This is a great way to protect your data much more securely. There is a minor trade-off in terms of performance, but any differences should be very difficult to notice on modern mobile phones.


Additional options with third party applications

If you don't want to go through a heavy-duty encryption process on all of your device's data, there are a small number of Android apps available in the Google Play store which offer a variety of selective features, including encryption of a single file, text, or folder.

SSE - Universal application encryption
SSE has been on this market for quite a long time and still seems to receive small updates. Instead of implementing bulk encryption of your phone, SSE can be used to protect and decrypt individual files or directories, which is what you need if you want to protect a few items selectively. You can set a password that will serve as a decryption key, and you can also create encrypted copies of files or completely replace them.

The app also has a text encryptor and password storage. The text editor can be used to store encrypted notes that can be shared across platforms. The vault is designed to store and manage all your passwords, PINs, and notes in one secure place, protected by a master password. The feature works similarly to LastPass.

Final Thoughts
Considering the amount of sensitive personal information we keep on our mobile devices today, including banking details, encrypting Android devices is a smart decision. There are quite a few options that provide different levels of security, from system-wide Android encryption to applications dedicated to encrypting specific files. Please note that encryption does not provide full protection from everything, but it offers excellent protection in case the device is stolen.

One of the innovations in the fifth version of Android is the ability to completely encrypt the contents of the device's memory. Theoretically, it completely eliminates unauthorized access to files on a lost or stolen smartphone or tablet if logging into the operating system is password protected. In addition, encryption prevents virus apps and Trojans from stealing your data. Even if an attacker steals any information, he will not be able to read it, since the encryption key is generated every time the device is turned on.

Google initially required manufacturers to enable full encryption on all Lollipop devices, but in early March it made changes to the Android Compatibility program. It now states that manufacturers are recommended to enable full encryption, but this is not required. It is known that the Google Nexus 6 and Nexus 9 have this protection, while on the Motorola Moto E and Samsung Galaxy S6 it is disabled by default.

Full encryption helps protect personal data from strangers, but has a negative impact on device performance. For example, the Galaxy S6 and Galaxy S6 Edge with encryption enabled show only 48 thousand points in AnTuTu, and about 70 thousand without it.


Benchmark readings are one thing, but how fast a device works in real life is another. Some people can get used to a little lag, while others can't, so whether or not to enable full encryption is a personal choice for each user. If data privacy is more important to you, it's better to turn it on. And if you don't store anything on your smartphone or tablet that could embarrass you, you don't have to turn it on (or turn it off) - in which case you may notice an increase in the device's performance.

You can check whether encryption is enabled in system settings. If you decide to encrypt your data, find the appropriate item in the settings and specify a password that will subsequently be used to cancel encryption. The device will restart, begin encryption, and turn on in a few minutes. How long this will take depends on the amount of data being processed. The contents of a memory card can also be encrypted, but after that it will no longer be readable by other devices.


You can cancel encryption in the same menu item. You will need to enter the password you specified earlier, after which the device will reboot, remove the encryption and turn on again. Please be aware that all personal information and installed applications will be erased in this case.

Disabling encryption on the Nexus 6 and Nexus 9 is not recommended because this process triggers the bootloader unlocking, which in rare cases can cause the device to crash.

Data encryption in the Android OS is closely related to two problems: controlling access to memory cards and transferring applications to them. Many programs contain activation data, payment information, and confidential information. Protecting it requires management of access rights, which the typical FAT32 file system used on cards does not support. Therefore, in each version of Android, approaches to encryption changed dramatically - from the complete absence of cryptographic protection of removable media to their deep integration into a single partition with on-the-fly encryption.

The special role of the memory card

Initially, Android developers intended to use the memory card only as a separate storage for user files. It was just a multimedia warehouse without any requirements for its protection and reliability. microSD(HC) cards with FAT32 coped well with the role of simple storage, freeing the internal memory from photos, videos and music.

The ability to transfer not only multimedia files, but also applications to a memory card first appeared in Android 2.2 Froyo. It was implemented using the concept of encrypted containers for each application, but this protected only against the card falling into the wrong hands, not the smartphone.

Moreover, it was a half-measure: many programs were transferred partially, leaving some of the data in internal memory, and some (for example, system ones or containing widgets) were not transferred to the card at all. The very possibility of transferring applications depended on their type (pre-installed or third-party) and internal structure. For some, the directory with user data was immediately located separately, while for others it was located in a subdirectory of the program itself.

If applications made intensive use of read/write operations, the reliability and speed of the cards could no longer satisfy the developers. They deliberately made it impossible to transfer such programs by standard means. Thanks to this trick, their creation was guaranteed to be installed in the internal memory, with its large rewrite endurance and high performance.

With the fourth version of Android, it became possible to choose where to place the application. It was possible to designate a memory card as the default disk for installing programs, but not all firmware supported this function correctly. How it worked on a specific device could only be found out experimentally.

In the fifth version of Android, Google again decided to return to the original concept and did everything to make it as difficult as possible to transfer applications to a memory card. Large manufacturers caught the signal and added monitoring functions to their firmware that detect user attempts to forcefully move applications to the card using root. Only the option of creating hard or symbolic links worked more or less. In this case, the application was found at the standard address in the built-in memory, but was actually located on the card. However, confusion was caused by file managers, many of which did not process links correctly. They showed the wrong amount of free space, because they assumed that the application takes up space both in the built-in memory and on the card at the same time.

Adapt it!

Android Marshmallow introduces a compromise called "Adaptive Storage" - Adoptable Storage. This is Google's attempt to keep the sheep safe and the soldiers happy.

The Adoptable Storage function allows you to combine a user partition in the built-in memory with a partition on the card into one logical volume. In fact, it creates an ext4 or F2FS partition on the card and adds it to the user partition of the internal memory. It is a purely logical merge operation, vaguely reminiscent of creating a spanned volume from multiple physical disks in Windows.

During the process of combining with internal memory, the card is reformatted. By default, its entire capacity will be used in the merged volume. In this case, the files on the card can no longer be read on another device - they will be encrypted with a unique device key, which is stored inside the trusted execution environment.

As an alternative, you can reserve space on the card for a second partition with FAT32. The files stored on it will be visible on all devices, as before.

The method for dividing the card is set either through the Adoptable Storage menu or through the Android Debug Bridge (ADB). The latter option is used in cases where the manufacturer has hidden Adoptable Storage from the menu, but has not removed this function from the firmware. For example, it is hidden in the Samsung Galaxy S7 and LG's top smartphones. Lately there has been a general tendency to remove Adoptable Storage from flagship devices. It is considered a crutch for budget smartphones and tablets that do not have enough built-in Flash memory.

However, it is not up to marketers to decide how we use our devices. Via ADB on a Windows computer, the Adoptable Storage function is enabled as follows.

  1. Back up all data on the card - it will be reformatted.
  2. Install the Java SE Development Kit from the Oracle website.
  3. Install the latest version of Android SDK Manager.
  4. Enable USB debugging on your smartphone.
  5. Launch SDK Manager and write on the command line:

    where x:y is the memory card number.

  6. If you want to leave a part for the FAT32 volume, then change the command from step 7 to this:

    $ sm partition disk:x:y mixed nn

    where nn is the remaining volume as a percentage for a FAT32 volume.

For example, the command sm partition disk:179:32 mixed 20 will add 80% of the card’s capacity to the built-in memory and leave a FAT32 volume on it with 1/5 of its capacity.
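The steps above, collected into one guarded script as an added example (not from the original article): it takes the disk id from `sm list-disks adoptable`, rejects ambiguous or malformed input, and only prints the `adb` command unless `RUN=1` is set. The function names, the `RUN` switch, the 1-99 ratio limit and the sample disk list are assumptions of this example; `sm list-disks` and `sm list-volumes` are `sm` subcommands that do not appear in the text above.

```shell
#!/bin/sh
# Added example: guarded wrapper around the `sm partition` commands.
# Repartitioning erases the card, so the script is a dry run by default.

# Constructed sample of what `adb shell sm list-disks adoptable` prints.
SAMPLE_LIST_DISKS='disk:179:32'

# pick_disk: read `sm list-disks adoptable` output on stdin and print the
# disk id only if exactly one adoptable disk was reported.
pick_disk() {
    ids=$(tr -d '\r' | grep '^disk:' || true)
    if [ -z "$ids" ]; then
        echo "error: no adoptable disk reported" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$ids" | wc -l)" -ne 1 ]; then
        echo "error: several disks reported, pick one by hand:" >&2
        printf '%s\n' "$ids" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

# build_partition_cmd DISK private | DISK mixed NN
# Prints the `sm` command line. NN is the share of the card, in percent,
# left as a FAT32 volume (limited to 1-99 here by this script's own choice).
build_partition_cmd() {
    disk=$1; mode=$2; ratio=${3:-}
    # The id is later handed to a remote shell: allow only digits and the
    # separators seen in disk ids, so nothing else can ride along.
    case $disk in
        disk:|disk:*[!0-9:,_]*) echo "error: bad disk id: $disk" >&2; return 1 ;;
        disk:*) ;;
        *) echo "error: bad disk id: $disk" >&2; return 1 ;;
    esac
    case $mode in
        private)
            if [ -n "$ratio" ]; then
                echo "error: 'private' takes no ratio" >&2; return 1
            fi
            echo "sm partition $disk private" ;;
        mixed)
            case $ratio in
                ''|*[!0-9]*) echo "error: 'mixed' needs a numeric ratio" >&2; return 1 ;;
            esac
            if [ "$ratio" -lt 1 ] || [ "$ratio" -gt 99 ]; then
                echo "error: ratio must be 1-99" >&2; return 1
            fi
            echo "sm partition $disk mixed $ratio" ;;
        *) echo "error: mode must be 'private' or 'mixed'" >&2; return 1 ;;
    esac
}

# adopt_card MODE [NN]: the whole procedure. With RUN=1 it talks to the
# device through adb; otherwise it uses the constructed sample and prints.
adopt_card() {
    if [ "${RUN:-0}" = 1 ]; then
        disk_id=$(adb shell sm list-disks adoptable | pick_disk) || return 1
    else
        disk_id=$(printf '%s\n' "$SAMPLE_LIST_DISKS" | pick_disk) || return 1
    fi
    cmd=$(build_partition_cmd "$disk_id" "$@") || return 1
    if [ "${RUN:-0}" = 1 ]; then
        adb shell "$cmd" && adb shell sm list-volumes all
    else
        echo "adb shell $cmd"
    fi
}

# Dry run with the article's numbers: 80% adopted, 20% left as FAT32.
adopt_card mixed 20
```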

On some smartphones, this method “as is” no longer works and requires additional tricks. Manufacturers are doing everything to artificially divide their products into market niches. Top models are produced with different amounts of built-in memory, and there are fewer and fewer people willing to overpay for it.

Some smartphones do not have a memory card slot (for example, the Nexus series), but support connecting USB-Flash drives in OTG mode. In this case, the flash drive can also be used to expand the internal memory. This is done with the following command:

$ adb shell sm set-force-adoptable true

By default, the ability to use USB-OTG to create custom storage is disabled because unexpected removal could result in data loss. The probability of a memory card being disconnected suddenly is much lower because of its physical placement inside the device.

If problems arise with adding the volume of removable media or dividing it into partitions, then first remove all information about the previous logical layout from it. This can be done reliably using the Linux utility gparted, which on a Windows computer runs from a boot disk or in a virtual machine.

According to official Google policy, applications can be directly installed or moved to adapted storage if the developer has specified this in the android:installLocation attribute. The irony is that not all of Google's own apps allow this yet. There are no practical limits to “adapted storage” in Android. The theoretical limit for Adoptable Storage is nine zettabytes. There is not that much even in data centers, and memory cards of larger capacity certainly will not appear in the coming years.

The encryption procedure itself when creating an adapted storage is performed using dm-crypt - the same Linux kernel module that performs full-disk encryption of the built-in memory of a smartphone (see the previous article “”). The AES algorithm is used in cipher block chaining (CBC) mode. A separate initialization vector with salt (ESSIV) is generated for each sector. The digest length of the SHA hash function is 256 bits, and the key itself is 128 bits.
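How the per-sector ESSIV value is derived, as an added example (not code from the article or from dm-crypt): the volume key is hashed with SHA-256, the digest becomes an AES-256 key, and that key encrypts the sector number (64-bit little-endian, zero-padded to one block) to give the CBC initialization vector. It assumes the `openssl` command-line tool is installed; the function names are this example's own and the 128-bit key is constructed test data.

```shell
#!/bin/sh
# Added example: ESSIV derivation for aes-cbc-essiv:sha256 with openssl.

# bin_to_hex: stdin bytes -> one lowercase hex string.
bin_to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# hex_to_bin HEX: write the raw bytes of an (already validated) hex string.
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}          # first two hex digits
        h=${h#??}
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# sector_block N: sector number as 64-bit little-endian, zero-padded to a
# single 16-byte AES block. With a "plain" IV scheme this block would itself
# be the IV, fully predictable to anyone who knows the sector number.
sector_block() {
    n=$1; i=0
    while [ "$i" -lt 16 ]; do
        printf "\\$(printf '%03o' $(( n & 255 )))"
        n=$(( n >> 8 )); i=$(( i + 1 ))
    done
}

# essiv_iv KEY_HEX SECTOR: print the IV for that sector as hex.
#   salt = SHA-256(volume key)            (256 bits, whatever the key size)
#   IV   = AES-256-ECB(salt, sector_block) (one block, no padding)
essiv_iv() {
    key_hex=$1; sector=$2
    case $key_hex in
        ''|*[!0-9a-fA-F]*) echo "error: key must be hex" >&2; return 1 ;;
    esac
    if [ $(( ${#key_hex} % 2 )) -ne 0 ]; then
        echo "error: odd number of hex digits" >&2; return 1
    fi
    case $sector in
        ''|*[!0-9]*) echo "error: sector must be a number" >&2; return 1 ;;
    esac
    salt=$(hex_to_bin "$key_hex" | openssl dgst -sha256 -binary | bin_to_hex)
    if [ ${#salt} -ne 64 ]; then
        echo "error: could not compute SHA-256 (is openssl installed?)" >&2
        return 1
    fi
    sector_block "$sector" | openssl enc -aes-256-ecb -nopad -K "$salt" | bin_to_hex
}

# Constructed 128-bit volume key, for demonstration only.
DEMO_KEY=000102030405060708090a0b0c0d0e0f

for s in 0 1 2; do
    printf 'sector %s  plain IV %s  ESSIV %s\n' \
        "$s" "$(sector_block "$s" | bin_to_hex)" "$(essiv_iv "$DEMO_KEY" "$s")"
done
```

Without the volume key the ESSIV column cannot be predicted from the sector number, which is the property the salt is there to provide; it does not change the other properties of CBC.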

This implementation, although inferior in reliability to AES-XTS-256, is much faster and is considered reliable enough for consumer devices. A nosy neighbor is unlikely to open an encrypted adapted storage in a reasonable time, but intelligence agencies have long learned to exploit the shortcomings of the CBC scheme. In addition, in reality, not all 128 bits of the key are completely random. Unintentional or intentional weakening of the built-in pseudo-random number generator is the most common problem in cryptography. It affects not only Android gadgets, but all consumer devices in general. Therefore the most reliable way to ensure privacy is not to store confidential data on your smartphone at all.

If you perform a factory reset after merging the memory using Adoptable Storage, the data on the card will also be lost. Therefore, you should first make a backup of it, or better yet, set up cloud synchronization right away.

Alternative encryption of data on a memory card

Now that we have dealt with the peculiarities of storing files on a memory card in different versions of Android, let’s move on directly to encrypting them. If you have a device with Android 6 or newer, then with a high probability you can activate the Adoptable Storage function in it one way or another. Then all data on the card will be encrypted, just like in the built-in memory. Only the files on the additional FAT32 partition will remain open, if you chose to create it when reformatting the card.

In earlier releases of Android, things are much more complicated, since before version 5.0 cryptographic protection did not affect memory cards at all (except for data from transferred applications, of course). “Regular” files on the card remained open. To close them from prying eyes, you will need third-party utilities (which often turn out to be only a graphical shell for built-in tools). With all the variety of existing methods, four are fundamentally different:

  • use of a universal cryptocontainer - a file with an image of an encrypted volume in a popular format that applications for different OSes can work with;
  • transparent encryption of files in a specified directory via the FUSE driver and a third-party utility for creating/mounting an encrypted partition as a file;
  • encryption of the entire memory card via dm-crypt;
  • using a “black box” - a separate application that stores encrypted data in its own format and does not provide access to it for third-party programs.

The first option is familiar to anyone who uses TrueCrypt or one of its forks on a computer. There are applications for Android that support TrueCrypt containers, but their limitations are different.

The second option allows you to organize “transparent encryption”, that is, store all data encrypted and decrypt it when accessed from any application. To do this, all data from the selected directory is represented as the contents of a virtual file system with support for on-the-fly encryption. EncFS is usually used, which we will talk about in more detail below.

The third option is built-in dm-crypt. You can use it, for example, through LUKS Manager. The application requires root and BusyBox installed. Its interface is not for everyone.

LUKS Manager creates a crypto container on the card as a file. This container can be mounted on an arbitrary directory and used like a regular one. The advantage is that this solution has cross-platform support. You can work with the container not only on an Android gadget, but also on a desktop: on Linux - through cryptsetup, and on Windows - through the program or its fork LibreCrypt. The downside is the inconvenience of using it in conjunction with cloud services. Every time, you have to re-save the entire container to the cloud, even if only one byte has changed.

The fourth option is generally of little interest, since it greatly limits the scenarios for using encrypted files. They can only be opened by some specialized application, and you have to trust that its developer has succeeded in studying cryptography. Unfortunately, most of these applications do not stand up to criticism. Many of them have nothing to do with cryptography at all, since they simply mask files instead of encrypting them. At the same time, the description may mention strong algorithms (AES, 3DES...) and quotes from Schneier’s “Applied Cryptography”. At best, such programs will have a very bad implementation of encryption, and at worst there will be no encryption at all.

There is no official VeraCrypt client for Android and none is planned, but its authors recommend using the EDS (Encrypted Data Store) application. This is a Russian development that exists in a fully functional version and a lightweight one. The full version of EDS costs 329 rubles. It supports crypto containers in the TrueCrypt, VeraCrypt and CyberSafe formats, as well as LUKS and EncFS. It can work with local, network and cloud storage, providing other applications with transparent encryption. On-the-fly encryption requires OS kernel support for the FUSE framework and root rights. Regular work with crypto containers is possible on any firmware.

The EDS Lite version is distributed free of charge and has functional limitations. For example, it can work exclusively with containers containing a volume with the FAT file system, encrypted using the AES algorithm with a key length of 256 bits and using the SHA-512 hash function. It does not support other options. Therefore, it is worth focusing on the paid version.

A crypto container is the most reliable and universal way. It can be stored in any file system (even FAT32) and used on any device. All data that you encrypted on your desktop will become available on your smartphone, and vice versa.

EncFS

In 2003, Valient Gough (a software engineer from Seattle who wrote software for NASA and later worked for Google and Amazon) released the first release of a free file system with a built-in transparent encryption mechanism - EncFS. It interacts with the OS kernel through a callback layer, receiving requests through the libfuse interface of the FUSE framework. At the user's choice, EncFS uses one of the symmetric algorithms implemented in the OpenSSL library - AES and Blowfish.

Since EncFS uses the principle of creating a virtual file system, it does not require a separate partition. On Android OS, you just need to install an application that supports EncFS and just point it to a couple of directories. One of them will store the encrypted content (let it be called vault), and the second - temporarily decrypted files (let's call it open).

After entering the password, the files are read from the vault directory and are stored decrypted in open (as in a new mount point), where they are available to all applications. After finishing work, click the Forget Decryption button (or its equivalent) in the application. The open directory will be unmounted, and all decrypted files will disappear from it.

Disadvantages: EncFS does not support hard links, since the data is bound not to the inode, but to the file name. For the same reason, file names up to 190 bytes in length are supported. In the vault directory, file names and contents will be hidden, but metadata will remain available. You can find out the number of encrypted files, their permissions, and the last time they were accessed or modified. There is also a clear sign of using EncFS - this is a settings file with the encfs prefix and the version number in its name. The file contains encryption parameters, including the algorithm, key length, and block size.

A paid audit of EncFS was performed in February 2014. It concludes that "EncFS is likely to be secure as long as the attacker has only one set of encrypted files and nothing more." If more data is available to the attacker (for example, two snapshots of the file system taken at different times), then EncFS cannot be considered reliable.

After installation, EncFS will be visible as a separate user-space file system via the FUSE driver. Access to it will be provided through some third-party application - for example, the file manager Encdroid or Cryptonite. The latter is based on the EncFS source code, so we will focus on it.

Cryptonite

The latest version of the Cryptonite application is 0.7.17 beta dated March 15, 2015. It can be installed on any device with Android 4.1 and higher, but some functions work more stably in Android 4.3 and later versions.

Most operations in Cryptonite do not require root or any specific components. Creating EncFS volumes and synchronizing with Dropbox can be performed on both official and custom firmware.

Cloud synchronization of encrypted files

However, a number of operations will require mounting EncFS volumes, which requires root rights and support for the FUSE framework by the OS kernel. The use of FUSE is necessary to organize “transparent encryption”, that is, so that other applications can access encrypted data and receive it already decrypted. Most older firmwares do not support FUSE, but it is available in CyanogenMod, MIUI, AOKP and other custom ones. Starting with Android 4.4, FUSE is standardly used to emulate an SD card in the built-in memory.

Disadvantages: When you click “Decrypt” and successfully enter the password, Cryptonite creates a temporary copy of the decrypted file in /data/data/csh.cryptonite/app_open/. A copy of the file is marked as world readable (readable and executable for everyone). You can delete decrypted files by clicking the Forget Decryption button.
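A way to check for the exposure described above, as an added example (not part of Cryptonite or of the original article): it lists decrypted files that another UID could actually open, which requires the "other" read bit on the file and the "other" search bit on every directory leading to it, and then removes group and other access. The function names are this example's own and the demo tree is constructed; on a device the same functions would be pointed at the app's data directory from a root shell.

```shell
#!/bin/sh
# Added example: audit a directory of decrypted files for exposure to
# other UIDs, then lock it down. Uses only POSIX find, chmod and dirname.

# has_mode PATH BITS: true if PATH has all permission BITS set (e.g. 004).
has_mode() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# exposed_files TOP DIR: print regular files under DIR that another UID can
# open. A world-readable file is only reachable if every directory from its
# parent up to and including TOP is world-searchable (o+x).
exposed_files() {
    top=${1%/}; dir=${2%/}
    find "$dir" -type f -perm -004 | while IFS= read -r f; do
        d=$(dirname "$f"); reachable=1
        while :; do
            has_mode "$d" 001 || { reachable=0; break; }
            case $d in "$top"|/|.) break ;; esac
            d=$(dirname "$d")
        done
        if [ "$reachable" -eq 1 ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# lock_down DIR: remove group/other access from DIR and everything in it.
lock_down() { chmod -R go-rwx "$1"; }

# Demo on a constructed tree that mimics <app data dir>/app_open.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/pkg/app_open"
    chmod 755 "$t/pkg" "$t/pkg/app_open"
    printf 'decrypted note\n' > "$t/pkg/app_open/note.txt"
    chmod 644 "$t/pkg/app_open/note.txt"        # world readable
    printf 'private\n' > "$t/pkg/app_open/key.txt"
    chmod 600 "$t/pkg/app_open/key.txt"         # owner only

    echo "exposed before lock_down:"
    exposed_files "$t/pkg" "$t/pkg/app_open"
    lock_down "$t/pkg/app_open"
    echo "exposed after lock_down:"
    exposed_files "$t/pkg" "$t/pkg/app_open"
    rm -rf "$t"
}

demo
```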


Conclusions

The method of encrypting data on a memory card should be chosen based on two main criteria: the usage scenario and the Android version. On modern gadgets with Android 6.0 and higher, the easiest option is to use Adoptable Storage, attach the card to the internal memory and transparently encrypt the entire logical volume. If you need to make files available on other devices or add encryption of data on a card in older devices, crypto containers of proven formats are suitable. It is better to avoid third-party “thing-in-itself” utilities altogether, because instead of really protecting data, they often only imitate it.

Last updated on February 18, 2017.

Google introduced full data encryption on Android phones running Gingerbread (2.3.x), but it has undergone some dramatic changes since then. On some more expensive phones running Lollipop (5.x) and above, it is enabled out of the box, while on some older or earlier devices you must enable it yourself. You can read how to encrypt flash drives.

Why you might need phone encryption

Encryption stores your phone's data in an unreadable, scrambled form. (To actually perform the low-level encryption functions, Android uses dm-crypt, which is the standard disk encryption system in the Linux kernel. This is the same technology used by various Linux distributions.) When you enter a PIN, password, or pattern on the lock screen, the phone decrypts the data, making it readable. If someone doesn't know the PIN or password, they won't be able to access the data. (On Android 5.1 and above, encryption does not require you to set a PIN or password, but doing so is highly recommended because without a PIN or password, the effectiveness of the encryption is reduced.)

Data encryption protects sensitive data on your phone. For example, corporations with sensitive business data on their phones will need to use encryption (with screen locking) to protect that data from corporate espionage. An attacker will not be able to access the data without the encryption key, although there are more advanced hacking methods that make this possible.

If you are a regular user, you may think that you don't have sensitive data on your phone, but you're probably wrong. If your phone is stolen, the thief now has access to your email inbox, knows your home address, and has a large amount of other personal information. A standard unlock code will keep most thieves away from your data, regardless of whether the device is encrypted or not. Most thieves are more interested in selling your phone (resetting data) than in accessing your personal data. But this does not mean that you do not need to protect your data.

Things to consider before enabling encryption

Select a pattern, PIN or password to set up your security.

You will be offered a choice: protection using a PIN code, password or pattern at startup. The choice is up to you, but we recommend choosing some kind of protection as it increases the security of your device.

Note that even with a fingerprint reader, you can't use your fingerprint to unlock the device the first time you boot—you'll have to enter a password, PIN, or pattern. Once the device has been decrypted using the correct method, the fingerprint scanner can already be used to unlock the screen.

From now on, your device will be encrypted, but if you want to disable encryption, you can do so by performing a factory reset. If you have a new device that automatically has encryption enabled, there is no way to disable it, not even through a factory reset.

Hello friends! Today's article will look at programs for encrypting files, more precisely for working with cryptocontainers in Android. For those who do not know what a crypto container is, we talked about it in this article.

We will not consider highly specialized items, photographs, etc. We have already talked about all this in previous publications (use the site search form). In this article, we will not study each application separately. This is a superficial overview of all popular data encryption programs for Android. In the future, following this article, there will be separate instructions for each application.

You may also be interested in the article “”, in which we talked about how to securely encrypt correspondence using the application and K-9 Mail.

The following encryption programs are currently available:

  • LUKS Manager;
  • EDS Lite;
  • Cryptonite;
  • CyberSafe Mobile.

In addition, the application allows you to share encrypted files with other users and to encrypt arbitrary folders on Google Drive. However, in every barrel of honey there is a fly in the ointment: the application is paid, and its free version limits the maximum password length to only 2 characters, which, as you understand, is very small. On the other hand, the application is very inexpensive (less than $3), and it restricts the password only when creating a container, not when opening one. That is, if you need to use the application with the same set of data on different devices, you can create a container on one device and copy it to another, and buy the program only on one device (the one on which you will create the container).

Data encryption application for Android

Which app should you choose?

The answer is simple. If you use TrueCrypt on your personal computer, then the choice is obvious: EDS Lite. If you want cloud encryption, it looks like you'll have to upgrade to CyberSafe on your computer.

Briefly: If you use a graphic key to access your phone, then 99% of the time this is enough to ensure that no one can access the information on your phone without your knowledge. If the data on your phone is very sensitive, then you should use the phone's built-in full encryption feature.

Today, almost all smartphones have become carriers of important personal or corporate data. Also, through the owner's phone, you can easily access their accounts, such as Gmail, Dropbox, Facebook and even corporate services. Therefore, to one degree or another, it is worth worrying about the confidentiality of this data and using special means to protect your phone from unauthorized access in case of theft or loss.

  1. From whom should you protect your phone data?
  2. Built-in data protection in Android.
  3. Full phone memory encryption
  4. Results

What information is stored on the phone and why protect it?

A smartphone or tablet often serves as a mobile secretary, freeing the owner’s head from storing a large amount of important information. The phone book contains numbers of friends, co-workers, and family members. Credit card numbers, access codes, passwords to social networks, email and payment systems are often written in the notebook.
The list of recent calls is also very important.
Losing your phone can be a real disaster. Sometimes phones are stolen specifically to pry into the owner's personal life or to share profits with the owner.
Sometimes they are not stolen at all, but used unnoticed for a short time; a few minutes is quite enough for an experienced malicious user to find out all the details.

Loss of confidential information can result in financial ruin, the collapse of your personal life, and the breakup of your family.
“I wish I hadn't had it!” the former owner will say. “It’s so good that you had it!” the attacker will say.

So, what needs to be protected on the phone:

  1. Accounts. This includes, for example, access to your Gmail mailbox and, if you have set up synchronization, to Facebook, Dropbox and Twitter. Logins and passwords for these systems are stored in the clear in the phone profile folder /data/system/accounts.db.
  2. History of SMS correspondence and phone book also contain confidential information.
  3. Web browser. The entire browser profile must be protected. A web browser (built-in or third-party) remembers all passwords and logins for you. All of this is stored in the clear in the program profile folder in the phone’s memory. Moreover, the sites themselves usually remember you (using cookies) and leave access to your account open, even if you did not ask for the password to be remembered.
    If you sync a mobile browser (Chrome, Firefox, Maxthon, etc.) with a desktop version of the browser to transfer bookmarks and passwords between devices, then it can be assumed that all your passwords for other sites are accessible from your phone.
  4. Memory card, if you store confidential files on it or download documents from the Internet. Photos and videos you take are typically stored on the memory card.
  5. Photo album.

Who should you protect your phone data from:

  1. From a random person who finds your lost phone, or from “accidental” theft of the phone.
    It is unlikely that the data on the phone will be of value to the new owner in this case. Therefore, even simple graphic key protection will ensure data safety. Most likely, the phone will simply be reformatted for reuse.
  2. From prying eyes (co-workers/children/wives), who can access your phone without your knowledge by taking advantage of your absence. Simple protection will ensure the safety of your data.
  3. Providing forced access
    It happens that you are “voluntarily” forced to hand over the phone and open access to the system (information). For example, when your wife, a government official, or an employee of the service center where you took the phone for repair asks to look at your phone. In this case, any defense is useless. It is possible, though, with the help of additional programs, to hide the fact that some information is present: hide part of the SMS correspondence, part of the contacts, some files.
  4. From targeted theft of your phone.
    For example, someone really wanted to know what was on your phone and made an effort to get it.
    In this case, only full encryption of the phone and SD card helps.

Built-in data protection on Android devices.

1. Lock screen with Pattern Key.
This method is very effective in the first and second cases (protection against accidental loss of the phone and protection from prying eyes). If you accidentally lose your phone or forget it at work, no one will be able to use it. But if someone deliberately got hold of your phone, this is unlikely to save you. Hacking can even occur at the hardware level.

The screen can be locked with a password, PIN code and Pattern Key. You can select the locking method by launching the settings and selecting the Security -> Screen lock section.

Graphic Key (Pattern) - the most convenient and at the same time reliable way to protect your phone.

None - no protection.
Slide - to unlock, you need to swipe your finger across the screen in a certain direction.

Pattern - this is a Graphic Key; it looks something like this:


You can improve security in two ways.
1. Enlarge the Graphic Key input field. It can vary from 3x3 dots on the screen to 6x6 (found in Android 4.2 on some models, depending on the Android version and phone model).
2. Hide the display of the points and “path” of the graphic key on the smartphone screen so that it is impossible to peek at the key.

3. Set the screen to lock automatically after 1 minute of phone inactivity.

Attention!!! What happens if you forget your pattern key:

  1. The number of incorrect attempts to draw a Graphic Key is limited to 5 times (in different phone models the number of attempts can be up to 10 times).
  2. After you have used up all your attempts but still have not drawn the Pattern Key correctly, the phone is locked for 30 seconds. After this, you will most likely have a couple of attempts again, depending on your phone model and Android version.
  3. Next, the phone asks for the login and password of your Gmail account, which is registered in the phone’s Accounts settings.
    This method will only work if your phone or tablet is connected to the Internet. Otherwise you reach a dead end or have to reset to factory settings.

It happens that the phone falls into the hands of a child - he starts playing, draws the key many times and this leads to the key being blocked.

PIN - this is a password consisting of several digits.

And finally, Password - the most reliable protection, with the ability to use letters and numbers. If you decide to use a password, then you can enable the Phone encryption option.
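The lock types above differ mainly in how many distinct secrets each one allows. The following added example (not part of the original article) counts every valid pattern on a grid and compares the 3x3 result with PIN and password keyspaces. It assumes the stock Android pattern rules (at least 4 dots, no dot reused, a dot lying on the straight line between two others can only be passed over if it is already used); the PIN lengths and the 36-character password alphabet are illustrative choices.

```python
from math import gcd, log2


def dots_between(a, b):
    """Return the grid dots lying strictly between a and b on a straight line."""
    (r1, c1), (r2, c2) = a, b
    steps = gcd(abs(r2 - r1), abs(c2 - c1))
    dr, dc = (r2 - r1) // steps, (c2 - c1) // steps
    return [(r1 + k * dr, c1 + k * dc) for k in range(1, steps)]


def count_patterns(size=3, min_len=4):
    """Count valid unlock patterns per length on a size x size grid.

    Assumed rules (stock Android behaviour, not stated in the article):
    each dot is used at most once, and a move may pass over another dot
    only if that dot is already part of the pattern.
    Exhaustive search is practical for 3x3 only; larger grids grow too fast.
    """
    dots = [(r, c) for r in range(size) for c in range(size)]
    between = {(a, b): dots_between(a, b) for a in dots for b in dots if a != b}
    counts = {n: 0 for n in range(min_len, len(dots) + 1)}

    def extend(last, used, length):
        if length >= min_len:
            counts[length] += 1
        for nxt in dots:
            if nxt in used:
                continue
            # Every dot the finger would cross must already be used.
            if all(mid in used for mid in between[(last, nxt)]):
                used.add(nxt)
                extend(nxt, used, length + 1)
                used.remove(nxt)

    for start in dots:
        extend(start, {start}, 1)
    return counts


def compare_lock_types():
    """Return {lock type: (number of possible secrets, equivalent bits)}."""
    spaces = {
        "3x3 pattern, 4-9 dots": sum(count_patterns(3).values()),
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "6-char password, a-z and 0-9": 36 ** 6,  # illustrative alphabet
    }
    return {name: (n, round(log2(n), 1)) for name, n in spaces.items()}


if __name__ == "__main__":
    for length, n in count_patterns(3).items():
        print(f"{length} dots: {n} patterns")
    for name, (n, bits) in compare_lock_types().items():
        print(f"{name:30} {n:>13,}  ~{bits} bits")
```

These figures are upper bounds: they treat every permitted secret as equally likely, which real user choices are not.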

Encryption of phone memory.

The function is included in Android version 4.0* and higher for tablets, but it may be missing in many budget phones.
Allows you to encrypt your phone's internal memory so that it can only be accessed with a password or PIN code. Encryption helps protect the information on your phone in the event of its targeted theft. There is no way that attackers will be able to access your data from your phone.

A prerequisite for using encryption is to set a screen lock using a password.
This method protects user data located in the phone's memory, such as the phone book, browser settings, passwords used on the Internet, and photos and videos that the user took with the camera and did not copy to the SD card.

SD card encryption is enabled as a separate option.
Memory encryption may take up to an hour depending on the memory capacity of the device. The phone cannot be used during encryption.

What if you forgot your password?

Password recovery is not provided in this case. You can do a full RESET of the phone or tablet, i.e. reinstall Android, but user data from the phone or tablet will be erased. Thus, if an attacker does not know the password to unlock the phone, he will not be able to use it. It will also be impossible to see data from the phone’s memory using other programs by connecting the phone to a computer, because all internal memory is encrypted. The only way to get your phone working again is to reformat it.

Attention, the full encryption function is present only starting from Android OS 4.0 - 4.1 and may simply not be available on some phone models. Most often found in phones from Samsung, HTC, LG, Sony. Some Chinese models also have an encryption function. On some phones this function is located in the “Memory” section.

Flaws:

  1. You will need to constantly enter a quite complex password (6-10 characters) even if you just want to make a call. It is possible, though, to set a long time interval (30 minutes) during which the password will not be requested when you turn on the phone screen. On some phone models, the minimum password length can be 3 characters.
  2. On some phone models, it is not possible to disable encryption if you want to avoid having to constantly enter a password. Encryption can only be disabled by returning the phone to factory settings and erasing all data.

Encrypting an external SD memory card

The function is included in the standard Android 4.1.1 package for tablets. It is missing from many budget builds.
The function provides reliable protection of data on an external SD card. Personal photographs and text files with commercial and personal information can be stored here.
It allows you to encrypt files on the SD card without changing their names or the file structure, while preserving previews of image files (icons). The function requires setting a display lock password of at least 6 characters.

It is possible to cancel encryption. When changing the password, automatic re-encryption occurs.
If the user has lost the memory card, the encrypted files cannot be read through the card-reader. If you put it on another tablet with a different password, then the encrypted data also cannot be read.
Other Encryption Properties:

  • Transparent encryption. If the card is inserted into the tablet and the user has unlocked the screen with a password, any application sees the files in decrypted form.
  • If you connect the tablet via a USB cable to a computer, encrypted files can also be read on the computer by first unlocking the card from the screen of the mobile device.
  • If you write some other unencrypted files onto the card via the card-reader, they will also be encrypted after inserting the card into the tablet.
  • If you have an encrypted card, you cannot cancel the lock password.
  • Data is encrypted at the file level (the file names are visible, but the contents of the file are encrypted).

Disadvantage of the program: it is missing from most Android builds.

It should be emphasized that the best way to keep data safe is a complete copy of it on your computer. A smartphone is a fairly fragile, small device, which means there is always the possibility of it breaking or being lost.

Improving the usability of a secure smartphone

Full phone encryption provides the strongest level of protection, but constantly entering a 6-digit password makes it difficult to use. But there is a solution.

In the Android system from version 4.2*, it is possible to move some applications/widgets to the lock screen, and thus you can perform simple actions without constantly unlocking the phone (without entering a 6-digit password).

Results:

  • Built-in and free features to protect the phone are very reliable. They are able to protect the user’s contacts, correspondence and calls, accounts in various programs and networks, as well as files and folders located both in the phone’s memory and on a removable SD card from prying eyes.
  • Before purchasing a phone, you should make sure how the required protection works in this particular phone model: the requirement to use an overly complex PIN code or password on the lock screen (Pattern Key is not suitable), and irreversible encryption of the phone’s internal memory, i.e. the only way to turn encryption off is to completely reset your phone.
  • Important! Make sure that if you forget your password or pattern key, you can restore access to your phone, or that you can easily restore your phone settings and information if you have to do a hard reset (resetting the phone to factory settings with loss of all data).

lyuda, 2013-06-19 19:13:07, 2015-06-24 17:54:26. Protect data on Android phones and tablets.

The FBI tried to twist Apple's arm through the courts, with Apple unwilling to create code to bypass its own security system. A critical vulnerability has been discovered in the Android kernel, allowing superuser access that bypasses all security mechanisms. These two events, although unrelated, coincided in time, clearly demonstrating the differences in the security systems of the two popular mobile operating systems. Let's put aside for a moment the issue of a critical vulnerability in the Android kernel, which is unlikely to ever be fixed by most manufacturers in already released models, and consider the data encryption mechanisms in Android and Apple iOS. But first, let’s talk about why encryption is needed in mobile devices at all.

Why encrypt your phone?

“An honest person has nothing to hide” is the most popular refrain heard after every publication on the topic of data protection. “I have nothing to hide,” many users say. Alas, much more often this only reflects the belief that no one will bother to get at the data of some particular Vasya Pupkin, because who would be interested in it at all? Practice shows that this is not so. We won’t go far for an example: just last week, the career of a school teacher who left her phone on the table for a moment ended with her dismissal. The students instantly unlocked the device and took out photographs of the teacher in a form that is condemned by the puritanical morality of American society. The incident served as sufficient grounds for the teacher's dismissal. Stories like this happen almost every day.

How unencrypted phones are hacked

We won't go into details, just keep in mind: data from an unencrypted phone can be extracted in almost one hundred percent of cases. “Almost” here refers rather to cases where someone tried to physically damage or destroy the phone immediately before the data was extracted. Many Android and Windows Phone devices have a service mode that allows all data to be dumped from the device’s memory via a regular USB cable. This applies to most devices on the Qualcomm platform (HS-USB mode, which works even when the bootloader is locked), to Chinese smartphones with MediaTek (MTK), Spreadtrum and Allwinner processors (if the bootloader is unlocked), as well as to all smartphones manufactured by LG (which have a generally convenient service mode that allows data to be dumped even from a “bricked” device).

But even if the phone does not have a service “back door”, data from the device can still be obtained by disassembling the device and connecting to the JTAG test port. In the most advanced cases, the eMMC chip is removed from the device and inserted into a simple and very cheap adapter, where it operates using the same protocol as the most common SD card. If the data was not encrypted, everything can be easily extracted from the phone, down to the authentication tokens that provide access to your cloud storage.

What if encryption was enabled? In old Android versions (up to 4.4 inclusive) even this could be bypassed (with the exception, however, of devices made by Samsung). But in Android 5.0, a strong encryption mode finally appeared. But is it as useful as Google thinks it is? Let's try to figure it out.

Android 5.0–6.0

The first device running Android 5.0 was the Google Nexus 6, released in 2014 by Motorola. At that time, 64-bit mobile processors with the ARMv8 architecture were already actively promoted, but Qualcomm did not have a ready-made solution on this platform. As a result, the Nexus 6 used a Snapdragon 805 chipset based on 32-bit cores of Qualcomm's own design.

Why is this important? The fact is that processors based on the ARMv8 architecture have a built-in set of commands to speed up stream data encryption, but 32-bit ARMv7 processors do not have such commands.

So watch closely. There are no instructions for accelerating crypto in the processor, so Qualcomm built a dedicated hardware module into the chipset to perform the same functions. But something didn’t work out for Google. Either the drivers were not completed at the time of release, or Qualcomm did not provide the source code (or did not allow it to be published in AOSP). The details are unknown to the public, but the result is known: the Nexus 6 shocked observers with its extremely slow data read speed. How slow? Something like this:

The reason for the eightfold lag behind its “little brother”, the Motorola Moto X 2014, is simple: forced encryption, which the company implemented at the software level. In real life, Nexus 6 users on the original firmware version complained about numerous lags and freezes, noticeable heating of the device and relatively poor battery life. Installing a kernel that disables forced encryption immediately solved these problems.

However, firmware is something you can keep improving, right? Especially if you are Google, have unlimited finances and have the most qualified developers on your staff. Well, let's see what happened next.

And then there was Android 5.1 (six months later), in which the necessary drivers for working with the hardware accelerator were first added in the preliminary version of the firmware, and then removed again in the final version due to serious problems with sleep mode. Then came Android 6.0; by the time of its release users had already lost interest in this game and had begun to disable encryption by any means, using third-party kernels. Or not to disable it, if a read speed of 25–30 MB/s is enough.

Android 7.0

Okay, but could Android 7 fix a serious problem with a flagship device that is almost two years old? It’s possible, and it’s been fixed! The ElcomSoft lab compared the performance of two identical Nexus 6s, one running Android 6.0.1 with the ElementalX kernel (and encryption disabled), while the other was running the first preview version of Android 7 with default settings (encryption enabled). The result is clear:

Data encryption in the Android OS is closely related to two problems: controlling access to memory cards and transferring applications to them. Many programs contain activation data, payment and...

The fight between Apple and the FBI has brought renewed attention to the importance of encryption. Regardless of the fact that everyone may have their own opinion on this matter, there is no need to explain the importance of protecting your personal data, and it all starts with a smartphone.

These devices store personal photos, private messages, emails, and sometimes even sensitive health information. If this data falls into the wrong hands, it can have devastating consequences. Using an alphanumeric password is a step in the right direction, but you should also consider encrypting the device.

iPhones, iPads and most Android devices can be encrypted. Here's what you need to know.

iOS.

Apple introduced device encryption starting with iOS 8 in 2014. Turning on an encrypted device requires entering a password or fingerprint. While a basic four-digit PIN will work here, for better security I recommend using a longer numeric passcode or alphanumeric password.
  • Enter "Settings".
  • Select Touch ID & Passcode (or Passcode for older devices without a fingerprint sensor).
  • Click on the "Enable Password" option.
  • Enter a complex password or security code (Be sure to write it down somewhere, don’t rely on your memory. If you forget the password, you will no longer be able to log into the phone; you will have to reset it to its factory state and lose all data.)

Android.

On Android this process is a little more complicated. Nexus phones and tablets come with encryption turned on by default. Most new devices that ship with Android 6.0, such as the Galaxy S7 and Galaxy S7 Edge, are also sold with encryption enabled. Similar to the iPhone, all you need to do is add a password or fingerprint to enable encryption directly.
  • Enter "Settings".
  • Go to the "Security" page.
  • Select Screen Lock.
  • Create a password.

For older devices, however, such as the Moto X Pure and Galaxy S6, you will need to encrypt them manually. Before you begin, make sure your phone is plugged in, as the process can take up to an hour depending on the amount of data on your device. Next, create a password using the steps mentioned above and follow these steps:

  • Open Settings.
  • Select "Security".
  • Click on "Encrypt phone".
The method is slightly different on Galaxy S6. Here you need to enter the “Settings” menu, selecting “Screen lock” and “Security”, and then “Other security options”, and click on “Encrypt phone”.


You can also encrypt your SD card to keep your data secure and prevent the card from being read by another device (unless erased first). Go to Settings, select Security, then External SD Card Encryption and click Enable. Unlike device encryption (which requires you to completely wipe your phone to disable this encryption), SD card encryption can be easily accessed in the Settings menu.

Reasons for not encrypting an Android device.

There are several reasons why you might want to hold off on encryption. The encryption method is different for each device. Motorola, for example, allows you to continue using a pin code and security pattern after the phone has been encrypted, but Samsung only allows you to use a password or fingerprint.

Samsung also requires you to enter a password after every reboot. While this makes it less likely for an attacker to gain access to your data, it may cause too much inconvenience for you.

The device will also show a slight performance hit once it is encrypted. This drop is barely noticeable on the latest high-end phones, but older models and weak devices may suffer. I recommend using encryption only on the latest high-end devices such as Galaxy S6, LG G4, HTC One M10, and their new models (Galaxy S7, LG G5, etc.).

Today, every user has to think about protecting confidential information from unauthorized persons. Mobile device manufacturers care about future customers and their right to privacy, so they are paying more and more attention to preserving personal data. Tablets can also be classified as personal devices, so let's talk about protecting them.

Is it possible to disable encryption on a tablet?

The system functions of modern tablets support an encryption mode for information stored both in the internal memory of the device and on an external SD card. It should be remembered that active encryption has a negative impact on the performance of the device. Those who value computing power over the safety of personal data should definitely read this article.

If you're lucky enough to own an Android tablet that originally runs a version of the operating system, you won't be able to disable the encryption feature. The developers decided to introduce forced encryption of information on the latest versions of the OS, but don’t despair, because hackers don’t sleep either. There is no doubt that these workers will soon offer their own solution to this problem. At the same time, tablets whose operating system has been updated to the latest version from earlier ones are not limited by such prohibitions, so the option to disable encryption is available. However, we recommend that you think about whether you really need this?

For earlier versions of Android, up to 2.3.4, encryption must be started manually. This option is in the settings menu: Security -> Encryption -> Encrypt device. It must be borne in mind that after this it is impossible to decrypt the encrypted data, since the developer did not provide such a possibility. Thus, if you need to decrypt the information, its loss is inevitable. To do this, you will need to reset the device to factory settings from "recovery" mode.

To perform such a reset, you need to hold down the volume up and down keys, as well as the power key, while the tablet is turned off. It will boot into the engineering menu, where, using the volume buttons, you need to find the “wipe data/factory reset” menu item and, having selected it, press the power key. When the reset operation is completed, you need to reboot by selecting "reboot". After the tablet boots into normal mode, you should restore your personal data, and then no longer run encryption.