Revisiting Android disk encryption (opens in new tab)

The dreadful "you must enable Javascript for this plain website" layout strikes again. So here is the summary of the article for the fellow plain HTML lovers:

> Android has included full disk encryption (FDE) support since version 3.0, but versions prior to 4.4 used a fairly easy to bruteforce key derivation function (PBKDF2 with 2000 iterations). Additionally, because the disk encryption password is the same as the lockscreen one, most users tend to use simple PINs or passwords (unless a device administrator enforces password complexity rules), which further facilitates bruteforcing. Android 4.4 replaced the disk encryption KDF with scrypt, which is much harder to crack and cannot be implemented efficiently on off-the-shelf GPU hardware. In addition to enabling FDE out of the box, Android L is expected to include hardware protection for disk encryption keys, as well as hardware acceleration for encrypted disk access. These two features should make FDE on Android both more secure and much faster.

I wonder if full disk encryption by default will render Android unusable to blind people such as my self? When I encrypted my Nexus 7 2012 running 4.4 it turns out that you are prompted to enter your password before the talkback screen reader starts talking. Needless to say this is a major issue and no one from Google appears to be interested in fixing it as far as I can tell. With my iPhone Voiceover comes up talking and allows me to enter my password while still having the device encrypted.

Coming from iOS, one thing that I didn't really like about Android was how clumsy the decryption process was. The process is detailed here [1] and it involves the framework being put in a special mode that only handles password entry. In this mode, none of the regular services are running, so I'm not sure how incoming calls & SMSes are handled (or if they are even handled). It's like getting stuck at the boot screen with a password prompt.

In iOS, encryption is not performed at the block layer but at the filesystem level, and some files are encrypted with hardware-derived keys (thanks to a unique 256-bit AES key burned into the processor), allowing the OS to be booted normally, but not having access to certain files until the user enters his/her passcode (full details here [2]). Even if you don't immediately enter the passcode after boot, the phone is still in a somewhat functional state.

I'm glad that Android is taking steps to at least implement by-default disk encryption by relying on a hardware-backed key store.

[1] https://source.android.com/devices/tech/encryption/android_c...

[2] https://www.apple.com/privacy/docs/iOS_Security_Guide_Sept_2...

Obviously, a strong passcode is a must.

But that's a big ask not just for the obvious reason, but also because the Nexus 5 is the first phone I've ever owned which demands that I unlock it first before I can access the UI to cancel an alarm.

And even then, it's a game of chance (especially when the phone is upside down while you're asleep) whether your swipe is in the correct direction (apparently UI designs actually removed the visual cues which would normally guide the user toward the correct action).

> In iOS 8, Apple has expanded the scope of data encryption and now mixes in the user's passcode when deriving an encryption key, making it harder to extract data from iOS 8 devices.

Not fully correct. In iOS8, the scope of DP (data protection) was enhanced to cover additional data with specific respect to the builtin Apple applications (SMS, photos, call logs, etc.). DP, since its introduction in iOS4, has always used the user's passcode as part of the encryption secret, and there are APIs available to create files and/or keychain items with data protection on.

Notice that there is an interaction between the multitasking/background system and data protection, as applications running background services will need access to a (part of) filesystem and (part of) keychain to operate. This is why the APIs have a very granular set of ACLs.

If you don't have a hardware bound key as part of the KDF then you will be subject to extraction and parallel breaking. It may take more computing power with scrypt but it will be doable. KDFs enforce round constraints relative to the hardware they run on. Being able to extract from that hardware means being able to apply orders of magnitude greater processing and parallelization of that process. Hardware keys like Apple's are the only way to go.

Hadn't internalized how essentially trivial it was to brute-force a PIN once you'd copied off the file system blocks.

With Android-L moving key material to trusted execution environments, expect interesting attacks on those. I am curious about state-mandated security holes in TEEs as well, since it's much easier to hide backdoors in chips than in publically reviewable software (I would much prefer to see a dedicated security processor than a "secure mode" of what is essentially the whole SOC).

Very interesting. I've always been wary of PBKDF2 for these applications simply because most people will have a 4 digit PIN (although I don't), which is essentially useless against an offline brute force attack, and possibly worse than useless if it gives people a false sense of security.

At least CM11 allows a dedicated FDE password though - Google is really doing its users a disservice by not implementing this in stock Android.