Slashdot Mirror
Google Backs Off Default Encryption on New Android Lollilop Devices
An anonymous reader writes: Although Google announced in September 2014 that Android 5.0 Lollipop would require full-disk encryption by default in new cell phones, Ars Technica has found otherwise in recently-released 2nd-gen Moto E and Galaxy S6. It turns out, according to the latest version of the Android Compatibility Definition document (PDF), full-disk encryption is currently only "very strongly recommended" in anticipation of mandatory encryption requirements in the future. The moral of the story is: don't be lazy — check that your full-disk encryption is actually enabled.
Learn to spell Lollipop.
The real issue is the extra battery drain it creates and the extra delay it takes to read/write encrypted data. In other words, this is an acceptable tradeoff for an employer and this is an acceptable tradeoff for some people who really care about security, but it's really not acceptable for most consumers.
If it ever becomes the default on consumer phones, for liability reasons or for whatever, the first thing people will learn is how to disable it so they can save battery power.
The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock. Who wants to type in a 20+ password every time they open their screen lock?
Are you sure?
For my Android phone I activated FDE. On boot I have to enter the FDE password, which is independent from the lock screen password/pattern/face unlock.
So on boot I enter the complex password once, and later I use the less complex pattern to unlock my running phone.
My phone is Running Android 4.4.4 (Cyanogen CM11S).
Or at the very least it would need to come with a significant enough processor jump that no one notices the drop in responsiveness from any earlier device.
Depends on whether the SoC can do AES-encryption/-decryption in hardware or not. Your Nexus 5 does it in software, ARMv8 (ARM64) includes optional support for H/W-accelerated AES. It's unlikely that low-to-mid-end phones will be sporting ARMv8 SoCs anytime soon, but it'll happen eventually, and higher-end phones are already starting to move to it.
So the protection is only effective if someone steals my phone while it's turned off, which is, like, 0.1% of the time?
Yes, that's exactly what it was designed for. If the system required you to enter the FDE-password whenever you open up the screen then how would background-processes, like e.g. SMS-receiving, chat and such stuff work? They'd only be able to access the disk when you have the display open and that'd obviously make the whole thing unuseable as a smartphone in the first place. No full-disk encryption scheme has been designed to withstand attacks originating from an already-running system since you need to keep the key in memory to do anything with the disk in the first place!
No latency for hw crypty.
A hardware crypto device can en-/decrypt faster than the disk transfers. Therefore, no latency at all. Of course it require power, but a crypto circuit is a lot smaller than a cpu, and doesn't need to run at the full cpu clock frequency either. Phones are custom chips anyway, so making one with fast low-power crypto device is not a problem. The only reason for not doing crypto by default is that not all current phones have such HW. And then they rack up latency & power use as you describe.
Cyanogenmod 11 (Android 4.4.4) indeed has an option to set the encryption password separately. With stock Android this only possible on a rooted device (vdc cryptfs changepw [secretpassword1]), but the encryption password will be reset if you change the screen unlock code.
Avantslash: low-bandwidth mobile slashdot.
What is lame is people posting ignorant comments as Anon Cowards.
Apple has control of both the hardware & the software & has optimized both to make use of FDE as painless as possible. This is clearly not the case in Android.
Stealing from Seillac's comments on ARS:
"Apparently, Google has not merged the various drivers that optimize Qualcomm's QCE module for encryption and decryption into AOSP. The generally-assumed reason is that this code is proprietary. Without these optimizations, the Nexus 6's hardware decryption module on the Snapdragon 805 is essentially hamstrung."
From: http://www.androidpolice.com/2...
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
(I'm a member Android Security team who worked on bits of Lollipop FDE)
The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.
This isn't completely true on Lollipop devices that have hardware-backed credential storage. (Well, it's not really "hardware-backed", but it's in a Trusted Execution Environment, typically ARM TrustZone.)
For Lollipop, a big change to FDE was the inclusion of a hardware-backed key in the key derivation function (KDF) for the FDE master key encryption key. This provides two benefits:
1) It means that a dump of the contents of your encrypted flash is useless without the device.
2) It means that brute force search of your PIN/pattern/password space is serialized and rate-limited by the performance of the device. In a way this means that faster devices are less secure, though we also apply a device-tuned scrypt function as part of the KDF, which compensates in the case of an attacker who tries to perform the entire attack on-device.
The best attack against Lollipop FDE, on a device with HW-backed credentials, is to dump the data from the device flash, then flash a custom OS which makes calls into the HW crypto to create an oracle, processing a stream of requests and returning the responses. Then you do a brute force attack with a mixture of on-device and off-device resources, computing the first scrypt function offline, then performing the on-device crypto operation, then taking the results of that and performing the second scrypt function offline, which you then use to try to decrypt the FDE master key, offline.
The fastest devices on the market today will perform the HW-backed crypto operation in about 50 ms. Assuming everything is pipelined properly, this is the brute force attempt rate: 20 attempts per second. With a four-digit PIN, this is negligible: the entire space can be searched in 8 minutes. However, a six-character alphanumeric password (random, all lowercase) would take 630 days, on average, to break. That's pretty reasonable security.
In theory. In practice it would take much longer than that. I tried running this test on a Nexus 9 and found the device kept throttling itself because it got too hot, plus even with a 2A charger it consumed more power than was being provided to it, so I had to stop when the battery died and wait for it to recharge.
Pre-Lollipop, and even on Lollipop devices that lack HW-backed crypto, you can conduct the entire attack off-line, parallelized, on however much hardware you care to throw at it. I can't make any promises about the future, but I will say that I, personally, really want to significantly improve Android FDE in the future. I have changes in mind that will make brute force essentially impossible, unless you can break into the Trusted Execution Environment.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.
No, it doesn't. At least in Lollipop FDE-password is separate and you enter it at boot.
It's not separate. In stock Lollipop there is only one password, and it's used both for FDE and for screen unlock. Some customized ROMs (e.g. CM) have separated it, which allows you to choose a strong boot password and a more convenient unlock password. Stock Android didn't go that direction because too many users would set a strong boot password which they only use once every few weeks and therefore forget, losing all of their data.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.