Google Backs Off Default Encryption on New Android Lollilop Devices

An anonymous reader writes: Although Google announced in September 2014 that Android 5.0 Lollipop would require full-disk encryption by default in new cell phones, Ars Technica has found otherwise in recently-released 2nd-gen Moto E and Galaxy S6. It turns out, according to the latest version of the Android Compatibility Definition document (PDF), full-disk encryption is currently only "very strongly recommended" in anticipation of mandatory encryption requirements in the future. The moral of the story is: don't be lazy — check that your full-disk encryption is actually enabled.

FDE on Android doesn't work as of yet

The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock. Who wants to type in a 20+ password every time they open their screen lock? Who even bothers with FDE if the key will be no stronger than what, six numeric characters?

There has been some dirty hacks you could do to combine FDE with e.g. pattern lock for the screen, but these have had the tendency to break the whole thing eventually.

Re:FDE on Android doesn't work as of yet

[stephanruby]

The real issue is the extra battery drain it creates and the extra delay it takes to read/write encrypted data. In other words, this is an acceptable tradeoff for an employer and this is an acceptable tradeoff for some people who really care about security, but it's really not acceptable for most consumers.

If it ever becomes the default on consumer phones, for liability reasons or for whatever, the first thing people will learn is how to disable it so they can save battery power.

Re:FDE on Android doesn't work as of yet

[moronoxyd]

The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock. Who wants to type in a 20+ password every time they open their screen lock?

Are you sure?
For my Android phone I activated FDE. On boot I have to enter the FDE password, which is independent from the lock screen password/pattern/face unlock.
So on boot I enter the complex password once, and later I use the less complex pattern to unlock my running phone.
My phone is Running Android 4.4.4 (Cyanogen CM11S).

Re:FDE on Android doesn't work as of yet

[PriyanPhoenix]

Or at the very least it would need to come with a significant enough processor jump that no one notices the drop in responsiveness from any earlier device. I briefly switched on FDE on a Nexus 5 and it only took a few days to decide the trade-off was (for me) unacceptable. Had I jumped to the Nexus 6 at the same time, however, that may not have been an issue.

Re:FDE on Android doesn't work as of yet

[Gaygirlie]

Or at the very least it would need to come with a significant enough processor jump that no one notices the drop in responsiveness from any earlier device.

Depends on whether the SoC can do AES-encryption/-decryption in hardware or not. Your Nexus 5 does it in software, ARMv8 (ARM64) includes optional support for H/W-accelerated AES. It's unlikely that low-to-mid-end phones will be sporting ARMv8 SoCs anytime soon, but it'll happen eventually, and higher-end phones are already starting to move to it.

Re:FDE on Android doesn't work as of yet

[fph+il+quozientatore]

So the protection is only effective if someone steals my phone while it's turned off, which is, like, 0.1% of the time?

Re:FDE on Android doesn't work as of yet

[phayes]

What is lame is people posting ignorant comments as Anon Cowards.

Apple has control of both the hardware & the software & has optimized both to make use of FDE as painless as possible. This is clearly not the case in Android.

Stealing from Seillac's comments on ARS:
"Apparently, Google has not merged the various drivers that optimize Qualcomm's QCE module for encryption and decryption into AOSP. The generally-assumed reason is that this code is proprietary. Without these optimizations, the Nexus 6's hardware decryption module on the Snapdragon 805 is essentially hamstrung."

From: http://www.androidpolice.com/2...

Re:FDE on Android doesn't work as of yet

[swillden]

(I'm a member Android Security team who worked on bits of Lollipop FDE)

The issue with FDE in Android has for long been the lack of combining strong passwords with a pattern lock or pin lock for unlocking the screen. In other words, your encryption key is only as strong as the pin code or password you are willing to put in every time you open your screen lock.

This isn't completely true on Lollipop devices that have hardware-backed credential storage. (Well, it's not really "hardware-backed", but it's in a Trusted Execution Environment, typically ARM TrustZone.)

For Lollipop, a big change to FDE was the inclusion of a hardware-backed key in the key derivation function (KDF) for the FDE master key encryption key. This provides two benefits:

1) It means that a dump of the contents of your encrypted flash is useless without the device.

2) It means that brute force search of your PIN/pattern/password space is serialized and rate-limited by the performance of the device. In a way this means that faster devices are less secure, though we also apply a device-tuned scrypt function as part of the KDF, which compensates in the case of an attacker who tries to perform the entire attack on-device.

The best attack against Lollipop FDE, on a device with HW-backed credentials, is to dump the data from the device flash, then flash a custom OS which makes calls into the HW crypto to create an oracle, processing a stream of requests and returning the responses. Then you do a brute force attack with a mixture of on-device and off-device resources, computing the first scrypt function offline, then performing the on-device crypto operation, then taking the results of that and performing the second scrypt function offline, which you then use to try to decrypt the FDE master key, offline.

The fastest devices on the market today will perform the HW-backed crypto operation in about 50 ms. Assuming everything is pipelined properly, this is the brute force attempt rate: 20 attempts per second. With a four-digit PIN, this is negligible: the entire space can be searched in 8 minutes. However, a six-character alphanumeric password (random, all lowercase) would take 630 days, on average, to break. That's pretty reasonable security.

In theory. In practice it would take much longer than that. I tried running this test on a Nexus 9 and found the device kept throttling itself because it got too hot, plus even with a 2A charger it consumed more power than was being provided to it, so I had to stop when the battery died and wait for it to recharge.

Pre-Lollipop, and even on Lollipop devices that lack HW-backed crypto, you can conduct the entire attack off-line, parallelized, on however much hardware you care to throw at it. I can't make any promises about the future, but I will say that I, personally, really want to significantly improve Android FDE in the future. I have changes in mind that will make brute force essentially impossible, unless you can break into the Trusted Execution Environment.

Android privacy guard app

Do you remember back in Android 4.3 where Google added a feature similar to Cyanogenmod's "Privacy Guard"? That let you withhold rights to your contacts, Wifi, camera, microphone, GPS etc. from Apps selectively? Regardless of what the App demanded?

Then later they withdrew the app, and it never appeared again, they claimed it broke applications, yet the one in Cyanogenmod and Paranoid Android distributions work fine. Yet Google withdrew their privacy feature.

http://www.pixeldynamo.com/editorial/2013/12/14/1869/google-withdraws-android-privacy-tools/

"It was a surprise therefore, to find that Android 4.3 contained an undocumented feature, the Android Permissions Manager, or AppOps. Pictured below, AppOps groups applications based upon the type of permissions requested (Location, Personal, Messaging), ordering them by how recently they used that feature."

"Tapping on any app then shows all permissions granted to the application in question, allowing you to toggle them at will. iOS includes a similar feature, albeit with less granularity, listing applications under broad categories such as location, contacts, photos, and calendar access, again allowing users to see what has requested access, and, if they prefer, disable it."

"In the second point release of Android 4.4, Google has now withdrawn AppOps, claiming it was never intended to be accessed by end users."

-------
Do you know you handed Google your wifi password?
You did that when you handed your wife or brother your Wifi password, and when Google asked them to 'back up to their server', and they clicked yes, they handed that password to Google and to NSA via PRISM.

There are some serious issue in Android, and encryption is just the latest of them.

Re:Don't be lazy

[cyber-vandal]

The title is Google Backs Off Default Encryption on New Android Lollilop Devices. That is a spelling mistake.