Encryption of mobile devices. What it means to encrypt a device on Samsung. Android and data encryption. Why things are bad and why they are unlikely to get better

The recent debate in the US between law enforcement and tech giants over smartphone encryption is once again bringing this issue into the spotlight. No one will argue that protecting your personal data is an important topic, so we're happy to tell you that Android offers the necessary tools to encrypt your smartphone right out of the box. If you're interested and want to know where to start, this guide will tell you how to encrypt your Android smartphone or tablet.

What is device encryption and what does it do?
Before you encrypt your device, it makes sense to understand what encryption is and what the pros and cons of this solution are.

Device encryption is not a universal solution for protecting all of your data from prying eyes, and it does nothing for data you send over the Internet. What it does is convert everything stored on the phone into a form that can only be read with the correct credentials. That is stronger than a lock screen alone, because data behind a mere lock screen can be pulled off the device without ever unlocking it, using a recovery image, the bootloader or the Android Debug Bridge.

Encrypted music, photos, apps and credentials cannot be read without first decrypting them, which requires a unique key. Part of the procedure happens behind the scenes: the key that actually encrypts the storage is itself protected by a key derived from the user's passcode, and on current devices that derivation is tied to the phone's hardware-backed "trusted execution environment", so the key cannot be recovered by a software attack alone, nor by guessing passcodes offline on another machine. Without this key, files can be neither encrypted nor decrypted.

Android keeps encryption simple from the user's point of view: you enter your passcode when you boot or unlock the device and your files become accessible. If the phone falls into the wrong hands, nobody can read the data on it without knowing the passcode.
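The mechanism just described, as an added example that is not code from the article: the PIN is stretched into a key-encryption key that protects the random disk key, and the check the phone performs for one PIN can be run offline against every possible PIN unless the key is also tied to the device's hardware. The KDF parameters (PBKDF2-HMAC-SHA1 with 2000 rounds, the setting Android used before 4.4), the XOR standing in for AES key wrapping, the HMAC tag standing in for the phone's known-plaintext check and the bind_to_device() model of the hardware step are this example's own assumptions, not details stated on the page.

```python
# Added example (not the article's own code): how a lock-screen PIN turns into the
# key that unlocks the disk, and why a scheme that depends on the PIN alone can be
# brute-forced offline from a copy of the encrypted storage.
# Assumptions, not stated on the page: the random disk key is protected by a
# key-encryption key (KEK) derived with PBKDF2-HMAC-SHA1, 2000 rounds (Android's
# pre-4.4 parameters); XOR stands in for the AES key wrapping a real phone uses;
# an HMAC tag replaces the known-plaintext check that tells the phone a PIN was
# wrong; bind_to_device() models the Android 5+ step that mixes in a secret that
# never leaves the TEE.
import hashlib
import hmac
import os
import time

KDF_ROUNDS = 2000   # deliberately weak, as on Android 3.0-4.3
KEY_LEN = 16        # 128-bit disk key


def derive_kek(pin, salt, rounds=KDF_ROUNDS):
    """Stretch the user's PIN/passcode into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, rounds, dklen=KEY_LEN)


def bind_to_device(kek, device_secret):
    """Model of hardware binding: the final KEK can only be computed where the
    device secret lives, so whoever holds only the disk image cannot test guesses."""
    return hmac.new(device_secret, kek, "sha256").digest()[:KEY_LEN]


def wrap_master_key(master, kek):
    """Encrypt the random disk key under the KEK (XOR in place of AES) and add a tag."""
    wrapped = bytes(a ^ b for a, b in zip(master, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()
    return wrapped, tag


def unwrap_master_key(wrapped, tag, kek):
    """Return the disk key, or None when the KEK (i.e. the PIN) is wrong."""
    if not hmac.compare_digest(hmac.new(kek, wrapped, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, kek))


def brute_force_pin(salt, wrapped, tag, digits=4, device_secret=None, limit=None):
    """Offline attack on a copy of the crypto footer: try PINs 0000.. in order.
    Returns (pin, attempts), or (None, attempts) when nothing matched."""
    space = limit or 10 ** digits
    for n in range(space):
        pin = f"{n:0{digits}d}"
        kek = derive_kek(pin, salt)
        if device_secret is not None:
            kek = bind_to_device(kek, device_secret)
        if unwrap_master_key(wrapped, tag, kek) is not None:
            return pin, n + 1
    return None, space


def demo(pin="0421"):
    salt, master = os.urandom(16), os.urandom(KEY_LEN)
    # 1. PIN-only scheme: everything the attacker needs is on the disk image.
    kek = derive_kek(pin, salt)
    wrapped, tag = wrap_master_key(master, kek)
    t0 = time.perf_counter()
    found, tries = brute_force_pin(salt, wrapped, tag)
    seconds = time.perf_counter() - t0
    # 2. Hardware-bound scheme: the same guesses, including the right PIN, find
    #    nothing without the device secret (search as far as succeeded above).
    device_secret = os.urandom(32)
    bound_kek = bind_to_device(kek, device_secret)
    wrapped_b, tag_b = wrap_master_key(master, bound_kek)
    found_b, tries_b = brute_force_pin(salt, wrapped_b, tag_b, limit=tries)
    return {
        "pin_only_recovered": found, "tries": tries, "seconds": seconds,
        "legit_unlock_ok": unwrap_master_key(wrapped, tag, kek) == master,
        "bound_recovered_without_secret": found_b, "bound_tries": tries_b,
        "bound_unlock_ok": unwrap_master_key(wrapped_b, tag_b, bound_kek) == master,
    }


if __name__ == "__main__":
    r = demo()
    print(f"PIN {r['pin_only_recovered']} recovered in {r['tries']} tries, "
          f"{r['seconds']:.2f} s; with hardware binding: {r['bound_recovered_without_secret']}")
```

Running demo() recovers the 4-digit PIN in well under a second on a laptop; in the hardware-bound variant the same guesses all fail because bind_to_device() cannot be computed without the chip. That gap is the difference between the lock screen's five-attempts-then-pause policy and an attacker who has dumped the flash, and it is why a short PIN is a much weaker choice on devices that lack the hardware step.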

Before you dive in, there are a few things to consider. First, reading encrypted files takes extra processing work, so encryption affects performance. On older devices without hardware AES acceleration, storage read speeds can drop noticeably, but for the vast majority of everyday tasks the difference is small, if noticeable at all.

Second, only some devices offer an option to turn encryption off again. For most phones and tablets encryption is a one-way street: if your device cannot decrypt in place, the only way back is a factory reset, which erases all your personal data. Check this before you start.
With that understood, let's see how to enable encryption.

Encrypting my device

Device encryption works much the same on all Android devices, although the steps to enable it change slightly between versions. Some devices ship encrypted out of the box, including the Nexus 6 and Nexus 9; if yours is not, enabling it is easy.

Android 5.0 or higher...

For Android smartphones and tablets running Android 5.0 or later, you can go to the Security menu under Settings. The path here may vary slightly depending on your OEM, but with stock Android you'll find encryption under Settings > Personal > Security.


Here you should see an option to Encrypt Phone or Encrypt Tablet. You'll be prompted to plug your device into a charger while encryption is happening to make sure your phone doesn't turn off during the process, causing errors. If you haven't already done so, you'll be prompted to set a screen lock PIN or password, which you'll need to enter when you turn on your smartphone to access your encrypted files. Be sure to remember your password!

Android 4.4 and older...

If you are using a smartphone running Android 4.4 KitKat or older, you must set a PIN or password before starting the encryption process. Fortunately this is not difficult: go to Settings - Security - Screen Lock. Here you can choose a pattern, a PIN or an alphanumeric password to lock the screen. You will use the same secret after encryption, so choose it with care.

Once you're done with this, you can return to the Security menu and click "Encrypt phone." You'll need to plug your device into a charger and read warning messages, and you'll almost always have to confirm your PIN or password one last time for the encryption process to begin.


Encrypting your phone may take an hour or more, depending on how fast the device is and how much data it holds. Once the process completes, enter your PIN and carry on using the encrypted device as if nothing had happened.

Back in the Security menu you will probably also notice an option to encrypt the files on your MicroSD card. This is recommended if you want all your data protected, but not really necessary if the card only holds music or films of no personal value.

This option comes with several caveats. First, you will no longer be able to use the MicroSD card in other devices without wiping the encrypted data, because other computers and devices do not have the encryption key. An encrypted card can still be used to move files, but only as long as the encrypted files are accessed from the phone that encrypted them. And if you factory-reset the device before decrypting the files, the key is lost and the protected files on the card become unreadable. So think it through carefully.

When you've finished...

That's all you really need to encrypt your Android device. It is a much stronger way to protect your data. There is a small trade-off in performance, but any difference should be hard to notice on a modern phone.


Additional options with third party applications

If you don't want to go through the encryption wringer on all of your device's data, there are a small number of Android apps in the Google Play store that offer a variety of selective features, including encrypting a single file, text, or folder.

SSE – Universal Encryption Application
SSE has been on the market for quite a while and still seems to receive small updates. Instead of encrypting the whole phone, SSE protects and decrypts individual files or directories, which is useful if you only want to protect a few items selectively. You set a password that serves as the decryption key, and you can either create encrypted copies of files or replace the originals.

The app also has a text encryptor and a password vault. The text editor can store encrypted notes that can be shared across platforms. The vault stores and manages all your passwords, PINs and notes in one place, protected by a master password, much like LastPass.

Final Thoughts
Considering the amount of sensitive personal information we carry on our mobile devices today, banking details included, encrypting an Android device is a smart decision. There are quite a few options offering different levels of security, from Android's device-wide encryption to apps dedicated to encrypting specific files. Keep in mind that encryption does not protect against everything, but it is excellent protection if the device is stolen.

Today, every user has to think about protecting confidential information from unauthorized persons. Mobile device manufacturers care about future customers and their right to privacy, so they are paying more and more attention to preserving personal data. Tablets can also be classified as personal devices, so let's talk about protecting them.

Is it possible to disable encryption on a tablet?

Modern tablets support encryption of the information stored both in the device's internal memory and on an external SD card. Keep in mind that encryption has a negative impact on the device's performance. Those who value computing power over the safety of their personal data should read on.

If you own an Android tablet that shipped with a recent version of the operating system, you will not be able to turn encryption off: the developers made encryption mandatory on the latest OS versions. Don't despair, though; enthusiasts don't sleep either, and they will no doubt offer a workaround of their own. Tablets that were updated to the latest version from an earlier one are not bound by this restriction, so the option to disable encryption remains available there. Still, we recommend you think about whether you really need it.

On older Android versions, where encryption is not forced, it must be started manually from the settings menu: Security -> Encryption -> Encrypt device. Bear in mind that afterwards the data cannot be decrypted in place, because the developer provided no such option. So if you need to turn encryption off, losing the data is inevitable: the device has to be reset to factory settings from recovery mode.

To perform such a reset, with the tablet powered off hold the volume up and volume down keys together with the power key (the exact combination varies by model). This boots the recovery menu; use the volume buttons to highlight "wipe data/factory reset" and confirm with the power key. When the wipe finishes, choose "reboot". After the tablet boots normally, restore your personal data and do not start encryption again.

If you look at it from a security perspective, your Android smartphone is a compact box overflowing with important personal information, and you would hardly want it to fall into the wrong hands of others. To get a more realistic picture of the situation, think about your email, SMS messages, saved credit card numbers, personal photos and other sensitive data.

I think no one would want to be in a situation where a stranger took possession of this data; the consequences are frightening even to think about. That is the main reason we turn to different ways of protecting the phone or tablet, and data encryption is the main means of protecting it.

What is encryption?

Encryption is the reversible process of converting data into an unreadable form for all persons except those who know how to decrypt it. The only way to get the data back into readable form is to decrypt it back using the correct key.

It's easier to understand such things with a simple example. Say you lost your diary: anyone who finds it and can read the language will easily learn your innermost secrets. But if you kept the diary in a secret code, or a language only you understand, nobody else could read it.

A similar approach can be applied to data stored on your Android device. A thief can take over your smartphone or tablet and gain access to personal data, but if the data is encrypted, then it will be just a bunch of useless gobbledygook that he cannot read.

We encrypt your Android

Android encryption is a very simple procedure. Please note that the menus for data encryption may be located in different places on different devices. In addition, custom firmware and UI, for example Samsung TouchWiz UX, may have different requirements.

First of all, set a screen-lock password or PIN. This secret is used to derive the key that unlocks the data, so it is important to set it before you begin encryption.

Some manufacturers impose additional requirements, such as a minimum password length; the Galaxy S3 and Galaxy S4 are examples.

After setting a PIN or password, go to the “Security” subsection of the main menu and select “Encrypt Phone” or “Encrypt Tablet”. On different devices, the menu for data encryption may be located in different places; for example, on HTC One it is located in the “Memory” section in the main menu.

The encryption menu will look something like this:

The encryption process takes a long time, so it is important that your battery is fully charged. If there is insufficient battery power, you will receive a notification before encryption begins.

If everything is ready, click the button at the bottom of the “Encrypt Phone” or “Encrypt Tablet” screen. Here your phone will ask for a password or PIN code, enter it to confirm. A warning message will appear again, click the “Encrypt phone” button.

Your device will reboot, and only then does encryption begin. You will see a progress indicator on the screen. While encryption is running, do not use the phone or try to perform any actions; if you interrupt the process, you may lose all or part of your data.

Once encryption is complete, the phone (tablet) will reboot and you will have to enter your password or PIN to decrypt all data. After entering the password, all data will be decrypted and normal Android will boot.

Encrypting an external SD card

Some devices, such as the Galaxy S3 and Galaxy S4, allow you to encrypt data even on external storage devices - SD memory cards.

Typically, you have the option of choosing which files on the memory card to encrypt. You have the following encryption options: the entire SD card, include/exclude multimedia files, or encrypt only new files.

The data that you encrypted on the SD card will be impossible to read on another Android device. Some devices will report that the memory card is empty, or has an unknown file system.

Unlike encryption of the built-in memory, encryption of data on the SD card can be undone. On the Galaxy S3 and Galaxy S4 you can decrypt data on the external microSD card through the Encrypt External SD Card menu. Be careful with SD card encryption, as some Android devices may destroy all data during encryption or decryption.


Briefly: if you use a pattern lock on your phone, in the vast majority of everyday cases that is enough to stop a casual person from getting at your information without your knowledge. If the data on the phone is really sensitive, use the phone's built-in full encryption.

Today, almost all smartphones have become carriers of important personal or corporate data. Also, through the owner's phone, you can easily access his accounts, such as Gmail, DropBox, FaceBook and even corporate services. Therefore, to one degree or another, it is worth worrying about the confidentiality of this data and using special means to protect the phone from unauthorized access in the event of its theft or loss.

  1. From whom should you protect your phone data?
  2. Built-in data protection in Android.
  3. Full phone memory encryption
  4. Results

What information is stored on the phone and why protect it?

A smartphone or tablet often serves as a mobile secretary, freeing the owner's head from holding a large amount of important information. The phone book contains the numbers of friends, co-workers and family members. Credit card numbers, access codes and passwords for social networks, email and payment systems are often written down in the notes app.
The list of recent calls is also very important.
Losing your phone can be a real disaster. Sometimes phones are stolen specifically to pry into someone's personal life or to profit at the owner's expense.
Sometimes they are not stolen at all, but are used for a short time, unnoticed, but a few minutes is quite enough for an experienced malicious user to find out all the details.

The loss of confidential information can result in financial ruin, the collapse of your personal life, and the breakup of your family.
"If only I had never kept it there!" the former owner will say. "How good that you did!" the attacker will say.

And so what needs to be protected on the phone:

  1. Accounts. This includes, for example, access to your Gmail inbox, and the Facebook, Dropbox and Twitter accounts you have set up for synchronization. The logins and credentials (passwords or long-lived tokens) for these services are stored unencrypted in the phone's profile database /data/system/accounts.db.
  2. History of SMS correspondence and phone book also contain confidential information.
  3. Web browser program. The entire browser profile must be protected. It is known that the Web Browser (built-in or third-party) remembers all passwords and logins for you. This is all stored in open form in the program profile folder in the phone’s memory. Moreover, usually the sites themselves (using cookies) remember you and leave access to your account open, even if you did not specify to remember the password.
    If you synchronize a mobile browser (Chrome, Firefox, Maxthon, etc.) with its desktop version to share bookmarks and passwords between devices, then assume that every password synced from your desktop can be read from the phone.
  4. Memory card. If you store confidential files on your memory card or download documents from the Internet. Typically, photos and videos taken are stored on a memory card.
  5. Photo album.

Who should you protect your phone data from:

  1. From a random person who finds your lost phone, or from an "accidental", opportunistic theft.
    In this case the data on the phone is unlikely to be of any value to the new owner, so even a simple pattern lock will keep it safe. Most likely the phone will simply be wiped for reuse.
  2. From prying eyes(co-workers/children/wives), who can gain access to your phone without your knowledge, taking advantage of your absence. Simple protection will ensure the safety of your data.
  3. Coerced access.
    It happens that you are compelled to hand over the phone and unlock it: for example, when your wife, a government official, or an employee of the service centre where you took the phone for repair asks to look at it. In this case any defence is useless. It is possible, though, using additional programs, to hide the fact that some information exists: part of the SMS correspondence, some contacts, some files.
  4. From targeted theft of your phone.
    For example, someone really wanted to know what was on your phone and made an effort to get it.
    In this case, only full encryption of the phone and SD card helps.

Built-in data protection on Android devices .

1. Lock screen with Pattern Key.
This method is very effective in the first and second cases (protection against accidental loss of the phone and protection from prying eyes). If you accidentally lose your phone or forget it at work, no one will be able to use it. But if your phone purposefully fell into the wrong hands, then this is unlikely to save you. Hacking can even occur at the hardware level.

The screen can be locked with a password, PIN code and Pattern Key. You can select the locking method by launching the settings and selecting the Security -> Screen lock section.

Graphic Key (Pattern) - the most convenient and at the same time a reliable way to protect your phone.

None- lack of protection,
Slide- To unlock, you need to swipe your finger across the screen in a certain direction.

Pattern- this is a Graphic Key, it looks something like this:

You can improve security in two ways.
1. Enlarge the pattern input field. It can range from 3x3 dots to 6x6 on some models (from Android 4.2, depending on the Android version and phone model).
2. Hide the display of the points and “path” of the graphic key on the smartphone screen so that it is impossible to peek at the key.

3. Set the screen to automatically lock after 1 minute of inactivity on the phone.

Attention!!! What happens if you forgot your pattern key:

  1. The number of incorrect attempts to draw the pattern is limited to 5 (on some models up to 10).
  2. After you have used up all attempts without drawing the pattern correctly, the phone locks for 30 seconds. After that you will most likely get a couple of attempts again, depending on phone model and Android version.
  3. Next, the phone asks for the login and password of the Google account registered in the phone's Accounts settings.
    This only works if the phone or tablet is connected to the Internet. Otherwise you are stuck, and the only way out is a reset to factory settings.

It happens that the phone falls into the hands of a child - he starts playing, draws the key many times and this leads to the key being blocked.
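To put numbers on the grid-size and lockout points above, here is an added example (not from the article) that enumerates every valid unlock pattern on an n x n grid under Android's rule that a stroke may not jump over an unvisited dot, and works out how long the five-attempts-then-30-seconds lockout stretches a full search. The 3x3 result (389,112 patterns) is the well-known figure; treating the larger 4x4 to 6x6 grids some vendors offer with the same segment rule is this example's own assumption.

```python
# Added example (not from the article): size of the pattern-lock key space and
# what the 5-attempts / 30-second lockout does to an online guessing attack.
# Rule implemented: every grid dot lying on the straight segment between two
# consecutive dots must already be part of the pattern. For 3x3 this is exactly
# Android's midpoint rule; for the larger grids some vendors ship, the same
# segment rule is assumed.
from math import gcd, log2


def dots_between(a, b, n):
    """Indices of dots lying strictly between dots a and b (0-based, row-major)."""
    if a == b:
        return []
    r1, c1 = divmod(a, n)
    r2, c2 = divmod(b, n)
    dr, dc = r2 - r1, c2 - c1
    g = gcd(abs(dr), abs(dc))
    return [(r1 + dr // g * k) * n + (c1 + dc // g * k) for k in range(1, g)]


def count_patterns(n=3, min_len=4, max_len=None):
    """Return {length: number of valid patterns} for an n x n grid."""
    size = n * n
    max_len = max_len or size
    # For every (from, to) pair, the bitmask of dots that must already be used.
    blocked = [[sum(1 << d for d in dots_between(a, b, n)) for b in range(size)]
               for a in range(size)]
    counts = {}

    def dfs(last, used, length):
        if length >= min_len:
            counts[length] = counts.get(length, 0) + 1
        if length == max_len:
            return
        row = blocked[last]
        for nxt in range(size):
            bit = 1 << nxt
            if used & bit or (row[nxt] & ~used):
                continue  # dot already used, or the stroke would skip an unused dot
            dfs(nxt, used | bit, length + 1)

    for start in range(size):
        dfs(start, 1 << start, 1)
    return counts


def entropy_bits(total):
    """Key-space size expressed in bits, for comparison with PINs and passwords."""
    return log2(total)


def exhaust_seconds(total, attempts_per_lockout=5, lockout=30):
    """Worst-case time to try every pattern by hand at the lock screen, counting
    only the forced pauses (human input time is ignored)."""
    return total / attempts_per_lockout * lockout


if __name__ == "__main__":
    counts = count_patterns(3)
    total = sum(counts.values())
    print(counts, total, f"{entropy_bits(total):.1f} bits",
          f"{exhaust_seconds(total) / 86400:.1f} days of lockouts")
```

The 3x3 space is about 18.6 bits, less than a 6-digit PIN, and a 9-dot pattern adds nothing over an 8-dot one. The lockout alone adds roughly 27 days of forced pauses to a full manual search, which is why the pattern is fine against a curious co-worker but only encryption matters once the storage has been dumped.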

PIN- this is a password consisting of several numbers.

And finally, Password- the most reliable protection, with the ability to use letters and numbers. If you decide to use a password, then you can enable the Phone encryption option.

Encryption of phone memory.

The function is available from Android 3.0 on tablets and 4.0 on phones, but it may be missing on many budget phones.
It encrypts the phone's internal memory so that it can only be accessed with the password or PIN. Encryption helps protect the information on the phone in the event of targeted theft: without the password an attacker cannot read the data. One caveat: on devices before Android 5.0 the key depends on the PIN alone, so a short PIN can be guessed offline from a copy of the storage; from 5.0 on the key is tied to the device's secure hardware, which closes that avenue.

A prerequisite for using encryption is a screen lock with a password.
This protects the user data held in the phone's memory: the phone book, browser settings, passwords used on the Internet, and photos and videos taken with the camera that have not been copied to the SD card.

SD card encryption is enabled as a separate option.
- Memory encryption may take up to an hour depending on the amount of memory on the device. The phone cannot be used during encryption.

What if you forgot your password?

There is no password recovery in this case. You can do a full RESET of the phone or tablet, i.e. reinstall Android, but the user data on it will be erased. So an attacker who does not know the unlock password cannot use the phone, nor can he read the phone's memory with other programs by connecting it to a computer, because all internal memory is encrypted. The only way to get the phone working again is to wipe it.

Attention, the full encryption function is present only starting from Android OS 4.0 - 4.1 and may simply not be available on some phone models. Most often found in phones from Samsung, HTC, LG, Sony. Some Chinese models also have an encryption function. On some phones this function is located in the “Memory” section.

Drawbacks:

  1. You will need to constantly enter a fairly complex password (6-10 characters) even if you just want to make a call. Although it is possible to set a long time interval (30 minutes) during which the password will not be requested when you turn on the phone screen. On some phone models, the minimum password length can be 3 characters.
  2. On some phone models, it is not possible to disable encryption if you want to avoid having to constantly enter a password. Encryption can only be disabled by returning the phone to factory settings and deleting all data.

Encrypting an external SD memory card

The function is included in the standard Android 4.1.1 package for tablets. Missing from many budget builds.
The function provides reliable data protection on an external SD card. Personal photographs, text files with commercial and personal information can be stored here.
Allows you to encrypt files on an SD card without changing their names or file structure, while maintaining a preview of graphic files (icons). The function requires setting a display lock password of at least 6 characters.

It is possible to cancel encryption. When changing the password, automatic re-encryption occurs.
If the user has lost the memory card, the encrypted files cannot be read through the card-reader. If you put it on another tablet with a different password, then the encrypted data also cannot be read.
Other Encryption Properties:

  • Transparent encryption. If the card is inserted into the tablet and the user has unlocked the screen with a password, any application sees the files in decrypted form.
  • If you connect the tablet via a USB cable to a computer, encrypted files can also be read on the computer by first unlocking the card from the screen of the mobile device.
  • If you write some other unencrypted files onto the card via the card-reader, they will also be encrypted after inserting the card into the tablet.
  • If you have an encrypted card, you cannot cancel the lock password.
  • Data is encrypted at the file level (the file names are visible, but the contents of the file are encrypted).

Drawback: missing from most Android builds.

It should be emphasized that the best safeguard for your data is a complete copy of it on your computer: a smartphone is a fairly fragile little device, and there is always a chance of it breaking or being lost.

Improving the usability of a secure smartphone

Full phone encryption provides the strongest level of protection, but constantly entering a 6-digit password makes it difficult to use. But there is a solution.

Select a pattern, PIN or password to set up your security.

You will be offered a choice: protection using a PIN code, password or pattern at startup. The choice is up to you, but we recommend choosing some kind of protection as it increases the security of your device.

Note that even with a fingerprint reader, you can't use your fingerprint to unlock the device the first time you boot—you'll have to enter a password, PIN, or pattern. Once the device has been decrypted using the correct method, the fingerprint scanner can already be used to unlock the screen.

From now on, your device will be encrypted, but if you want to disable encryption, you can do so by performing a factory reset. If you have a new device that automatically has encryption enabled, there is no way to disable it, not even through a factory reset.

Data encryption in Android is closely tied to two problems: controlling access to memory cards and moving applications onto them. Many programs hold activation data, payment information and confidential information, and protecting it requires access rights, which FAT32, the usual file system on cards, does not support. So the approach to encryption changed dramatically from one Android version to the next: from no cryptographic protection of removable media at all to deep integration of the card into a single volume with on-the-fly encryption.

The special role of the memory card

Initially, Android developers intended to use the memory card only as a separate storage for user files. It was just a multimedia warehouse without any requirements for its protection and reliability. microSD(HC) cards with FAT32 coped well with the role of simple storage, freeing the internal memory from photos, videos and music.

The ability to transfer not only multimedia files, but also applications to a memory card first appeared in Android 2.2 Froyo. It was implemented using the concept of encrypted containers for each application, but this exclusively protected against the card falling into the wrong hands - but not the smartphone.

In addition, this was a half-measure: many programs were transferred partially, leaving some of the data in the internal memory, and some (for example, system ones or containing widgets) were not transferred to the card at all. The very possibility of transferring applications depended on their type (pre-installed or third-party) and internal structure. For some, the directory with user data was immediately located separately, while for others it was located in a subdirectory of the program itself.

Where applications performed intensive read/write operations, the reliability and speed of the cards no longer satisfied developers, so they deliberately made their programs non-movable by standard means. This trick guaranteed that their creations lived in the internal memory, with its far greater write endurance and performance.

With the fourth version of Android, it became possible to choose where to place the application. It was possible to designate a memory card as a disk for installing programs by default, but not all firmware correctly supported this function. How it works in a specific device could only be determined experimentally.

In the fifth Android, Google again decided to return to the original concept and did everything to make it as difficult as possible to transfer applications to a memory card. Major manufacturers caught the signal and added their own monitoring functions to the firmware, detecting user attempts to force applications onto the card using root. Only the option of creating hard or symbolic links worked more or less. In this case, the application was determined by the standard address in the built-in memory, but was actually located on the card. However, confusion was caused by file managers, many of which did not process links correctly. They showed the wrong amount of free space because they believed that the application supposedly took up space in both the built-in memory and the card at the same time.

Adapt it!

Android Marshmallow introduced a compromise called Adoptable Storage: Google's attempt to have it both ways.

The Adoptable Storage function allows you to combine a user partition in the built-in memory with a partition on the card into one logical volume. In fact, it creates an ext4 or F2FS partition on the card and adds it to the user partition of the internal memory. This is a purely logical merge operation, vaguely reminiscent of creating a spanned volume from several physical disks in Windows.

During the merge with internal memory the card is reformatted. By default its entire capacity goes into the merged volume. The files on the card can then no longer be read on another device: they are encrypted with a random 128-bit key generated for this card, which is kept in the phone's internal storage (under /data/misc/vold/), itself protected by the device's own encryption.

As an alternative, you can reserve space on the card for a second partition with FAT32. The files stored on it will be visible on all devices, as before.

The method for dividing the card is set either through the Adoptable Storage menu or through the Android Debug Bridge (ADB). The last option is used in cases where the manufacturer has hidden Adoptable Storage from the menu, but has not removed this function from the firmware. For example, it is hidden in the Samsung Galaxy S7 and top LG smartphones. Recently, there has been a general tendency to remove Adoptable Storage from flagship devices. It is considered a crutch for budget smartphones and tablets that do not come with a sufficient amount of built-in Flash memory.

However, it is not up to marketers to decide how we use our devices. Through ADB on a Windows computer, Adoptable Storage is enabled as follows.

  1. Back up all data on the card: it will be reformatted.
  2. Install the Java SE Development Kit from the Oracle website.
  3. Install the latest Android SDK (the platform-tools package contains adb).
  4. Enable USB debugging on the smartphone.
  5. Open a command prompt in the platform-tools directory and find the card's identifier:

    $ adb shell sm list-disks

    which prints something like disk:179,32. Then merge the whole card into the internal memory:

    $ adb shell sm partition disk:x,y private

    where x,y is the memory card number from the previous command.

  6. If you want to keep part of the card as a FAT32 volume, change the command from step 5 to:

    $ adb shell sm partition disk:x,y mixed nn

    where nn is the percentage of the card to leave as the FAT32 volume.

For example, the command adb shell sm partition disk:179,32 mixed 20 adds 80% of the card's capacity to the built-in memory and leaves a FAT32 volume with 1/5 of its capacity.

On some smartphones, this method “as is” no longer works and requires additional tricks. Manufacturers are doing everything to artificially divide their products into market niches. Top models are available with different amounts of built-in memory, and there are fewer and fewer people willing to overpay for it.

Some smartphones do not have a memory card slot (for example, the Nexus series), but support connecting USB-Flash drives in OTG mode. In this case, the flash drive can also be used to expand the internal memory. This is done with the following command:

$ adb shell sm set - force - adoptable true

By default, the ability to use USB-OTG to create custom storage is disabled because unexpected removal could result in data loss. The likelihood of a memory card suddenly disconnecting is much lower due to its physical placement inside the device.

If problems arise with adding the volume of removable media or dividing it into partitions, then first remove all information about the previous logical layout from it. This can be done reliably using the Linux utility gparted, which on a Windows computer is launched from a boot disk or in a virtual machine.

According to official Google policy, applications can be directly installed or moved to a custom store if the developer has specified this in the android:installLocation attribute. The irony is that not all of Google's own apps allow this yet. There are no practical limits to “adapted storage” in Android. The theoretical limit for Adoptable Storage is nine zettabytes. There are not so many even in data centers, and even more so, memory cards of larger capacity will not appear in the coming years.

The encryption procedure itself when creating an adapted storage is performed using dm-crypt - the same Linux kernel module that performs full-disk encryption of the built-in memory of a smartphone (see the previous article “”). The AES algorithm is used in ciphertext block chaining (CBC) mode. A separate initialization vector with salt (ESSIV) is generated for each sector. The length of the SHA hash function is 256 bits, and the key itself is 128 bits.

This implementation, although inferior in reliability to AES-XTS-256, is much faster and is considered reliable enough for consumer devices. A nosy neighbor is unlikely to open an encrypted adapted storage in a reasonable time, but intelligence agencies have long learned to exploit the shortcomings of the CBC scheme. In addition, in reality, not all 128 bits of the key are completely random. Unintentional or intentional weakening of the built-in pseudo-random number generator is the most common problem in cryptography. It affects not only Android gadgets, but all consumer devices in general. Therefore, the most reliable way to ensure privacy is not to store confidential data on your smartphone at all.

If you perform a factory reset after merging the memory using Adoptable Storage, the data on the card will also be lost. Therefore, it’s worth making a backup of them first, or better yet, immediately assigning cloud synchronization.

Alternative encryption of data on a memory card

Now that we have dealt with the peculiarities of storing files on a memory card in different versions of Android, let’s move on directly to encrypting them. If you have a device with Android 6 or newer, then with a high probability you can activate the Adoptable Storage function in it one way or another. Then all data on the card will be encrypted, just like in the built-in memory. Only the files on the additional FAT32 partition will remain open if you wanted to create it when reformatting the card.

In earlier releases of Android, things are much more complicated, since before version 5.0, cryptographic protection did not affect memory cards at all (except for data from ported applications, of course). “Regular” files on the card remained open. To close them from prying eyes, you will need third-party utilities (which often turn out to be just a graphical shell for built-in tools). With all the variety of existing methods, four are fundamentally different:

  • use of a universal cryptocontainer - a file with an image of an encrypted volume in a popular format that applications for different OSes can work with;
  • transparent encryption of files in a specified directory via the FUSE driver and a third-party utility for creating/mounting an encrypted partition as a file;
  • encryption of the entire memory card via dm-crypt;
  • using a “black box” - a separate application that stores encrypted data in its own format and does not provide access to it for third-party programs.

The first option is familiar to anyone who uses TrueCrypt or one of its forks on a computer. There are applications for Android that support TrueCrypt containers, but their limitations are different.

The second option allows you to organize “transparent encryption”, that is, store all data encrypted and decrypt it when accessed from any application. To do this, all data from the selected directory is represented as the contents of a virtual file system with support for on-the-fly encryption. EncFS is usually used, which we will talk about in more detail below.

The third option is built-in dm-crypt. You can use it, for example, through LUKS Manager. The application requires root and BusyBox installed. Its interface is not for everyone.

LUKS Manager creates a crypto container on the card as a file. This container can be connected to an arbitrary directory and worked with it as with a regular one. The advantage is that this solution has cross-platform support. You can work with the container not only on an Android gadget, but also on a desktop: on Linux - through cryptsetup, and on Windows - through the program or its fork LibreCrypt. The downside is the inconvenience of using it in conjunction with cloud services. Every time in the cloud you have to resave the entire container, even if one byte has changed.

The fourth option is generally of little interest, since it greatly limits the scenarios for using encrypted files. They can only be opened by some specialized application and trust that its developer has succeeded in studying cryptography. Unfortunately, most of these applications do not stand up to criticism. Many of them have nothing to do with cryptography at all, since they simply mask files instead of encrypting them. In this case, the description may mention strong algorithms (AES, 3DES...) and quotes from Schneier’s “Applied Cryptography”. At best, such programs will have very poor encryption implementation, and at worst, there will be no encryption at all.

There is no official client for Android for VeraCrypt and is not planned, but its authors recommend using the EDS (Encrypted Data Store) application. This is a Russian development, existing in a fully functional and lightweight version. The full version of EDS costs 329 rubles. It supports crypto containers of the TrueCrypt, VeraCrypt, CyberSafe format, as well as LUKS and EncFS. Can work with local, network and cloud storage, providing other applications with transparent encryption. On-the-fly encryption requires OS kernel support for the FUSE framework and root rights. Normal work with crypto containers is possible on any firmware.

The EDS Lite version is distributed free of charge and has functional limitations. For example, it can work exclusively with containers containing a volume with the FAT file system, encrypted using the AES algorithm with a 256-bit key length and using the SHA-512 hash function. It does not support other options. Therefore, it is worth focusing on the paid version.

Crypto container is the most reliable and universal way. It can be stored in any file system (even FAT32) and used on any device. All data that you encrypted on your desktop will become available on your smartphone, and vice versa.

EncFS

In 2003, Valient Gough (a software engineer from Seattle who wrote software for NASA and later worked for Google and Amazon) released the first release of a free file system with a built-in transparent encryption mechanism - EncFS. It interacts with the OS kernel through a callback layer, receiving requests through the libfuse interface of the FUSE framework. At the user's choice, EncFS uses one of the symmetric algorithms implemented in the OpenSSL library - AES and Blowfish.

Since EncFS uses the principle of creating a virtual file system, it does not require a separate partition. On Android OS, you just need to install an application that supports EncFS and just point it to a couple of directories. One of them will store the encrypted content (let it be called vault), and the second - temporarily decrypted files (let's call it open).

After entering the password, the files are read from the directory vault and are stored decrypted in open(as in a new mount point) where all applications can access them. After finishing work, click the Forget Decryption button (or its equivalent) in the application. Catalog open will be unmounted, and all decrypted files from it will disappear.

Disadvantages: EncFS does not support hard links, since the data is bound not to the inode, but to the file name. For the same reason, file names up to 190 bytes in length are supported. In the catalog vault file names and contents will be hidden, but metadata will remain available. You can find out the number of encrypted files, their permissions, and the last time they were accessed or modified. There is also a clear sign of using EncFS - this is a settings file with the encfs prefix and the version number in its name. The file contains encryption parameters, including the algorithm, key length, and block size.

A paid audit of EncFS was performed in February 2014. It concludes that "EncFS is likely to be secure as long as the attacker has only one set of encrypted files and nothing more." If more data is available to the attacker (for example, two snapshots of the file system taken at different times), then EncFS cannot be considered reliable.

Once installed, EncFS will be visible as a separate userspace file system through the FUSE driver. Access to it will be realized through some third-party application - for example, the Encdroid or Cryptonite file manager. The latter is based on the EncFS source code, so we will focus on it.

Cryptonite

The latest version of the Cryptonite application is 0.7.17 beta dated March 15, 2015. It can be installed on any device with Android 4.1 and higher, but some functions work more stably in Android 4.3 and later versions.

Most operations in Cryptonite do not require root or any specific components. Creating EncFS volumes and synchronizing with Dropbox can be performed on both official and custom firmware.

Cloud synchronization of encrypted files

However, a number of operations will require mounting EncFS volumes, which requires root rights and support for the FUSE framework by the OS kernel. The use of FUSE is necessary to organize “transparent encryption”, that is, so that other applications can access encrypted data and receive it already decrypted. Most older firmwares do not support FUSE, but it is available in CyanogenMod, MIUI, AOKP and other custom ones. Starting with Android 4.4, FUSE is standardly used to emulate an SD card in the built-in memory.

Disadvantages: When you click “Decrypt” and successfully enter the password, Cryptonite creates a temporary copy of the decrypted file in /data/data/csh.cryptonite/app_open/. A copy of the file is marked as world readable (readable and executable for everyone). You can delete decrypted files by clicking the Forget Decryption button.

conclusions

The method of encrypting data on a memory card should be chosen based on two main criteria: the usage scenario and the Android version. On modern gadgets with Android 6.0 and higher, the easiest option is to use Adoptable Storage, attach the card to the internal memory and transparently encrypt the entire logical volume. If you need to make files available on other devices or add encryption of data on a card in older devices, crypto containers of proven formats are suitable. It is better to avoid third-party “thing-in-itself” utilities altogether, since instead of real data protection, they often only imitate it.

Last updated by at February 18, 2017.

Data encryption in the Android OS is closely tied to two problems: controlling access to memory cards and moving applications onto them. Many programs keep activation data, payment details and other confidential information. Protecting it requires access-rights management, which the FAT32 file system typically used on cards does not support. That is why the approach to encryption changed dramatically in each Android version: from no cryptographic protection of removable media at all to their deep integration into a single partition with on-the-fly encryption.

The special role of the memory card

Initially, Android's developers intended the memory card to be no more than separate storage for user files: a media dump with no requirements for protection or reliability. microSD(HC) cards with FAT32 coped well with the role of simple storage, freeing the internal memory of photos, videos and music.

The ability to move not only media files but also applications to the memory card first appeared in Android 2.2 Froyo. It was implemented as an encrypted container per application, but this protected only against the card itself falling into the wrong hands, not the smartphone.

It was also a half-measure: many programs were moved only partially, leaving some of their data in internal memory, and some (for example, system apps or apps with widgets) could not be moved to the card at all. Whether an application could be moved depended on its type (pre-installed or third-party) and internal structure: for some, the directory with user data was kept separately from the start, for others it lived in a subdirectory of the program itself.

For applications that performed intensive read/write operations, the reliability and speed of the cards no longer satisfied developers, so they deliberately made their programs impossible to move by standard means. This trick guaranteed that their creations stayed in internal memory, which has a far higher write endurance and better performance.

With the fourth version of Android it became possible to choose where to place an application. A memory card could be designated as the default installation disk, but not all firmware supported this function correctly, and how it behaved on a specific device could only be determined experimentally.

In the fifth Android, Google decided to return to the original concept and did everything to make moving applications to a memory card as difficult as possible. Major manufacturers took the hint and added their own monitoring functions to the firmware, detecting attempts to force applications onto the card with root. Only the trick of creating hard or symbolic links worked more or less: the application was found at its standard path in internal memory but actually lived on the card. This, however, confused file managers, many of which did not handle links correctly and showed the wrong amount of free space, believing that the application took up space in both internal memory and the card at once.

Adapt it!

Android Marshmallow introduced a compromise called Adoptable Storage: Google's attempt to keep the wolves fed and the sheep safe, as the saying goes.

The Adoptable Storage function allows you to combine a user partition in the built-in memory with a partition on the card into one logical volume. In fact, it creates an ext4 or F2FS partition on the card and adds it to the user partition of the internal memory. This is a purely logical merge operation, vaguely reminiscent of creating a spanned volume from several physical disks in Windows.

During the process of combining with internal memory, the card is reformatted. By default, its entire capacity will be used in the merged volume. In this case, the files on the card can no longer be read on another device - they will be encrypted with a unique device key, which is stored inside the trusted execution environment.

As an alternative, you can reserve space on the card for a second partition with FAT32. The files stored on it will be visible on all devices, as before.

The method for dividing the card is set either through the Adoptable Storage menu or through the Android Debug Bridge (ADB). The last option is used in cases where the manufacturer has hidden Adoptable Storage from the menu, but has not removed this function from the firmware. For example, it is hidden in the Samsung Galaxy S7 and top LG smartphones. Recently, there has been a general tendency to remove Adoptable Storage from flagship devices. It is considered a crutch for budget smartphones and tablets that do not come with a sufficient amount of built-in Flash memory.

However, it is not up to marketers to decide how we use our devices. Through ADB on a Windows computer, the Adoptable Storage function is enabled as follows.

  1. Make a backup of all data on the card - it will be reformatted.
  2. Install the Java SE Development Kit from the Oracle website.
  3. Install the latest version of Android SDK Manager.
  4. Enable USB debugging on your smartphone.
  5. Launch SDK Manager and enter the partitioning command on the command line:

     where x:y is the memory card number.
  6. If you want to leave part of the card for a FAT32 volume, change the command from step 5 to this:

     $ sm partition disk:x:y mixed nn

     where nn is the percentage of the card left for the FAT32 volume.

For example, the command sm partition disk:179:32 mixed 20 will add 80% of the card’s capacity to the built-in memory and leave a FAT32 volume on it with 1/5 of its capacity.

On some smartphones, this method “as is” no longer works and requires additional tricks. Manufacturers are doing everything to artificially divide their products into market niches. Top models are available with different amounts of built-in memory, and there are fewer and fewer people willing to overpay for it.

Some smartphones have no memory card slot (for example, the Nexus series) but support connecting USB flash drives in OTG mode. In this case, the flash drive can also be used to expand internal memory. This is done with the following command:

$ adb shell sm set-force-adoptable true

By default, using a USB OTG drive as adoptable storage is disabled, because its unexpected removal could result in data loss. A memory card is much less likely to be suddenly disconnected, since it sits physically inside the device.

If problems arise when adopting removable media or partitioning it, first remove all traces of its previous logical layout. This can be done reliably with the Linux utility GParted, which on a Windows computer is launched from a boot disk or in a virtual machine.

According to official Google policy, applications can be installed directly to or moved to adopted storage if the developer has allowed this in the android:installLocation attribute. The irony is that not all of Google's own apps allow it yet. There are no practical limits on adopted storage in Android: the theoretical limit is nine zettabytes. Even data centers do not hold that much, let alone memory cards, and cards of such capacity will not appear in the coming years.

The encryption itself when creating adopted storage is performed by dm-crypt, the same Linux kernel module that performs full-disk encryption of a smartphone's internal memory (see the previous article “”). AES is used in cipher block chaining (CBC) mode, with a separate initialization vector derived for each sector by the encrypted salt-sector IV scheme (ESSIV). The hash function is SHA-256, and the key itself is 128 bits.

This implementation, although weaker than AES-XTS-256, is much faster and is considered reliable enough for consumer devices. A nosy neighbor is unlikely to open encrypted adopted storage in a reasonable time, but intelligence agencies have long learned to exploit the shortcomings of the CBC scheme. Moreover, in reality not all 128 bits of the key are fully random: unintentional or deliberate weakening of the built-in pseudo-random number generator is the most common problem in cryptography, and it affects not only Android gadgets but consumer devices in general. Therefore, the most reliable way to ensure privacy is not to store confidential data on a smartphone at all.
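The ESSIV construction and the CBC property alluded to above, as an added Go illustration (not Android's or dm-crypt's own code): a 128-bit volume key, a per-sector IV computed by encrypting the sector number under AES keyed with SHA-256 of the volume key, 512-byte sectors in CBC mode, and a measurement of what flipping one ciphertext bit does to the decrypted sector. The key and sector contents are constructed for the demo; the IV input layout (little-endian sector number, zero-padded to 16 bytes) is dm-crypt's as I know it, not something the article states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

const sectorSize = 512 // dm-crypt's default sector size

// SectorCipher models dm-crypt's aes-cbc-essiv:sha256 mapping as the text
// describes it: AES-CBC under a 128-bit volume key, with a per-sector IV made by
// encrypting the sector number under AES keyed with SHA-256(volume key).
type SectorCipher struct {
	data  cipher.Block // AES-128 keyed with the 128-bit volume key
	essiv cipher.Block // AES-256 keyed with SHA-256(volume key)
}

// NewSectorCipher derives the ESSIV key from the volume key.
func NewSectorCipher(key []byte) (*SectorCipher, error) {
	if len(key) != 16 {
		return nil, fmt.Errorf("want a 128-bit key, got %d bits", len(key)*8)
	}
	data, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	salt := sha256.Sum256(key) // the "salt" in ESSIV: a hash of the volume key
	essiv, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	return &SectorCipher{data: data, essiv: essiv}, nil
}

// IV returns the ESSIV for a sector: AES_{SHA256(key)}(LE64(sector) || 0^8).
func (c *SectorCipher) IV(sector uint64) []byte {
	var in, out [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(in[:8], sector)
	c.essiv.Encrypt(out[:], in[:])
	return out[:]
}

// crypt runs one whole 512-byte sector through CBC under that sector's ESSIV.
func (c *SectorCipher) crypt(sector uint64, in []byte, mode func(cipher.Block, []byte) cipher.BlockMode) ([]byte, error) {
	if len(in) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(in))
	}
	out := make([]byte, sectorSize)
	mode(c.data, c.IV(sector)).CryptBlocks(out, in)
	return out, nil
}

// EncryptSector encrypts one sector; DecryptSector is its inverse.
func (c *SectorCipher) EncryptSector(sector uint64, plain []byte) ([]byte, error) {
	return c.crypt(sector, plain, cipher.NewCBCEncrypter)
}
func (c *SectorCipher) DecryptSector(sector uint64, ct []byte) ([]byte, error) {
	return c.crypt(sector, ct, cipher.NewCBCDecrypter)
}

// BitFlipEffect measures the CBC weakness the text alludes to: CBC has no
// integrity protection, and a change to ciphertext block i garbles plaintext
// block i while flipping exactly the same bit in plaintext block i+1. It flips
// bit `bit` of ciphertext block `block` and returns the per-block Hamming
// distance between the original and the tampered decryption.
func BitFlipEffect(c *SectorCipher, sector uint64, plain []byte, block, bit int) ([]int, error) {
	ct, err := c.EncryptSector(sector, plain)
	if err != nil {
		return nil, err
	}
	tampered := append([]byte(nil), ct...)
	tampered[block*aes.BlockSize+bit/8] ^= 1 << (bit % 8)
	pt, err := c.DecryptSector(sector, tampered)
	if err != nil {
		return nil, err
	}
	dist := make([]int, sectorSize/aes.BlockSize)
	for i := range dist {
		for j := 0; j < aes.BlockSize; j++ {
			k := i*aes.BlockSize + j
			dist[i] += bits.OnesCount8(plain[k] ^ pt[k])
		}
	}
	return dist, nil
}

// ConstructedKey is a fixed 128-bit key for the demo only; a real volume key
// is generated on the device and kept in its trusted execution environment.
var ConstructedKey = []byte("0123456789abcdef")

// SampleSector returns a constructed plaintext sector, not real device data.
func SampleSector() []byte {
	p := make([]byte, sectorSize)
	copy(p, "constructed sector contents for the ESSIV demo")
	return p
}
```

XTS, which the paragraph above compares this mode to, is not authenticated either, but a flipped ciphertext bit there only garbles its own 16-byte block and gives no such controlled one-bit change in the neighbouring block.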

If you perform a factory reset after merging the memory with Adoptable Storage, the data on the card is lost as well. It is therefore worth backing it up first, or better still, setting up cloud synchronization right away.

Alternative encryption of data on a memory card

Now that we have dealt with the peculiarities of storing files on a memory card in different versions of Android, let's move on to encrypting them. If you have a device with Android 6 or newer, you can most likely activate Adoptable Storage one way or another. Then all data on the card is encrypted, just like in internal memory; only the files on the additional FAT32 partition, if you chose to create one when reformatting the card, remain open.

In earlier releases of Android things are much more complicated, since before version 5.0 cryptographic protection did not cover memory cards at all (except, of course, for the data of moved applications). "Regular" files on the card stayed open. To hide them from prying eyes you need third-party utilities (which often turn out to be just a graphical front end for built-in tools). For all the variety of existing methods, four are fundamentally different:

  • use of a universal cryptocontainer - a file with an image of an encrypted volume in a popular format that applications for different OSes can work with;
  • transparent encryption of files in a specified directory via the FUSE driver and a third-party utility for creating/mounting an encrypted partition as a file;
  • encryption of the entire memory card via dm-crypt;
  • using a “black box” - a separate application that stores encrypted data in its own format and does not provide access to it for third-party programs.

The first option is familiar to anyone who uses TrueCrypt or one of its forks on a computer. There are Android applications that support TrueCrypt containers, each with its own limitations.

The second option allows you to organize “transparent encryption”, that is, store all data encrypted and decrypt it when accessed from any application. To do this, all data from the selected directory is represented as the contents of a virtual file system with support for on-the-fly encryption. EncFS is usually used, which we will talk about in more detail below.

The third option is built-in dm-crypt. You can use it, for example, through LUKS Manager. The application requires root and BusyBox installed. Its interface is not for everyone.

LUKS Manager creates a crypto container on the card as a file. This container can be mounted on an arbitrary directory and used like a regular one. The advantage is that this solution is cross-platform: you can work with the container not only on an Android gadget but also on a desktop, on Linux through cryptsetup and on Windows through the program or its fork LibreCrypt. The downside is the inconvenience of using it together with cloud services: the entire container has to be re-uploaded to the cloud every time, even if only one byte has changed.

The fourth option is of little interest, since it greatly limits the scenarios for using encrypted files. They can only be opened by one specialized application, and you have to trust that its developer got the cryptography right. Unfortunately, most of these applications do not stand up to scrutiny. Many of them have nothing to do with cryptography at all, since they simply obscure files instead of encrypting them, while the description may mention strong algorithms (AES, 3DES...) and quote Schneier's "Applied Cryptography". At best, such programs have a very poor encryption implementation; at worst, there is no encryption at all.

There is no official VeraCrypt client for Android and none is planned, but its authors recommend the EDS (Encrypted Data Store) application. This is a Russian development, available in a full and a lite version. The full version of EDS costs 329 rubles. It supports crypto containers in the TrueCrypt, VeraCrypt and CyberSafe formats, as well as LUKS and EncFS. It can work with local, network and cloud storage, providing other applications with transparent encryption. On-the-fly encryption requires kernel support for the FUSE framework and root rights; ordinary work with crypto containers is possible on any firmware.

The EDS Lite version is free but functionally limited: it works only with containers holding a FAT volume encrypted with AES using a 256-bit key and the SHA-512 hash function, and supports no other options. It is therefore worth focusing on the paid version.

A crypto container is the most reliable and universal method. It can be stored on any file system (even FAT32) and used on any device. All data you encrypted on your desktop becomes available on your smartphone, and vice versa.

EncFS

In 2003, Valient Gough (a software engineer from Seattle who wrote software for NASA and later worked for Google and Amazon) published the first release of a free file system with a built-in transparent encryption mechanism, EncFS. It interacts with the OS kernel through a callback layer, receiving requests through the libfuse interface of the FUSE framework. At the user's choice, EncFS uses one of the symmetric algorithms implemented in the OpenSSL library: AES or Blowfish.

Since EncFS works as a virtual file system, it does not require a separate partition. On Android you only need to install an application that supports EncFS and point it at a pair of directories. One will hold the encrypted content (let's call it vault), the other the temporarily decrypted files (let's call it open).

After you enter the password, the files are read from the vault directory and appear decrypted in open (as a new mount point), where all applications can access them. When you have finished, click the Forget Decryption button (or its equivalent) in the application: the open directory is unmounted, and all decrypted files in it disappear.

Disadvantages: EncFS does not support hard links, since the data is bound not to the inode but to the file name. For the same reason, file names are limited to 190 bytes. In the vault directory, file names and contents are hidden, but metadata remains available: you can find out the number of encrypted files, their permissions, and when they were last accessed or modified. There is also a clear sign that EncFS is in use: a settings file with the encfs prefix and the version number in its name. The file contains the encryption parameters, including the algorithm, key length and block size.

A paid audit of EncFS was performed in February 2014. It concludes that "EncFS is likely to be secure as long as the attacker has only one set of encrypted files and nothing more." If more data is available to the attacker (for example, two snapshots of the file system taken at different times), then EncFS cannot be considered reliable.

Once installed, EncFS is visible as a separate userspace file system through the FUSE driver. Access to it goes through some third-party application, for example the Encdroid or Cryptonite file manager. The latter is based on the EncFS source code, so we will focus on it.

Cryptonite

The latest version of the Cryptonite application is 0.7.17 beta dated March 15, 2015. It can be installed on any device with Android 4.1 and higher, but some functions work more stably in Android 4.3 and later versions.

Most operations in Cryptonite do not require root or any specific components. Creating EncFS volumes and synchronizing with Dropbox can be performed on both official and custom firmware.

Cloud synchronization of encrypted files

However, a number of operations require mounting EncFS volumes, which needs root rights and kernel support for the FUSE framework. FUSE is what makes "transparent encryption" possible, that is, lets other applications access encrypted data and receive it already decrypted. Most older firmware does not support FUSE, but it is available in CyanogenMod, MIUI, AOKP and other custom ROMs. Starting with Android 4.4, FUSE is used by default to emulate an SD card in internal memory.

Disadvantages: when you click "Decrypt" and enter the correct password, Cryptonite creates a temporary copy of the decrypted file in /data/data/csh.cryptonite/app_open/. That copy is marked world readable (readable and executable by everyone). You can delete the decrypted files by clicking the Forget Decryption button.

Conclusions

The method of encrypting data on a memory card should be chosen by two main criteria: the usage scenario and the Android version. On modern gadgets with Android 6.0 and higher, the easiest option is Adoptable Storage: attach the card to internal memory and transparently encrypt the entire logical volume. If you need to make files available on other devices, or to add encryption of card data on older devices, crypto containers in proven formats are the right choice. Third-party "thing-in-itself" utilities are best avoided altogether, since instead of real data protection they often only imitate it.

Last updated: February 18, 2017.

Starting with Android 4.2, you can encrypt your entire device using the Android operating system itself. You do not need to purchase or install any additional applications: everything is done by the operating system, and Internet access is not required. You can encrypt your data whenever you see fit.

Android encryption

Encryption works like this: once enabled, all data on the device and on the memory card is encrypted. Of course, if someone unlocks your device they still have access to the data, but encryption protects it if someone steals the memory card or tries to read the internal memory without booting the smartphone. They will not succeed, since the data is encrypted.

When you turn on your smartphone, you will need to enter a password to decrypt the data; without it, the smartphone will not boot further. This is not just a PIN code, it is the key that encrypts your data.

There are some things you should know about device encryption:

  • Encryption is only possible in one direction. Once encrypted, the device cannot be decrypted. You can only reset it to factory settings, but in this case you will lose all data.
  • Encrypting the entire device slows down your smartphone. In the era of 8-core processors and 1 GB or more of RAM this should not cause you any trouble, but on weaker devices the slowdown will be noticeable.
  • Encrypting your device will not save your data in the event that someone asks to view your smartphone, and at that moment either installs a Trojan, or simply manually sends some data of interest to their phone. Only a crypto container can protect against such cases: after all, to access the data inside the container, you will need to enter another password that the attacker does not know.

If you want to encrypt your entire device, go to Settings, Security, then click the Encrypt phone (or Encrypt tablet) button under Encryption. Then follow the instructions.