Android encryption limitations revealed by cryptography professor

The problem is that the cryptographic keys for the Android file system is always stored in the RAM of the device when active.


A cryptography professor at Johns Hopkins University, Matthew Green, has dissected the way Android N approaches security, and has pointed out that it has a long way to go before achieving the same levels of security as an iPhone. Properly implemented security measures can slow down if not prevent the most sophisticated hacking techniques, but improper implementation can be disastrous in terms of device security.

There are two ways to encrypt the data on a phone. A full disk encryption (FDE) is a popular and easy to implement security measure, where the data is protected at the sector level. File based encryption (FBE) encrypts individual files, and gives a much more granular control of the security measures for each file. FDE has been the historical approach, but one that worked with computers, where the machines were regularly shut down. Smartphones are more or less perpetually on, and require different security approaches from the kinds of encryption used on computers.

The problem is that the cryptographic keys for the Android file system is always stored in the RAM of the device when active. Hacking measures can be used to pull the key from the RAM. If the lock screen is bypassed somehow, then the files can be accessed directly.

Apple has given developers the option of assigning four protection classes to data. Complete protection means that the data can be accessed when the device is powered on and unlocked. Some files can be protected after first authentication, which means the key remains in device memory after a reboot. There are some files with no protection, with access available even when the user has not logged in. A fourth option lets users create new encrypted files without unlocking the phone. An example of this is the camera app being able to take photos from the lock screen itself.

Android on the other hand just offers two options to developers, and according to Green, does not even direct the developers to use the options in the right way. The encryption context are known as Credential encryption storage, and Device encryption storage. Android has an additional security context for multiple users on the same phone. The Android Documentation does not give proper guidance to developers, and this hurts Android security in the long term, according to Green.

Green calls Android encryption as being six years behind the capabilities of the iPhone.

The Director of Security at Android recently announced that the Pixel smartphone by Google was as good as the iPhone when it came to security features. A Chinese hacking team broke through Pixel protection measures in less than a minute. A security researcher revealed that users were in danger of malicious attacks because of flaws in the way Android handled full disc encryption. The vulnerability is the latest in a series of vulnerabilities affecting millions of android users.

The Great Diwali Discount!
Unlock 75% more savings this festive season. Get Moneycontrol Pro for a year for Rs 289 only.
Coupon code: DIWALI. Offer valid till 10th November, 2019 .