Does Android encryption really prevent law enforcement access?

  • Google recently announced that in Android L encryption would be turned on by default:

    For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement. As part of our next Android release, encryption will be enabled by default out of the box, so you won't even have to think about turning it on. (Reported by The Washington Post 18-Sep-2014.)

    Currently, if I have an Android phone and I have a Google account associated with that phone, if I forget my phone's PIN I can still get by using my Google account credentials, at least according to Recover Android Device in case of Forgot password/pattern unlock an Android device.

    How does turning on encryption by default help protect against law enforcement accessing the device's data if law enforcement can go to Google and get them to reset the user's Google account credentials and thereby get around the PIN? (Let's assume that the device we are considering has a PIN and a Google account associated with it.)

    https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager This app uncouples the lock screen password and the encryption password (root req)

    Why are you so worried about law enforcement getting hold of your data? I'm sure that if they build a solid enough case against you (let's say terrorism) they will ask Google to provide them with enough information so they can access that data. In which case, I'd say laws (or special made-up rules) beat encryption.

    While not an answer since you have the assumption that the device has a pin, you can set the encryption password to be different than the pin - this would be more secure than having the same pin/password for the encryption AND the lock screen, and if done right the encryption password would never leave the phone, thus Google won't have the technical ability to help much in the matter. Also, as others noted, encryption helps mostly when the device is off - if you want it to be secure, make sure your device turns off regularly without your intervention.

    It appears to be possible to brute-force the PIN that is used to encrypt the disk under certain circumstances. Code was open-sourced at DEF CON 20 which shows this working on a Nexus S and a Galaxy phone by viaForensics. So, use a long non-numerical PIN.

    @FlorinCoada I'd imagine it's little more than asking for a court order, and Google would comply immediately. Fickle factors like your religion, the colour of your skin, etc. could probably make you far more susceptible.

    Any disk encryption software can easily provide a trivial backdoor simply by storing the secret key somewhere on the disk encrypted by some public key provided by the FBI/NSA/etc. So if law enforcement wants to decrypt your whole disk they just send that stored encrypted key to the FBI/NSA/etc... who in turn just use their private key to decrypt it. Super simple trivial backdoor.

  • Disk encryption only protects your phone when it is turned off (i.e., it protects data at rest). Once the device is turned on, data is decrypted transparently, and (at least with the current implementation) the decryption key is available in memory.

    While Android uses the device unlock PIN/password to derive the disk encryption key, the two are completely separate. The only way someone can change your disk encryption password is if there is a device administrator application installed that allows remote administration (or they have a hidden backdoor you don't know about, but in that case you are already owned). UPDATE: the Google account fallback has been removed in 5.0+.

    The article you link seems to be rather old and out of date. In current Android versions, login with Google account is only supported as a fallback to the pattern unlock (not the PIN/password) one, so if you are using PIN/password you are generally OK. Again, this only works if the device is already on, if it is off, they will need the disk encryption password to turn it on (technically to mount the userdata partition).

    That said, because the disk encryption password is the same as the unlock password, most people tend to use a simple PIN which is trivial to brute-force with the current implementation (slightly harder on 4.4, which uses scrypt to derive keys). Android L seems to have improved on this by not deriving the disk encryption password directly from the lockscreen one, but no details are currently available (no source). It does seem that, at least on Nexus devices, the key is hardware-protected (likely TrustZone-based TEE), so brute-forcing should no longer be trivial. (Unless, of course, the TEE is compromised, which has been demonstrated a few times.)

    BTW, turning encryption on also helps with factory reset, because even if some data is left on the flash, it will be encrypted and thus mostly useless.
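    The answer's point that a short numeric PIN is trivial to brute-force offline even with a scrypt KDF comes down to keyspace size times per-guess cost. The following is an added illustration, not code from the original post or from Android: it derives a key from a lock secret with scrypt (assumed, deliberately cheap parameters and a constructed salt, not Android's real ones) and works out the worst-case time to exhaust 4-digit, 6-digit and alphanumeric secrets at the measured per-guess cost.

```python
import hashlib
import os
import time

# Assumed for illustration only: Android's real KDF parameters and salt
# handling are not reproduced here. The scrypt cost is kept small so the
# example runs quickly; a real device's parameters only change the constant.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1
KEY_LEN = 32


def derive_key(secret: str, salt: bytes) -> bytes:
    """Derive a disk-encryption-style key from a lock secret with scrypt."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of a given alphabet and length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       secs_per_guess: float) -> float:
    """Worst-case time to try every candidate secret offline."""
    return keyspace_size(alphabet_size, length) * secs_per_guess


def measure_secs_per_guess(salt: bytes, samples: int = 20) -> float:
    """Time one scrypt derivation on this machine by averaging a few runs."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"{i:04d}", salt)
    return (time.perf_counter() - start) / samples


def compare_secrets(secs_per_guess: float) -> dict:
    """Worst-case exhaustion time, in seconds, for typical lock secrets."""
    return {
        "4-digit PIN": seconds_to_exhaust(10, 4, secs_per_guess),
        "6-digit PIN": seconds_to_exhaust(10, 6, secs_per_guess),
        "8-char alphanumeric": seconds_to_exhaust(62, 8, secs_per_guess),
        "12-char alphanumeric": seconds_to_exhaust(62, 12, secs_per_guess),
    }


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real device stores its own salt
    cost = measure_secs_per_guess(salt)
    for name, secs in compare_secrets(cost).items():
        print(f"{name:22s} {secs / 86400:16.1f} days")
```

The numbers show why the comment above recommends a long non-numeric secret: the KDF cost only multiplies a keyspace that, for a PIN, is tiny to begin with.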

    Google still seems to be able to remotely unlock a device even when using a PIN or password as of Android 4.4. On the Android Device Manager, the existing screen lock mechanism can be replaced with a password entered in the web interface. I haven't checked what happens in case the device is encrypted, though (since this would theoretically bring the lock screen password and the encryption password out of sync).

    I haven't tested this either, but looking at the code, it does seem that this resets the disk encryption password as well (they don't get out of sync). The Android Device Manager works in conjunction with a device administrator app on the device; if you disable it, you cannot reset the lockscreen/encryption password remotely.

    As for the Device Manager, in the current version, you cannot change the unlock PIN/password. You can only set a new one, if the device doesn't have a PIN/password set.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM