Gripe With Encryption - Galaxy Note 4 Q&A, Help & Troubleshooting

I am a little upset with the built-in Note 4 encryption. I encrypted my phone with a password because I would like it to be secure; however, when I change my phone password it changes the encryption password to the same thing. This is troubling to me because this tells me that my phone is not necessarily encrypted using the original password I gave it as the unique encryption and decryption key. Could somebody explain to me how the Note 4's encryption works? I just can't believe it is very secure if the so-called encryption key is the exact same as the phone password, which can just be scraped from the RAM.

Sorry to bring this old thread back up.
Regarding scraping from RAM, AFAIK there is currently no known way to use disk encryption on Android or elsewhere without having the key stored in RAM. I recently read about some proofs of concept and other ideas regarding possible different storage locations such as dedicated hardware, but I do not believe any commercial applications use this.
Regarding the key being linked to the password - this is a somewhat different issue from the one above. Usually the drive is encrypted with a master key that is randomly generated and consists of a certain fixed length. That key is then encrypted using your "user password". Therefore, when you change password, you (among other things) decrypt the master key and re-encrypt it, but with the new password. That way the key is not directly tied to the password.
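The wrap-the-master-key scheme the reply above describes, as an added example that is not part of the original thread: a random master key is wrapped under a password-derived key, and a password change only re-wraps it. PBKDF2 comes from the Python standard library; because the standard library has no AES, the wrap uses a fresh password-derived pad plus an HMAC tag instead of AES key wrap, and the iteration count is an assumption, not the Android value.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed value for the demo; Android's real parameters are not on the page


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte wrapping pad and a separate 32-byte MAC key from the password."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return out[:32], out[32:]


def wrap_master_key(master_key: bytes, password: str) -> dict:
    """Encrypt the random master key under the user password (encrypt-then-MAC)."""
    salt = os.urandom(16)                      # fresh salt => fresh pad on every wrap
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(blob: dict, password: str) -> bytes:
    """Recover the master key; a wrong password fails the tag check before any unwrapping."""
    pad, mac_key = _derive(password, blob["salt"])
    tag = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password or corrupted key blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def password_is_valid(blob: dict, password: str) -> bool:
    try:
        unwrap_master_key(blob, password)
        return True
    except ValueError:
        return False


def change_password(blob: dict, old_password: str, new_password: str) -> dict:
    """Password change: unwrap with the old password, re-wrap with the new one.
    The master key itself, and therefore the encrypted disk, is untouched."""
    master = unwrap_master_key(blob, old_password)
    return wrap_master_key(master, new_password)


if __name__ == "__main__":
    master = os.urandom(32)                    # the disk's real key, generated once
    blob = wrap_master_key(master, "first password")
    blob = change_password(blob, "first password", "second password")
    print(unwrap_master_key(blob, "second password") == master)   # True
```

The disk itself is never re-encrypted on a password change; only the small wrapped blob changes.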

New software: RemoteData, alpha

RemoteData (code name, alpha)
Description:
Program to encrypt and locally store data retrieved over HTTP. You define a URL source, get the data, input a password, and the text data is stored locally.
Algorithms used: Rijndael (256-bit key), SHA256. No password is stored (only a strong hash); no recovery option is available. The encrypted file is only valid on the device that saved it. Data is completely secured.
Purpose:
Store your personal data on a server (i.e. yours), update it on demand, store it safely.
Installation:
Just run the cab file. The program doesn't use the registry or temp. It just creates two files in its own directory: one with the password hash (just for initial verification) and one with the encrypted data. If the first is accidentally deleted, it can be restored (if you know your password), but the second one is still safe.
Usage:
Run the application; set your password; add a source (URL and name); refresh the source. On exit, the program will encrypt and save the data. On the next run, just type the password and your data is there (no need for a net connection).
Notes:
I need opinions and proposals, i.e. useful enhancements. Tested on WM6/Schaps 3.6/Hermes and the emulator.
Technically, the data is stored in an XML file in base64 format, but only the item names are not encrypted (so if you lose your password/something breaks, you know what you've had).
Rijndael has the largest key space of the portable symmetric algorithms. To put the size of the key space into perspective, if there was a machine fast enough to brute force a DES key in one second, it would take 149 trillion years to brute force a 128-bit key for the Rijndael algorithm.
Please note: the longer and more complicated the password you provide, the better.
Requirements: CF2
Needs: I need a nice icon and testing. This is one of my first apps for a mobile platform.

Unlock Code Changed (BSB Tweaks Prob)

Okay, my HD2 yesterday forgot my unlock passcode. I have not installed any version of sype, and I'm running the 1.66 WWE stock ROM. My Exchange Server security policies force a passcode.
What I have found (tested) is that an option in BsB Tweaks is causing the problem.
The option that is causing this (or at least for me) is 'Owner Information - show or hide owner in settings'.
When enabled, with the show notes, your owner information and notes are displayed when you wake the phone (before slide to unlock). I wanted this option because it gives you a slightly better chance of recovering your phone if it gets lost.
It works well initially, then for some reason it fails to show; restart the phone and BANG, your passcode won't work!! I have experimented with this and it happens every time.
Thought I'd let you all know my findings, and hopefully this bug can be ironed out.
regards
Paul
I've tested it some more today, and I'm pretty sure that it is the Owner info. Going to leave it off now, but would definitely want this feature fixed. As I said before, it does give me a slightly better chance of getting it back if it gets lost!
Have you tried using the Recovery Password from the Outlook Web Access for your Exchange server?
It's not the Exchange password that gets forgotten, it's the unlock code for the phone!!! You just can't unlock the phone; a hard reset is the only option!!
It's a known problem for some people that install sype! Same thing, your passcode just will not work.
Paul Boy said:
My Exchange Server security policies force a passcode.
Microsoft said:
You can use the EMC, the Shell, or Microsoft Office Outlook Web App to recover a device password.
You can require a device password through Microsoft Exchange ActiveSync policies. A user can configure a device password even if your Exchange ActiveSync policies don't require one. If users forget their password, you can obtain a recovery password using the EMC or the Shell. The recovery password unlocks the device and lets the user create a new password. Users can also recover their device passwords by using Outlook Web App.
Is what I think you are looking for.

[Q] Never use WiFi access point?

Is there any way to tell Android (or CM7, if there's a difference) to never use a particular access point? There are three APs at my office that look equivalent as far as the WiFi software can tell, but two are unusable for administrative reasons, and I'd like to tell my NC to just ignore them. Sometimes it latches onto one of the wrong ones and I have to connect to the right one manually.
Can't just forget them, because they come back next time it scans.
Thanks!
If they can't be accessed then why are they there at all? If they can be accessed by certain people then shouldn't they be password protected? Maybe I'm not understanding the question, but in my home I have 2: one connects to everything on my internal network and that's password protected. The other is for guests, which doesn't need a password.
Anyways I did find this app. I have never used it but from the looks of things it may help.
https://market.android.com/details?id=com.hogdex.WifiRuler&feature=search_result
IFLATLINEI said:
If they can't be accessed then why are they there at all? If they can be accessed by certain people then shouldn't they be password protected? Maybe I'm not understanding the question, but in my home I have 2: one connects to everything on my internal network and that's password protected. The other is for guests, which doesn't need a password.
The answer has more to do with the administratium density in the building than anything sensible. One is fully open, another is open at the 802.11 level and password protected, but you have to access an internal website to find today's password, and the third is inside the firewall but 802.1x protected and they don't support Android for that.
Anyways I did find this app. I have never used it but from the looks of things it may help.
https://market.android.com/details?id=com.hogdex.WifiRuler&feature=search_result
Thanks for the pointer! I've installed it, and it helps quite a bit. I reliably get the new mail notification noise from my bag before I pass through security.

[Q] Secure way to store sensitive information

Hi,
does anyone know what is the most secure way to store sensitive information in an application? Because using internal storage and shared preferences is vulnerable if the person who wants that information has a rooted phone.
The case is that I have some kind of activation code which needs to be stored somewhere inside the phone (not on a server) for further communication and authentication with the server side. That code needs to be secured and not available to other apps and users, even on a rooted phone. Also, the user cannot be bothered with additional verification (he enters the PIN code when he enters the application and sends that code to the server side for authentication).
Bottom line, is there a secure way to store something and be sure that it will remain hidden, even on a rooted phone?
To be honest, I'm not sure it is completely possible to hide it from rooted users. The only thing I could think of was to use a hardware ID and base64 encrypt your activation code while salting it with the hardware ID. Then have your app decrypt and send the activation code to the server when it needs it. It will still be able to be found, but the code will be encrypted and someone would need to know what the salt is to be able to decrypt it, which would take decompiling your app.

Signal with password encryption

Hi there,
we are brainstorming at the Signal forum how we can implement password encryption for the DB. Signal at the moment stores data in SQLCipher and the key is stored in the keystore or in plaintext depending on the Android version. We want to encrypt this key with a user password. To ever get a chance to upstream such a change we need to prove that it is possible to zero out the password with the JVM. Since it gets copied a lot in RAM, moxie is concerned it won't get collected in time. Feel free to help us with a concept for how to accomplish this. At stack I found some info that instead of String you can use char[].
https://community.signalusers.org/t/signal-with-password-encryption-poc/6159
