Risks of Unencrypted Fire Tablet? - Fire General

The fire tablet are one of the few devices that aren't encrypted by default. What are the theoretical and practical risks of physical attacks on these devices? Encryption seems to have noticeable performance hit when enabled on these devices, and want to understand the tradeoffs.

Welcome to XDA.
I would not encrypt it but bare that in mind by how you use it. Keep it physically secured at all times as well.

blackhawk said:
Welcome to XDA.
I would not encrypt it but bare that in mind by how you use it. Keep it physically secured at all times as well.
Click to expand...
Click to collapse
I ended up encrypting and found the speed serviceable - about as fast as the previous generation unencrypted. However, it might be more susceptible to brute force hacking, especially with just a pin, because when encrypted there is no penalty for failed password entry, whereas there is a 30-second penalty when unencrypted using a wrong password after 5 times. Assuming the most precious thing one has on the tablet is logged into their main email account in an app or browser, I feel like I'm choosing between two scenarios, assuming exploits and social engineering would have the same effect regardless of encryption:
If I encrypt, brute-force hacking becomes easier, since there isn't a penalty to repeated failure when in that mode. Once in, they could simply use my browser session token or email app to cause havoc.
If unencrypted, they could in theory read the data off the tablet, but they would have open the device and have hardware to read the data, know how to remove the session or app data, and put it into a virtual environment where they could cause havoc.
Is that a fair assessment of the situation, and if so, I assume the unencrypted scenarios is more difficult to break, at least for email access. Thoughts?

ZombieParade said:
Thoughts?
Click to expand...
Click to collapse
Yes, Android 5.1 isn't secure. That's it.
with PIN: A brute force attack will get the correct PIN (without penalty) within a few minutes.
w/o PIN: It depends on speed of the USB port how long it takes to create a raw image of /data.

ZombieParade said:
I ended up encrypting and found the speed serviceable
Click to expand...
Click to collapse
It's a full disk encryption. After entering the correct display pattern /data will be mounted decrypted.

ZombieParade said:
I ended up encrypting and found the speed serviceable - about as fast as the previous generation unencrypted. However, it might be more susceptible to brute force hacking, especially with just a pin, because when encrypted there is no penalty for failed password entry, whereas there is a 30-second penalty when unencrypted using a wrong password after 5 times. Assuming the most precious thing one has on the tablet is logged into their main email account in an app or browser, I feel like I'm choosing between two scenarios, assuming exploits and social engineering would have the same effect regardless of encryption:
If I encrypt, brute-force hacking becomes easier, since there isn't a penalty to repeated failure when in that mode. Once in, they could simply use my browser session token or email app to cause havoc.
If unencrypted, they could in theory read the data off the tablet, but they would have open the device and have hardware to read the data, know how to remove the session or app data, and put it into a virtual environment where they could cause havoc.
Is that a fair assessment of the situation, and if so, I assume the unencrypted scenarios is more difficult to break, at least for email access. Thoughts?
Click to expand...
Click to collapse
Secure the device with ways where you don't bone yourself. You are the most likely to be locked out of the device, not "them" by setting a lock on the device or data. Never, ever encrypt backup data drives!!!
Use the SD card as the data drive; all critical data goes here. Only the apps, DCIM and Download folder go on internal. Do not encrypt SD cards!!!
If you have expandable storage, use it! Get a V30 rated card like Sandisk Extreme. If the phone is dropped/damaged or the OS crashes/burns, the data drive will likely survive. Then regularly backup the card to at least 2 hdds that are physically and electronically isolated from each other and the PC.
Use Android 9 or higher.
Use a good firewall; block any apps that shouldn't need internet service. Examine logs for possible trouble.
Use NextDNS.
Use a good browser like Brave; back out of bad sites, close window, browser, wipe browser cache even data if needed.
Be careful what you install and download. Keep email in the cloud. All downloads go into the Download folder and are open there first before transferring. Scan with Virustotal if appropriate.
Check the Download folder daily for anything you didn't authority; no auto downloads.
Keep trashware off the phone. No social media or sales apps and interactive gaming sites. Interface them by browser login only.
Scan all side loads with Virustotal first and if there's any doubt, don't load it.
Do not allow apps the update if they are running well unless there's a really good reason.
Do not allow Playstore apps to update.
Same goes for the firmware as far as I'm concerned.
Scan with Malwarebytes occasionally. Track down, ID and fix any odd behavior ASAP, never ignore it. If any obvious malware is found do a factory reset if you can't eliminate it completely within a few hours. Zero tolerance. Reset passwords and secure bank accounts etc as required after a factory reset.
This N10+ is still running on Pie, no screen password tap on/off. Last firmware update was 11/2019.
Current load will be 3yo this June. Still fast and stable, no malware in all that time. This device is heavily used and goes all over the internet. Little maintenance or troubleshooting, and very reliable.
This is more or less my plan, it works for me... I use whatever comes in handy.

WoKoschekk said:
Yes, Android 5.1 isn't secure. That's it.
with PIN: A brute force attack will get the correct PIN (without penalty) within a few minutes.
w/o PIN: It depends on speed of the USB port how long it takes to create a raw image of /data.
Click to expand...
Click to collapse
Fire OS is now Android 11. In order to read from the USB port a locked device, they'd have to have an unpatched exploit, correct?

ZombieParade said:
Fire OS is now Android 11. In order to read from the USB port a locked device, they'd have to have an unpatched exploit, correct?
Click to expand...
Click to collapse
Android 11 without forced encryption? It's mandatory for devices shipped with Android 6+.
If /data is unencrypted then you're able to dump the partition by using the EDL mode. It creates an raw ext4 image that can be mounted on every Linux environment.
EDL mode = emergency download mode:
When booting a device the primary bootloader (hardcoded on SoC by CPU manufacturer) verifies the extensible bootloader (part of firmware) to load kernel, ramdisk and so on. If verification should fail, the primary bootloader starts the EDL mode. In this state you can use special tools to flash a new bootloader and you also have access to all partitions.
You can manually start EDL mode by a special key combo or with adb reboot edl or by using test points (contacts on your mainboard).

ZombieParade said:
Fire OS is now Android 11. In order to read from the USB port a locked device, they'd have to have an unpatched exploit, correct?
Click to expand...
Click to collapse
Maybe. Never give someone unfettered physical access to your tab, smartphone, PC, etc unless you trust explicitly.

Depends. if you'd use it like me just for reading ebooks and component datasheets it doesn't really matter if it's encrypted or not. If it's something sensitive i would encrypt it and replace operating system with something more secure than FireOS (i.e LineageOS).

Related

DM_CRYPT kernel required

Hello,
Most tablet owners will store valuable and/or personal files on their tablets. I belive no one wants his data to be stollen, right?
I solved this problem on my laptop using Truecrypt.
However no truecrypt is available for android .
The solution for android is Luks manager (available on the market).
However (again however) in order luks manager to work it requires the kernel to be DM_CRYPT capable.
I have no idea what this is. Just I know a kernel must be compiled in such manner that this to be part of it.
So, is it possible when compiling next kernels to put this in?
Thanks
Why anyone would leave personal and sensitive data on a portable machine is beyond me. Keep it in a secure location and use a secure VPN to access it.
Why anyone would leave sensitive data on a networked device is beyond me.
Sent from my Transformer TF101
Android 3.0 does have device-mapper and dm-crypt baked into the kernel.
It's actually also coded into the OS. See here:
http://bryanhinton.com/android3security
sassafras
encrypting entire tablet vs. secure mounting like Truecrypt
@sassafras_
I read the link and I sent it to the author of Luks Manager - the thing that acts as Truecrypt for android devices.
Here is the discussion on the matter between us:
http://nemesis2.qx.net/forums/index.php/topic,60.0.html
here is the description of his software:
http://nemesis2.qx.net/pages/LUKSManager
I think that Truecrypt conception is much better than encrypting the entire tablet, which I personally find to be clumsy and not useful:
1. You encrypt the entire tablet, that is slow.
2. (More important): You decrypt the tablet when turning it on. On the other hand, with Truecrypt conception you mount the sensitive data when you need it, after that you can unount it. I.e. it is possilble to use the tablet without exposing the data.
@cosine83 & @frosty5689 - Guys, everyone is free to choose the way he keeps senstive data.
@cosine83 - it is a plus to keep whatever you want wherever you wish, provided it is protected, includingly on portable device.
You're asking for someone to make a workaround to a non-problem.
Encrypting the entire tablet is not clumsy - it is built into the OS and is persistent. It takes about two minutes to set it up.
It isn't slow - if you read the entire article you see a 20% speed decrease for reads, and almost no speed penalty for writes. This is slower but certainly not slow.
If you're concerned about security, doesn't it make sense to have a password to work with the tablet? With the built-in solution, you must enter a PIN each time you unlock the device. This is the most secure and minimally intrusive. Much less than mounting an encrypted volume each time you want to interact with sensitive data and then having to unmount it when complete.
sassafras
sassafras_ said:
You're asking for someone to make a workaround to a non-problem.
Encrypting the entire tablet is not clumsy - it is built into the OS and is persistent. It takes about two minutes to set it up.
It isn't slow - if you read the entire article you see a 20% speed decrease for reads, and almost no speed penalty for writes. This is slower but certainly not slow.
If you're concerned about security, doesn't it make sense to have a password to work with the tablet? With the built-in solution, you must enter a PIN each time you unlock the device. This is the most secure and minimally intrusive. Much less than mounting an encrypted volume each time you want to interact with sensitive data and then having to unmount it when complete.
sassafras
Click to expand...
Click to collapse
+1, my tablet is encrypted using Honeycomb's built-in encryption engine, and I have no qualms with performance considering that all data is decrypted on the fly.
sassafras_ said:
If you're concerned about security, doesn't it make sense to have a password to work with the tablet? With the built-in solution, you must enter a PIN each time you unlock the device.
Click to expand...
Click to collapse
How long is the PIN? Does it contain letters? If it's only numbers and short it can be hacked in hours if not minutes.
Also - has anyone tried if HC works with linux encrypted (with DM_CRYPT) external drives? I don't have USB adapter to check it. Hm, or maybe you could encrypt microSD with DM_CRYPT on linux and use it with Transformer?
Magnesus said:
How long is the PIN? Does it contain letters? If it's only numbers and short it can be hacked in hours if not minutes.
Also - has anyone tried if HC works with linux encrypted (with DM_CRYPT) external drives? I don't have USB adapter to check it. Hm, or maybe you could encrypt microSD with DM_CRYPT on linux and use it with Transformer?
Click to expand...
Click to collapse
It doesn't have to be a PIN, mine is protected with a password containing letters and numbers. The only slight concern I have is that for some reason the password itself can't be longer than 16 characters .
misunderstanding
@sassafras_ "You're asking for someone to make a workaround to a non-problem."
You do not understand what I mean, when I say encrypting the entire device is clumsy. I am not talking about speed. I am talking about conception.
I will try to explain once more, please do try to understand, if you want.
I do not want to encrypt the entire tablet. Did you ever use TrueCrypt? It makes a containter. It contains all your valuable files. When you need them you simply supply a password and mount the container to the file system. It appears like device. Encrypting entire tablet is so far from this conception that I am getting very frustrated to explain this again and again.
For example, if your friend wants to check his email on the tablet, if you hand it over he will have access to all your files. Unlike that with the TrueCrypt method you would simply unmount the container and you will be safe to give it whoever you want to.
Have you looked at tasker (non market verion). This has the ability to encrypt folders, there are definitely some issues if stuff is really classified but for what you describe it could work.
Sent from my Transformer TF101 using XDA Premium App

[Q] About forgot password (strange)

(sorry about my chinglish )
So here's how:I locked my nexus10 and forgot the password, and I do not see the "Forgotten" button on the screen and also I didn't turn USB debugging mode on, so is there any possibility I can save my data instead of cleaning them up? Thank you (btw, I deleted the original recover files(because I once booted Ubuntu Touch on it) how can I reset it anyway?) Tanks a lot
EX_RIVER said:
(sorry about my chinglish )
So here's how:I locked my nexus10 and forgot the password, and I do not see the "Forgotten" button on the screen and also I didn't turn USB debugging mode on, so is there any possibility I can save my data instead of cleaning them up? Thank you (btw, I deleted the original recover files(because I once booted Ubuntu Touch on it) how can I reset it anyway?) Tanks a lot
Click to expand...
Click to collapse
If you have TWRP (not sure about Clockworkmod), "Factory Reset" will leave personal files on while clearing settings, custom apps, etc. FORTUNATELY, there is no way to bypass, other than resetting the device, the password for security reasons
dibblebill said:
If you have TWRP (not sure about Clockworkmod), "Factory Reset" will leave personal files on while clearing settings, custom apps, etc. FORTUNATELY, there is no way to bypass, other than resetting the device, the password for security reasons
Click to expand...
Click to collapse
Pretty sure that's not true, strictly speaking. Unless OP is talking about encryption, flashing a new ROM over top will preserve most user data saved on /sdcard (much to my annoyance).
Rirere said:
Pretty sure that's not true, strictly speaking. Unless OP is talking about encryption, flashing a new ROM over top will preserve most user data saved on /sdcard (much to my annoyance).
Click to expand...
Click to collapse
You are correct. I forgot that circumstance. TWRP specifically excludes the data/media area
Sent from my Samsung Galaxy Victory via XDA Developers App
dibblebill said:
You are correct. I forgot that circumstance. TWRP specifically excludes the data/media area
Sent from my Samsung Galaxy Victory via XDA Developers App
Click to expand...
Click to collapse
I mean, it's useful because if you flub a flash you can use a backup, but these recoveries are not secure and aren't designed to be.
EX_RIVER said:
(sorry about my chinglish )
So here's how:I locked my nexus10 and forgot the password, and I do not see the "Forgotten" button on the screen and also I didn't turn USB debugging mode on, so is there any possibility I can save my data instead of cleaning them up? Thank you (btw, I deleted the original recover files(because I once booted Ubuntu Touch on it) how can I reset it anyway?) Tanks a lot
Click to expand...
Click to collapse
USB debugging isn't required for ~all~ USB stuff, so you should try it anyways.
Then, as long as you still know your Google password you can install this to your Nexus, via the web (no log on to device actually needed):
http://www.androidlost.com/
I haven't actually tried or used that program, so cant say 100% it will work on N10 - but "in general" it seems like it should!
:good:
bigmatty said:
USB debugging isn't required for ~all~ USB stuff, so you should try it anyways.
Then, as long as you still know your Google password you can install this to your Nexus, via the web (no log on to device actually needed):
http://www.androidlost.com/
I haven't actually tried or used that program, so cant say 100% it will work on N10 - but "in general" it seems like it should!
:good:
Click to expand...
Click to collapse
I don't know if AndroidLost can unlock a device, and he doesn't seem to have lost it either. Unless an app had root/device admin access, I can't imagine that it would have the privileges necessary to remove authentication from a device (since that seems to be the pinnacle of bad security). Secure Settings + Tasker can do it, but you need to set that up beforehand.
Rirere said:
I don't know if AndroidLost can unlock a device, and he doesn't seem to have lost it either. Unless an app had root/device admin access, I can't imagine that it would have the privileges necessary to remove authentication from a device (since that seems to be the pinnacle of bad security). Secure Settings + Tasker can do it, but you need to set that up beforehand.
Click to expand...
Click to collapse
It says it can:
Lock the phone
You can lock and unlock the phone from the web. If you forget your pincode you can simply overwrite it or remove it from the web
bigmatty said:
It says it can:
Lock the phone
You can lock and unlock the phone from the web. If you forget your pincode you can simply overwrite it or remove it from the web
Click to expand...
Click to collapse
I don't think this means what you think it means (and I could be wrong). Many security apps like avast! offer a similar "locking" functionality, where the normal lockscreen (whatever security it is) is covered by a second lockscreen, superimposed over all system UI elements to prevent access. This lockscreen is controlled by the app, but it will not affect any underlying security (basically, think of it as a replacement lockscreen for security reasons, not much unlike HoloLocker or Go Launcher's lockscreen).
Rirere said:
I don't think this means what you think it means (and I could be wrong). Many security apps like avast! offer a similar "locking" functionality, where the normal lockscreen (whatever security it is) is covered by a second lockscreen, superimposed over all system UI elements to prevent access. This lockscreen is controlled by the app, but it will not affect any underlying security (basically, think of it as a replacement lockscreen for security reasons, not much unlike HoloLocker or Go Launcher's lockscreen).
Click to expand...
Click to collapse
I don't know man, and like I said I've never tried it. But its a super popular app, and has been featured in write ups. On their main page it states that text, as the fifth "main feature" which seems pretty straight forward to mean "the main lock screen"...
bigmatty said:
I don't know man, and like I said I've never tried it. But its a super popular app, and has been featured in write ups. On their main page it states that text, as the fifth "main feature" which seems pretty straight forward to mean "the main lock screen"...
Click to expand...
Click to collapse
No good, sorry. You're right on one count-- I just tested it, and it does interact with the stock lockscreen. Unfortunately, as I said earlier, unless the app is granted root/device admin privileges, no Android app can change the stock lockscreen...and since OP can't get into his device, he can't grant it device admin.
Rirere said:
No good, sorry. You're right on one count-- I just tested it, and it does interact with the stock lockscreen. Unfortunately, as I said earlier, unless the app is granted root/device admin privileges, no Android app can change the stock lockscreen...and since OP can't get into his device, he can't grant it device admin.
Click to expand...
Click to collapse
Nice on the testing! Too bad about the unlock. Perhaps he can still use it to offload his content though.
Did you try to "push" it to your device w/out installing it direct? I have wondered if I should pre-load this app on my devices, but "they" tout its remote-install-ablity, so I somewhat feel like I would not have to pre-install. (But then again, Im always apprehensive of claims that make things seem super easy.)
EDIT: Hmmm.... I see it requires "SMS" to install this on a device via Push - so I guess it NEEDS to be pre-loaded on a N10 if one wishes to use it to retrieve a lost N10, or even use it in this context! Now to decide if I install this or not...
bigmatty said:
Nice on the testing! Too bad about the unlock. Perhaps he can still use it to offload his content though.
Did you try to "push" it to your device w/out installing it direct? I have wondered if I should pre-load this app on my devices, but "they" tout its remote-install-ablity, so I somewhat feel like I would not have to pre-install. (But then again, Im always apprehensive of claims that make things seem super easy.)
Click to expand...
Click to collapse
I installed direct. I use Cerberus (and before that, avast! Anti-Theft) to help secure my devices, but these things are all a game of chance. My advice: completely disregard remote-install abilities. If you're going to use this kind of service, it really doesn't make any sense not to install it yourself, where you can change your preferences (such as install to /system or rename the application) to work for you.
The bigger problem is that, obviously, six hundred million things could go wrong. I noticed that AndroidLost noted that they were using Google to push messages, which indicates that they're using C2DM (unlikely, it's deprecated) or GCM push services, which require your phone being connected to a network (itself a big assumption) that will allow Google's ports to send traffic. This excludes no small number of places, particularly corporate networks (and many schools as well). It also looks like one of the wakeup methods if SMS, which is not only noticeable (to a thief), but potentially may be intercepted by other apps on the phone (such as an alternative SMS app).
The idea is that these apps intercept and delete any command SMS before any other app, but in practice this doesn't always happen. So test your setup before something happens!
Rirere said:
I installed direct. I use Cerberus (and before that, avast! Anti-Theft) to help secure my devices, but these things are all a game of chance. My advice: completely disregard remote-install abilities. If you're going to use this kind of service, it really doesn't make any sense not to install it yourself, where you can change your preferences (such as install to /system or rename the application) to work for you.
The bigger problem is that, obviously, six hundred million things could go wrong. I noticed that AndroidLost noted that they were using Google to push messages, which indicates that they're using C2DM (unlikely, it's deprecated) or GCM push services, which require your phone being connected to a network (itself a big assumption) that will allow Google's ports to send traffic. This excludes no small number of places, particularly corporate networks (and many schools as well). It also looks like one of the wakeup methods if SMS, which is not only noticeable (to a thief), but potentially may be intercepted by other apps on the phone (such as an alternative SMS app).
The idea is that these apps intercept and delete any command SMS before any other app, but in practice this doesn't always happen. So test your setup before something happens!
Click to expand...
Click to collapse
Thanks for the info, I will look into Cerberus. I am assuming you would recommend that as you are currently using it? Do you think its better than AndroidLost, even though you haven't spent as much time w/ AndroidLost?
bigmatty said:
Thanks for the info, I will look into Cerberus. I am assuming you would recommend that as you are currently using it? Do you think its better than AndroidLost, even though you haven't spent as much time w/ AndroidLost?
Click to expand...
Click to collapse
I like it a lot more, but I will admit I personally liked avast! better. Its uncertain future (plus a nice promotion) led me to jump ship to Cerberus. I'd have to play around with it a bit more to be sure though.
Rirere said:
No good, sorry. You're right on one count-- I just tested it, and it does interact with the stock lockscreen. Unfortunately, as I said earlier, unless the app is granted root/device admin privileges, no Android app can change the stock lockscreen...and since OP can't get into his device, he can't grant it device admin.
Click to expand...
Click to collapse
Yep, you're right I can't get root under this situation, thanks a lot I'm trying to figure out how to save my data mow
EX_RIVER said:
Yep, you're right I can't get root under this situation, thanks a lot I'm trying to figure out how to save my data mow
Click to expand...
Click to collapse
It's not root you need per se, it's device admin. But root isn't an easy option for you either, because unlocking your bootloader will hose your data. I also think most of the locked-bootloader exploits require the device to be on and unlocked. If you're signed into your Google account, you should have a fair degree of stuff backed up already-- what sorts of data are you trying to save?
Rirere said:
It's not root you need per se, it's device admin. But root isn't an easy option for you either, because unlocking your bootloader will hose your data. I also think most of the locked-bootloader exploits require the device to be on and unlocked. If you're signed into your Google account, you should have a fair degree of stuff backed up already-- what sorts of data are you trying to save?
Click to expand...
Click to collapse
Mostly..........Photos and videos
EX_RIVER said:
Mostly..........Photos and videos
Click to expand...
Click to collapse
...do you have a Google+ account? Slash have you ever opened the app? If so, you might actually be in luck and your data should have been backed up to your Google+ (or PicasaWeb if you prefer).

Android Security Concerns

I'm hoping someone can point me in the right direction after spending a day reading about mobile phone security. I'm still confused as to what an app can do and how I can limit access. Some answers or a point in the right direction for more information would be helpful.
Apps that are granted permission "Modify/Delete SD Card" can pretty much read/write anything on my device? Could an app go through my sd card and see files, for example, music, movies, other data from different apps; file names/content? I have about 35 apps running on my phone with this access. I'd rather not leave it to "how much I trust the developer" and have some means to limit access to data.
I don't keep national security secrets on my nexus but there is work and personal information that is sensitive and I wouldn't want shared. It looks like if I use android to encrypt my data it only encrypts the /data folder and there doesn't seem to be much in there.
What about securing contact and calendar data? Is this possible? Not as critical as guarding my file data, but still important to me. Thanks.
Yes, files on the external sdcard are not protected, I.e. all apps which have the right to read/write sdcard can read/write everything there. One reason is just the filesystem type: on FAT you don't have access rights. On internal /sdcard it's a bit different, because it's using ext4 as a filesystem, so principally not all apps can read everything, but also here you have the problem that for example the camera, the gallery app, ... need access to the same files and directories. So at the moment you need to trust the apps in a certain way or not to install it at all.
Sent from my Nexus 7 using xda app-developers app
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. The best bet is as you already suggested, that is to be smart about where you browse the net, and only install trusted apps. Always think twice and review permissions carefully for any app even if it's from the Play Store.
And don't forget encryption only works similar to a house door. It's only good if you keep it locked. But if you let the bad guys into your house (i.e., installing a naughty app), it doesn't protect you much. It only keeps them out so long as you don't let them in (physical access). P.S. I'm assuming you're talking about the stock android encryption not actually having individual encrypted files on your device if not then ignore this paragraph (although I'm sure some will disagree that even having SHA-512 AES encrypted files with a extremely complex and long passwords is still not enough to protect data once a malicious user gets their hands on that file.)
Even on the internal SD card, it looks like once I give an app access to "modify/delete" the entire sd card is exposed; did I understand that correctly? It looks like grant access to everything or nothing.
After reading this:
http://appanalysis.org/
It seems that even trusted developers can't be trusted. I don't consider myself a novice user but I'm really surprised at how exposed the data is on phones and tablets. Its like leaving money on your front porch and hoping it isn't too tempting for someone to walk though a broken gate and grab.
Any idea what WP, iOS or BB10 offer in the way of data protection?
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. /QUOTE]
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Click to expand...
Click to collapse
mgerbasio said:
TheAltruistic said:
While it is difficult for someone with limited tech experience, it is plausible to protect your data with measures like XPrivacy or PDroid.
However, if you're looking for an answer without jumping through a few technical hoops, there aren't many good ones unfortunately. /QUOTE]
XPrivacy looks good, might be worth rooting for that app.
I'm not as concerned with an app downloading files and using a high level attack on my data. I am concerned about an app where the developer decides to go through my contacts, photos, and files which are unlocked and easily viewed. Then sell the data to whomever that can do whatever. No effort required, no ability to know the data was even accessed and no ability to lock the data. I think like most things, if there is more than a slight effort needed to access the data, they'll move on to something else.
I see Google offers encryption but I can't find information on exactly what is encrypted and if I install an app with say permission to contacts does that give them encrypted access to all contacts? For example, a program that can add a contact via sms I don't want to allow it to read all my contacts, just add a new one.
Maybe Android isn't the right platform for me.
Click to expand...
Click to collapse
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
As far as I know, and I'm assuming we're talking about the same thing, the type of encryption Android offers only prevents people from gaining unauthorized access to your data if your device is mounted or accessed when your lock screen is up. (I'm sure someone will correct me if I'm wrong--please do). But if your device is not password protected (e.g., you set lock password to lock every hour and they get it when it's unlocked) then your data can potentially be compromised.
This encryption does not, however, protect your data as you're browsing the internet, or running apps like facebook.
If you're looking for something to protect your data from say facebook finding your GPS location without your permission, or accessing your contacts and doing God knows what with it, then XPrivacy and PDroid (links above) is your answer, and I'd say that's awesome.
I may not play around with an iPhone / iOS enough, but I'm confident enough to say that they don't offer the same privacy protection even from Cydia that you can get from communities like here on XDA. Perhaps for iOS users, ignorance is bliss?
Click to expand...
Click to collapse
TheAltruistic said:
mgerbasio said:
Heh don't give up. To be honest at least android tells you when it grants a program certain permissions unlike some other OSes where you're in the dark in terms of security.
Click to expand...
Click to collapse
Thanks again. I appreciate the comments.
All I'm really looking to do is prevent an app downloading all my contacts, photos, movies, files, etc. I have some work data on my tablet that isn't confidential but it is what I would call sensitive. Actually, I rarely use external memory, mostly just use in internal sd card.
It seems all the "good apps" grab more permissions than they need or, the permission they do need to operate gives them way more access than I'd like. I'm not so concerned that I'd start using Tor or duckduckgo, but just trusting a developer with an open door to data is more than I can to leave to chance.
From what I've been reading the sandboxing in iOS and WP provide good security and in BB you can remove permissions from apps; BB10 is still the most secure if you can believe the internet articles. I'd like to see Google make it more clear as to what encryption actually allows and prevents.
There seems to be apps that button up a lot of holes, like photos, but there still are gaping holes.
Click to expand...
Click to collapse
Hi guys,
Any progress? I use PDroid on my smartphone and find it unnerving to see how much and how often data is accessed not only by third party apps but by Google itself. With PDroid you can restrict permissions without bricking the app because it can provide fake data rather than none. I have to say that I am not entirely happy with it though. I hope that Firefox OS will have success in stopping the appification of our devices. Data wise, it is much safer to use web-based services than app-based services.
I think Google's Android is so successful with developers (also) because they can gather so much data. Our smartphones are unfortunately "data gold mines" for the ICT industry.
If you have any progress in improving privacy, safety and security of the Nexus 7 than I'd be happy to read about it.

Encryption - Is it complete storage encryption?

Sorry if this is a completely nonsensical and stupid question but I wanted to make sure on how encryption with Android 6 works. Because I thought I had read somewhere that encryption is only done on certain parts but not others such as System partition. Of course, I could be completely wrong about what I thought I read.
And yes... I'm not completely crazy and I know it's called "Full Disk Encryption" for a reason. I think I'm just paranoid. Even the Android page description uses the terms "all user created data... " is encrypted. So, part of me was wondering why they emphasize the "user created" part.
Also, wondering how much effect, if any, an unlocked bootloader and rooting has
I just want to make sure that, for example, if I put my keepass database on my phone, that I don't have to worry. Thanks!
mattkroeder said:
Sorry if this is a completely nonsensical and stupid question but I wanted to make sure on how encryption with Android 6 works. Because I thought I had read somewhere that encryption is only done on certain parts but not others such as System partition. Of course, I could be completely wrong about what I thought I read.
And yes... I'm not completely crazy and I know it's called "Full Disk Encryption" for a reason. I think I'm just paranoid. Even the Android page description uses the terms "all user created data... " is encrypted. So, part of me was wondering why they emphasize the "user created" part.
Also, wondering how much effect, if any, an unlocked bootloader and rooting has
I just want to make sure that, for example, if I put my keepass database on my phone, that I don't have to worry. Thanks!
Click to expand...
Click to collapse
Well, that's a pretty good question.
My assumption is that it is just the user data that is indeed encrypted, and not anything in the system partition.
Why would the system partition need encryption? It is supposed to be left alone, and only accessible by certain apps that Google grants such access.
As to your KeePass database, it seems that it is always encrypted, irrespective of whether your device is encrypted.
That stated, you'd probably be better off leaving encryption enabled rather than decrypting your device, especially if you're the least bit concerned about it.
Rooting your device and data encryption are discrete issues, and therefore seem to be separate security concerns; ie, rooting and unlocking your bootloader opens your system partition to meddling, hopefully by you and no one else, while encryption keeps all of your data on your device encrypted unless someone has your password, pin or pattern unlock.
Ultimately all of this is about choice.
Sent from My Nexus 6P, #WhiteUIsMustDie, #EndDarkAppOppression
Thank you for taking the time to answer my question. I thought it may have been a dumb question because considering it is called 'Full Disk Encryption", I thought maybe it should have been obvious.
True, KeePass is already encrypted but it's nice to know the storage medium it is on is encrypted as well.
I'm definitely leaving encryption enabled. Thanks again.

ENCRYPTION and selling my phone.

Currently I have an S7 Edge, but my companies IT is supplying everyone with iPhones since it was too hard to juggle so many different phones. Well as much as I love Android, I don't want to carry 2 phones around everywhere lol, so I was thinking about selling it as it was mine to begin with and the company just paid my phone bill. IT at work just said factory reset it and you're good to sell, but idk they don't seem like the brightest bulbs.
My work involves a good deal of private information from my clients. So my phone is full of photos, texts, emails, pdfs, etc... of things that my clients would probably be extremely angry about if it got out.
Is there anyway to wipe this phone 100% clean with 0% chance of anything being recovered by anyone?
I saw this review article quote:
I asked Samsung if these new phones were encrypted, like the iPhone (most Android phones aren’t.) Referring to both models, the company said: "Default encryption is turned on for Galaxy S7. Samsung cannot decrypt the user’s encrypted phones. The encryption key is randomly generated for each user and the key is protected with the user’s password."
According to that, it sounds like Samsung themselves couldn't even get my data after I factory reset? Is this true? What exactly do I need to do to get to this point?
I'm not sure what this encryption key is and user password? Is user password just your lockscreen pin?
Reason why I'm worried is I remember people always saying if you delete something its gone! Well I remember 10 years ago my mom formatted her camera SD card on accident and all it took was me hooking it up and googling a free recovery program and BAM I had all the photos back. I imagine technology has advanced ten fold since then. I don't want someone rooting my phone and getting some super program and next thing I know my personal information is out there.
Thanks!
wipe the operating system.
reinstall new operating system with odin or if you have an sd card using stock recovery. make sure that you do not reinstall your gmail account to prevent auto recovery.
Cosmic Blue said:
wipe the operating system.
reinstall new operating system with odin or if you have an sd card using stock recovery. make sure that you do not reinstall your gmail account to prevent auto recovery.
Click to expand...
Click to collapse
I do have an SD card. But I'm not sure about anything you said. Is it possible for you to make a guide for me?
which model of do you have.
?
I will point out the correct rom to copy to your sd card and/or computer.
Do you know anything about flashing a phone at all ?
This is what i usually do.
a. delete all files in internal memory with myfiles/any file explorer
b. delete your google account via settings
c. factory reset your device.
that will do.
A factory reset wipes your pin / pattern / password so that in itself makes the encryption key useless even if you use the same pin / pattern / password. Without that key you can still recover files but it will take hundreds of years to break the encryption.
You may see stories like the FBI breaking encryption but thats not strictly true. They break the unlock system which gives them access to the encryption key which decrypts the data.
Safe to say a factory reset will do the job nicely and if you are in the UK, you will be okay under the Data Protection Act as youve done all YOU can to secure the data from recovery. Its up to your IT tech to make sure you are compliant, especially with Bring Your Own Devices policies so any fallback should be on them.
I would question why you havent mentioned Knox as thats like a safe within a safe and you IT tech should be employing it if they let you use BYOD!
Just note that your clients security is only as secure as your password as if anyone gets hold of that password then they have free rein to your files. You did mention a pin code which i hope you will update to a password asap!!
There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code.
Click to expand...
Click to collapse
36×36×36×36=1679616 distinct passwords of length 4
Click to expand...
Click to collapse
As you can see, a pin has much less combinations than a password and passwords can be even more secure the longer they are and if you include special characters like @ # * etc. Here is a site which you can use to test how easy it would be to crack your pin or password: https://password.kaspersky.com/
My pin would take 15 minutes to crack, my password would take 33 centuries
Sources:
https://password.kaspersky.com/
http://www.datagenetics.com/blog/september32012/
http://math.stackexchange.com/quest...-digits-0-9-how-many-combinations-are-possibl

Resources