[phyllapine]

In light of recent court decisions concerning mobile phone searches, I am looking for information on file encryption technologies for the Android OS. Does anyone here have any first-hand experience with free or reasonably priced encryption that works well on this platform? Google returns a lot of obscure/sketchy looking results. I'm not sure which apps to trust.

 

[sirkut]

In light of recent court decisions concerning mobile phone searches, I am looking for information on file encryption technologies for the Android OS. Does anyone here have any first-hand experience with free or reasonably priced encryption that works well on this platform? Google returns a lot of obscure/sketchy looking results. I'm not sure which apps to trust.

Encryption for what application? Storing files? Text Messages? etc?

 

[dcannon1]

I highly doubt you'll find anything worthwhile. If it's a commercial application and some govt body wanted access, all they would have to do is subpoena the company that made the app for their encryption scheme.

To be truly protected you would need to come up with a one of a kind encryption scheme that was very strong and only you had the decryption scheme.

However, even that isn't practical. You would have to encode/decode your data every time you wanted to access it, which would equal very poor performance.

You could just enable the android lock screen where you have to swipe it in sequence to unlock it. That would give you some level of protection.

 

[AMD]

In light of recent court decisions concerning mobile phone searches, I am looking for information on file encryption technologies for the Android OS. Does anyone here have any first-hand experience with free or reasonably priced encryption that works well on this platform? Google returns a lot of obscure/sketchy looking results. I'm not sure which apps to trust.

You raise a good point. I've used TrueCrypt in the past for my thumb drive and PC's and it works very very well. I'm going to research that.

 

[Puffyfish]

That law was in Commiefornia. Not here.
I'm insured I'll just smash mine to bits if I had to. Grab a new one, no problems.
Also if the battery is missing, well....

 

[phyllapine]

The screen lock is a good first step but can be easily defeated by removing the SD card and mounting the file system in a PC card reader. Is there a way to encrypt the SD card so that only the android device has the encryption keys thus making the SD card useless outside of the phone.?

 

[moga]

That law was in Commiefornia. Not here.

Agreed. As I recall, the decision was reached in the Kommiefornia Supreme Court. I don't believer the decisions of that judge is binding on any legal cases but those deliberated in his/her state.

 

[kkennett]

The screen lock is a good first step but can be easily defeated by removing the SD card and mounting the file system in a PC card reader. Is there a way to encrypt the SD card so that only the android device has the encryption keys thus making the SD card useless outside of the phone.?

This may not fall within the bounds of even that silly court decision. A search incident to arrest, even given this decision and in my opinion, would not cover taking out an SD card, mounting it in a different device, and manually browsing the files.

 

[spector]

http://www.lifehacker.com.au/2011/01/ho ... martphone/

http://gizmodo.com/5547858/encrypt-call ... droid-apps

http://www.hacker10.com/tag/android-aes-encryption/

Start with a good swipe pattern or password. Also look at mobile defender. Perhaps you could teach one of your friends how to do a remote wipe in the event of your "absence" for a couple of days :wink:

You can also sync android with dropbox and secure that with a good password. Dropbox can also be encrypted at the PC level and they are working on dropbox encryption between phone and PC. Should be coming soon. Open source, ftw.

 

[frankr]

...To be truly protected you would need to come up with a one of a kind encryption scheme that was very strong and only you had the decryption scheme....

Your statement is completely untrue.

It is a terrible idea, from a security standpoint, to come up with your own encryption scheme.

The strongest cryptographic systems must be open source and peer-reviewed to be trusted. It should always be assumed that the adversary knows everything about the scheme. The key is what has to be kept secret. Everything else is public. When passwords are used, they must be of sufficient length and entropy to withstand cracking attempts for a long time.

 

[frankr]

Android has public key and symmetric key crypto support through the SSL library
http://developer.android.com/reference/ ... descr.html.

Despite the implications of its name, the SSL routines can be used to protect data not only for transit across the network but also for storage.

However, this support would have to be worked into individual Android applications to secure their data from forensics.

I do not know that a full-disk encryption scheme is available for a non-rooted device. Android is built on top of Linux, which does have encrypted partition support:
http://encryptionhowto.sourceforge.net/ ... WTO-4.html

 

[sirkut]

http://www.lifehacker.com.au/2011/01/how-to-secure-your-smartphone/

http://gizmodo.com/5547858/encrypt-call ... droid-apps

http://www.hacker10.com/tag/android-aes-encryption/

Start with a good swipe pattern or password. Also look at mobile defender. Perhaps you could teach one of your friends how to do a remote wipe in the event of your "absence" for a couple of days :wink:

You can also sync android with dropbox and secure that with a good password. Dropbox can also be encrypted at the PC level and they are working on dropbox encryption between phone and PC. Should be coming soon. Open source, ftw.

With a custom rom (I'm using Cyanogenmod) you can assign any sort of gesture swipe as your unlock pattern. Swirly S, figure 8, whatever. Beats using the connect the dots method. Makes it harder to figure out.

 

[madamimadam]

http://www.lifehacker.com.au/2011/01/how-to-secure-your-smartphone/

http://gizmodo.com/5547858/encrypt-call ... droid-apps

http://www.hacker10.com/tag/android-aes-encryption/

Start with a good swipe pattern or password. Also look at mobile defender. Perhaps you could teach one of your friends how to do a remote wipe in the event of your "absence" for a couple of days :wink:

You can also sync android with dropbox and secure that with a good password. Dropbox can also be encrypted at the PC level and they are working on dropbox encryption between phone and PC. Should be coming soon. Open source, ftw.

With a custom rom (I'm using Cyanogenmod) you can assign any sort of gesture swipe as your unlock pattern. Swirly S, figure 8, whatever. Beats using the connect the dots method. Makes it harder to figure out.

your paddling upriver

http://androidvoid.wordpress.com/2009/0 ... -and-luks/

After a bit of work, I was able to build and run cryptsetup successfully, but it complained about the backend not being available. Unfortunately I hadn’t had much time to work on it until now. The final work on this was all done on Cyanogen

 

[spector]

I'll have to check out cyanogen. I'm using *****'s Mod right now and really like it.

The point is, OP, there are lots of ways to secure your android. Keep an eye on the android forums and websites such as lifehacker which are good at posting comprehensive how-tos for stuff like you are asking. The technology is still at that point where lots of disparate people know how to do it, and you can do it if you try hard enough, but you'll have to wait a little bit if you want to be walked through the process (and I don't blame you, it's complicated).

For now, focus on basic security stuff (strong passwords, remote wipe/off-site backup, etc) and that should keep ya safe from most prying eyes.

 

[psrumors]

Locks (screen swipes) will not keep anyone out. The units (Cellebite) used to transfer contacts and such at your local wireless store will bypass any lock you have on the phone, even with a custom ROM. These units are available to law enforcement agencies and more and more are making use of them. We have supplied quite a few to various agencies in GA and Alabama.

 

[sirkut]

Locks (screen swipes) will not keep anyone out. The units (Cellebite) used to transfer contacts and such at your local wireless store will bypass any lock you have on the phone, even with a custom ROM. These units are available to law enforcement agencies and more and more are making use of them. We have supplied quite a few to various agencies in GA and Alabama.

Now that is certainly interesting. I've seen Cellebrite mentioned before.

 

[psrumors]

Locks (screen swipes) will not keep anyone out. The units (Cellebite) used to transfer contacts and such at your local wireless store will bypass any lock you have on the phone, even with a custom ROM. These units are available to law enforcement agencies and more and more are making use of them. We have supplied quite a few to various agencies in GA and Alabama.

Now that is certainly interesting. I've seen Cellebrite mentioned before.

I have played with 'em a few times. Very powerful machines. They are only available to wireless service providers and law enforcement.

http://www.cellebrite.com/

CELLEBRITE UNIVERSAL FORENSICS EXTRACTION DEVICE (UFED)
Fast and secure mobile data extraction and analysis from mobile phones and GPS
Based on cellebrite’s expertise in data extraction technology, the mobile forensics products perform both logical and physical data extraction, including recovery of deleted messages and content.

With more than a decade of experience in mobile data technologies, cellebrite provides the widest coverage available in the market today. The UFED family of products is able to extract and analyze data from more than 3000 phones, including smartphones and GPS devices.

Designed for portability, the cellebrite UFED solution is a stand-alone device that can be used either in the field or at the lab.

The most complete mobile forensics experience, cellebrite's UFED is in use at military, law enforcement, and government agencies across the world.

 

[phyllapine]

Good discussion. Thanks for all the thoughtful input. My biggest concern is not so much about focused, intensive investigations with forensics techs and subpoenas. They would just be wasting their time; I'm not that interesting. My goal is to make the data inaccessible to the average thief/LEO/TSA agent etc.

 

[spector]

Good discussion. Thanks for all the thoughtful input. My biggest concern is not so much about focused, intensive investigations with forensics techs and subpoenas. They would just be wasting their time; I'm not that interesting. My goal is to make the data inaccessible to the average thief/LEO/TSA agent etc.

Exactly. If someone really wants the data they'll get it. A good password and such goes a long way in preventing casual thieves and such from poking around.

Just saw this today on lifehacker:
http://lifehacker.com/5727548/wallet-se ... roid-phone

*data encryption app for personal data*

If you don't have lifehacker on your RSS feed you should -- great site.

 

[frankr]

There is an XKCD cartoon that explains security risk environment around encrypted computers/cell phones pretty well:

http://xkcd.com/538/

I hear the Chinese are especially adept at rubber hose cryptanalysis ;-) In the United Kingdom, they lock you away in prison for 5 years for refusing to disclose a password. In the US, it is up in the air right now if a defendant can be compelled to disclose a password despite the 5th amendment.

From Mr. Volok:
http://volokh.com/archives/archive_2007 ... 1197763604