Sunday, August 19, 2012

Android and Disk Encryption

Beginning with Android 3.0 (Honeycomb), Android includes the ability to transparently encrypt your phone's storage using the phone's settings. Internally, this works by using dm-crypt — just like every other Linux distro out there. But what I found intriguing about this was that it only allows you to encrypt your phone if you use either a password or a numeric pin to lock your phone.

This means that the password/pin is shared between the screen lock and dm-crypt. This has a number of consequences which I'll talk about below.

Now, I understand why this is the default behaviour. Most users rarely, if ever, reboot their phones, and so if the phone has a (separate) passphrase for dm-crypt, we'll see users flooding service centres to get their phone "un-bricked" because they forgot they even had a passphrase.

What surprises me is that there's no stock method to set a different passphrase for dm-crypt. Even CyanogenMod doesn't have this feature built-in. The only easy-to-use way I know to do this is by using the Cryptfs Password app (Disclaimer: I haven't actually tried the app itself, so I can make no guarantees about it).

What also surprises me is that Android accepts pin numbers as dm-crypt passphrases, but not lock patterns! This decision makes little sense to me. Pattern locks are almost equivalent to pin numbers because as can be seen below, your pattern lock directly corresponds to a number.

I say almost equivalent because from each node on that grid, you can only access adjacent nodes to create patterns, and this reduces the number pattern space by a bit (and there's no zero). But if this is a problem, then pin numbers shouldn't be allowed either since a numeric passphrase is trivial to crack— as anyone silly enough to use a numeric bicycle lock has found to great distress.

And even if the screen lock is set using a password, the user is extremely unlikely to use anything but a trivial password for securing a screen that they unlock tens of times a day. This again means that the passphrase would be ridiculously easy to brute-force if the attacker has physical access to the phone.

The level of security for a screen lock is just massively different from the level of security suitable for full-disk encryption. It's really good that the groundwork for this feature has been done, but as it stands the feature is mostly pointless.

PS: The phone wallpaper in the screenshot was brought to you by, Pattrn!


Anonymous said... really don't know anything about security, do you? You're just spouting random stuff from the internet, but put together in the wrong way.

Bicycle locks with pin codes do not get brute forced. Some of the locks are vulnerable to bypass, but no thief ever stood and rotated the pins for 10000 combinations (4 digit) manually. "as anyone silly enough to use a numeric bicycle lock has found to great distress" - citation needed if I ever saw one.

Same thing with phones. Have you actually *tried* to brute force the pin of a phone? Try it, oh I don't know, three times or so? Then get back here.

But the biggest thing is that you think that users should enter two pin codes for each login? Or just when booting the phone? Can't tell which. In case one it's a usability nightmare that doesn't really make any practical sense (if you ACTUALLY have the needs for this level of security, as opposed to playing a security guy in the internet, you're running something that just takes a much better pass code). If it's the second, that extra stage is basically useless for all practical purposes except maybe airline travel - and then, see point one.

Reading Scheiner's blog is not enough. Dude.

Nirbheek said...

Dear Anonymous Coward,

First off, good lord you're angry —

Now, about your comment itself. Since in your eagerness to prove someone on the internet wrong you didn't stop and think, I'll have to do your thinking for you.

1) The comment about bicycle locks was a joke.

2) Have you tried to brute-force dm-crypt passphrases (or any passwords for that matter)? 10000 combinations get done within minutes if not seconds.

3) Did you see me suggest a solution for the problem? Why are you insulting both our intelligences by setting up strawmen solutions to topple down with your wondrous arguments?

4) What makes you think I even read Scheiner's blog? :D

To be honest, I don't know why you're so angry. Do you have problems in the household or your daily life? ;)

Anonymous said...

"I say almost equivalent because from each node on that grid, you can only access adjacent nodes to create patterns"

Tiny nit: this isn't strictly true. You can access any other node that's in unobstructed line-of-sight, which includes more than just adjacent. From 5, obviously, you can reach anything. From any other non-corner node, you can reach every other node except the one directly opposite: you can go from 4 to 3 and 9, but not 6. From corner nodes, you can access any non-corner node, but no corners (so from 7, you can get to 2 and 6 as well as the neighbours, but not 1, 3 or 9).

People rarely use these non-neighbour links, but android *does* accept them (they can be a pain to draw, though, without accidentally hitting a neighbour on the way by).

Nirbheek said...


You're absolutely right. It requires some precision, but it can be done.

Thanks for pointing it out!