Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Android Encryption Security

Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption 91

MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping but most should follow this convention just fine.
This discussion has been archived. No new comments can be posted.

Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption

Comments Filter:
  • Is the a public booth around here ? -- Richard Stallman
  • Free space (Score:4, Insightful)

    by narced ( 1078877 ) on Sunday July 13, 2014 @08:48AM (#47442375) Journal
    What is not addressed is whether or not this wipes the free space as well. Recovering deleted files is easy, and if the encryption doesn't fill the device then encrypt then this trick can leave some stuff behind.
    • This also ignores the fact that once a phone is fully encrypted, Android does not support un-encrypting it. Believe me, I know. I encrypted my phone and the only way to un-encrypt it, even according to the experts, was to do a restore from a bit-by-bit "nandroid" backup from before the encryption.
      • by tlhIngan ( 30335 )

        This also ignores the fact that once a phone is fully encrypted, Android does not support un-encrypting it. Believe me, I know. I encrypted my phone and the only way to un-encrypt it, even according to the experts, was to do a restore from a bit-by-bit "nandroid" backup from before the encryption.

        That's the point.

        The point is not to enable encryption for day-to-day use of your phone (because Android forces you to have a PIN or password at a minimum, no more facial recognition), and given how inconvenient th

    • by Andy Dodd ( 701 )

      Android encryption is done on a partition basis - so the entire partition is going to get clobbered by the encryption process.

      The only way data might "leak" out of this is if the eMMC wear leveller saves off the information somewhere - but this requires a pretty sophisticated attacker to recover. Also, Android's wiping facility has done an eMMC secure erase since ICS (exception - Samsung Galaxy S2 family does either a standard format or a nonsecure erase, since firing a secure erase at Samsung's defective

  • 1 pass with 0xff
    5 random passes. /dev/urandom is used for a secure RNG if available.
    27 passes with special values defined by Peter Gutmann.
    Rename the file to a random value
    Truncate the file

    viola ! .. no more naked selfies
    • by Anonymous Coward

      viola

      I do not think this word means what you think it means.

    • Re:srm -v -z (Score:5, Insightful)

      by wiredlogic ( 135348 ) on Sunday July 13, 2014 @10:15AM (#47442733)

      The "special values" were from Guttmann's paper on wiping MFM/RLL drives. It is pointless on any modern magnetic drive or solid state memory. He points out in his newer paper on solid-state memories that multi-level flash (now used everywhere other than the most performance critical applications) is particularly hard to recover data from. Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction. You're just practicing cult cargo voodoo.

      • Re:srm -v -z (Score:4, Interesting)

        by Immerman ( 2627577 ) on Sunday July 13, 2014 @10:47AM (#47442879)

        >Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction.

        Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.

        I don't know that I'd trust it to wipe vital military secrets, but it should do a good enough job for most anything in the civilian realm.

        • by plover ( 150551 )

          Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Guttmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.

          If you were an engineer in charge of destroying data printed on paper, and you decided on shred then burn then stir the ashes in water, how many times would you repeat the cycle in order to be sure the data was destroyed? Hint: if your recommendation is greater than one (in order to be pretty sure), check your job title, because you're probably Dilbert's pointy-haired boss.

          Drives today work almost nothing like the drives of 20 years ago. They don't paint bit-bit-bit in a stripe, they encode a set of bits in

          • Re:srm -v -z (Score:4, Informative)

            by Immerman ( 2627577 ) on Sunday July 13, 2014 @02:22PM (#47444069)

            Not quite - modern magnetic drives still have tracks wider than the read-write head so that atomic-level alignment isn't necessary. There may be far less "overwrite" than there once was, but if a newly recorded track is not *perfectly* aligned with the last recording then there may well be several percent of the previously recorded track that remains unaltered (consider the worst case scenario case that the previous recording in this track was written at the smallest radius allowed by actuator tolerances, while this pass is at the maximum radius allowed). Now, recovering that data will probably require removing the platters and analyzing them with much higher resolution read heads, but it can be done.

            I was more addressing the problems with flash though - in order to disguise degradation modern flash drives typically include more capacity than is addressable by the host system. Fill it to the brim so there are zero bytes free, and there's still several percent of the total drive capacity that is sitting unused in the reserve pool. The only way to overwrite that (barring a OS-accessible "secure wipe" command implemented on the drive) is to generate sufficient churn that the internal wear leveling algorithms cycle through every byte of the reserve capacity at least once. And since you probably don't know the exact algorithm used or wear levels of the drive to begin with, more is better - after all you have to tease out the most heavily used page currently sitting in the reserve.

    • This is not required.
      https://security.web.cern.ch/s... [web.cern.ch] is relevant.
      This actually investigates the physics behind overwriting - in short - once is quite enough today.

      There are concerns about reallocated space on hard disks - but 99.99% of the data has gone
      away, and recovering the rest is at best expensive.

  • It's just too bad that it makes your android device run like complete sh!t.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Sunday July 13, 2014 @09:10AM (#47442485)
    Comment removed based on user account deletion
    • Yes, of course it will not be encrypting "empty" sections of the hard drive. So who knows what it is leaving unencrypted. It also would not prevent any method that cracks encryption. Also, since we all know that recovering deleted files is trivial, it would be possible to get back the deleted encryption key.....
    • by Anonymous Coward on Sunday July 13, 2014 @09:55AM (#47442659)

      According to the android documentation it is full-disk encryption [android.com] based on dm-crypt.

      • by Anonymous Coward

        Who gives a shit what the documentation says. Actual implementation is what matters. Do you really trust a mobile platform to be faithful to the documentation when you're trying to wipe a partition (which could easily be implemented directly but isn't) by first encrypting all data and then throwing away the key? Various recoveries silently switched from imaging to archiving for their backup functions (and then fail to restore because they don't handle all aspects of the filesystem), and even though they off

        • by swillden ( 191260 ) <shawn-ds@willden.org> on Sunday July 13, 2014 @04:55PM (#47444869) Journal

          Who gives a shit what the documentation says. Actual implementation is what matters.

          Absolutely. So, look at the source: https://android.googlesource.c... [googlesource.com]

          That file contains the code that generates the master key, derives the key encryption key used to protect it (using scrypt), stores the protected master key, and configures dm_crypt with the master key.

          Some functions to look at:

          - create_encrypted_random_key(), which creates the master key (reading from /dev/urandom).
          - encrypt_master_key(), which derives a KEK from your password and uses it to encrypt the master key.
          - decrypt_master_key(), which does the reverse.
          - create_crypto_blk_dev(), which creates dm_crypt block device.
          - cryptfs_setup_volume(), which mounts an encrypted block device.
          - cryptfs_enable_inplace(), which encrypts an existing file system.

          Do you really trust a mobile platform to be faithful to the documentation when you're trying to wipe a partition (which could easily be implemented directly but isn't) by first encrypting all data and then throwing away the key?

          The device doesn't know you're trying to wipe. It knows that you (a) requested full disk encryption and then later (b) requested a wipe. So it can't optimize (a) away. I suppose it's possible it could just lie and tell you "Yep, I'm encrypting" even though it isn't, but that's the sort of thing that would definitely get noticed by security analysts and gleefully published.

  • by retroworks ( 652802 ) on Sunday July 13, 2014 @09:16AM (#47442499) Homepage Journal

    It's well established that plenty of consumers discard or donate hard disks without taking any precautions, and are playing roulette with their identity. It's also well established that hundreds of millions of tons of this equipment is replaced, resold, stolen or discarded, and most people who wind up with the secondary device lack either the time, money, or effort to scavenge data off the phone. If in fact someone is in the identity theft business by buying phones on ebay, they'd profile themselves pretty well after a dozen phone purchases (what do these data-theft-victims have in common?). And who knows how many phones they'd have to buy which had been wiped in some way (and required more time, money and effort)?

    This isn't a bad article in that it birddogs simple things you can do before selling your used phone, and if it elevates the perception of risk in order to get people to do something easy, that's appropriate. But in response to people who are shooting and burning their devices to be "100% sure" that no one spends the time, money and effort to follow them... that's appropriate if you are a high risk target. If you have stuff on your phone of interest to the FBI or KGB, the amount of time+money+effort may be less than or = the amount of risk. Your call.

    But there is a lot of hyperbole out there about the percentage of identity theft which is traced to secondary market devices, and the billions of dollars in secondary market sales on sites like ebay represent time+money+effort interest in new product makers to spend fanning flames. Again it's appropriate that the article raises concerns and then points to simple efforts a consumer can take to increase the barrier-to-entry to their personal data. But the army of ebay buyers getting their porn fixes by buying and then de-encrypting cell phones to retrieve ugly selfies seems exaggerated. Warn people about sharks if they are swimming in shark infested waters, don't tell people that most swimmers will be attacked by sharks.

    Tear your mail in 8 pieces and someone could dig it out of the trash and tape it together, but the time+money+effort that represents is significant. I remember people selling paper shredding equipment in the 1990s who described armies of Iranian students or Chinese peasants who could be buying torn paper and taping it back together. If they know it's the President of the USA's mail, they no doubt will expend that time+money+effort... Presidents should assume they are swimming in a shark tank. For most of us, ebay resales are a swimming pool, and warnings of shark attacks get tiresome.

  • by itsme1234 ( 199680 ) on Sunday July 13, 2014 @09:37AM (#47442573)

    Last time I checked the standard Android encryption will not do the sdcard partition (I mean not the physical card, but the partition on the internal flash, usually the biggest chunk of it, like let's say 11 out of 16GB). YES, some manufacturers like Samsung and Motorola (possibly many more) have their own solution (I bet a really crappy one but never mind that) and it would do mostly everything, including the big sdcard partition and (if needed) even the physical sdcard.

    Anyway bottom line is that:

    a. depending on the phone you might not be able to encrypt at all /sdcard
    b. ANY activity, including storing random (non-private) crap on the phone and then removing it helps. However, this is no maggic bullet.

    • Last time I checked the standard Android encryption will not do the sdcard partition (I mean not the physical card, but the partition on the internal flash, usually the biggest chunk of it, like let's say 11 out of 16GB).

      I'm pretty sure that's not true, because it would make device encryption pretty much useless. A glance at the code certainly appears to show that it encrypts all volumes, but maybe /sdcard somehow gets excluded from the list? I'll ask my colleague, who "owns" disk encryption for Android at Google, tomorrow and post a followup.

      I'll also note that none of the devices I have handy (Galaxy Nexus, Nexus 4, Nexus 5, Nexus 7 1st & 2nd gen, Nexus 10, Moto X, Moto RAZR M, Samsung Note 2) even have an /sdcard p

  • How many times does it overwrite the files?
    • by ledow ( 319597 )

      Doesn't really matter - nobody has ever successfully recovered information from magnetic history like that.

      There was a $1m prize for nearly a decade and not one "recovery" company could claim it.

      Once a bit on a magnetic / solid state device is overwritten, that's your lot. Now, whether you overwrite ALL bits or not (e.g. reserved areas, replacement sectors, etc.) is another question entirely.

      • Really, so why does everyone suggest overwriting things like 6/8 times? Just to future proof it?
        • Simple: the need of multiple passes has just been a myth. People thought that it would be necessary, but it has now been proven that it isn't so.
          • My understanding is that in the old days of 20mb hard drives, storage densities were sufficiently low that even after one pass someone might be able to recover the data with at least some degree of fidelity. Once we entered the world of gigabyte drives, densities are so high that it's all but impossible to recover any data after even a single pass wipe

        • by lgw ( 121541 )

          Back in the days of MFM drives (and the previous decades), is was needed. But that was because there was space on the media that wasn't actively used for bits, and so would leave traces. Such waste was eliminated long ago in the quest for ever-larger drives.

          • There is still a gap between tracks in today's drives; just nowhere near as much so whatever signal might be available on the fringes will be much weaker.

            The real killer for PRML-based drives is that to cope with the amount of noise the head receives from nearby tracks, the coding itself relies on statistical analysis to reconstruct the data. Whatever signal might be on the fringe will be some blend of the old data under the current track, the new data, data on the tracks to either side, the previous data o

            • by lgw ( 121541 )

              Right - there's a physical gap, but there's no redundancy there, as there's no magnetic gap - infact as you noted there's actually overlap needing cleverness to sort out on a normal read.

              • The overlap region between ideal track centers is still somewhat of a gap; albeit not a dead/silent one.

                There will still be some residual information in there due to head deviations from the ideal path and when solving complex puzzles like reconstructing overwritten PRML blocks, every little extra hint counts.

                I have little doubt it is possible to recover at least some data from PRML drives that have been erased once, maybe twice. But the process would probably require the precision and sensitivity of someth

  • Unsafe Advice (Score:5, Informative)

    by bill_mcgonigle ( 4333 ) * on Sunday July 13, 2014 @09:50AM (#47442643) Homepage Journal

    Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.

    • Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.

      Yes, the safest approach is to enable encryption just after you get the device (after using it for a few minutes to accumulate some randomness in the Linux randomness pool, so you get a good key). If you don't, totally wiping it is more or less impossible, though the odds of anything significant surviving either the normal wipe or the encrypt & wipe (which probably won't actually do any more than the wipe) are pretty small.

  • and use up all free space. repeat again. Assumes you are saving things to internal "sdcard" and not the external.

  • In iOS, when the factory reset is performed the key is removed so when the phone is reset and tied to a new account a new key is generated which is unable to access the old content. I'd rather the content was erased first, just in case some exploit is uncovered that can get at that key, but it's better than what Android has.

    To expect an Android user to know that they must first encrypt the phone then do a factory reset if they want their data actually erased is absurd. Does Google not share the same view as

    • Oh, they have the individual permissions issue worked out - they accidentally released it through AOSP in ICS for a short time. Worked perfectly, you could disable any individual permission (and take your chances with apps crashing randomly), including the permissions that would let an app identify your phone for advertising use. Which is why they pulled the feature almost as soon as it got out - Google's buisness is ads, and anything that might upset their customers (hint, that's not the phone owner) is a
  • The use of full encryption and wiping the key was commented on many times in the article http://yro.slashdot.org/story/... [slashdot.org] quoted in this piece. Even the original story was an advert for avast's app. Does this really now deserve a separate article?
  • Whenever we take hard drives out of service we run a secure wipe if we are able to so they can be handed down.

    There seem to be a few utilities in the app store to securely wipe storage however would have been really nice if this was an option user is presented with when wiping their device.

    I personally wouldn't store anything worth protecting on a mobile phone (including device encryption keys) I don't trust myself not to screw it up... any passible security measure (linked to device key chain) would be wa

  • "all data is recoverable"

    Wanna bet? -- Lois Lerner

  • You're using an operating system built by an advertising company and you expect privacy?

  • There - problem solved. Go ahead and decipher my phone dust.
  • by jtownatpunk.net ( 245670 ) on Monday July 14, 2014 @03:31AM (#47447165)

    ...if it didn't force me to also use an alphanumeric password on my new phone. It's got a fingerprint scanner. I want to use that to unlock my phone. But that's disabled if I turn on encryption. Same with my new tablet. So no encryption for me on these devices. Both of my previous devices were content with a PIN which is considered as secure as the fingerprint scanner. Seems ridiculous that I can't determine the level of risk I'm comfortable with.

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...