
Android Full Disk Encryption Considered Useless


Update 2016-11-26: Blog article by Matthew Green on this issue

Frequent readers of my blog know that I care about security and privacy. I do avoid the cloud, I don't use Facebook or Google+, and try to keep my sensitive data unexposed to malware, theft, or other threats.

Therefore, Android Full Disk Encryption (FDE) seems to be a must-have on my mobile phone currently running CyanogenMod 12.

Reading about this encryption feature did not convince me of its usefulness for my use-cases at all.

The Advantages of FDE

When the phone is turned off, app data and app storage can't be accessed or decrypted without the PIN.

The Disadvantages of FDE

It seems to be the case that my SD card does not get encrypted at all. At least I could not find the corresponding feature in my CM12 preferences. This is quite a bummer since much of my sensitive data resides on my internal SD card. I was told that SD cards of some devices could be encrypted with Android 5.0, some not.

Although I'd prefer a removable SD card, my non-removable internal «SD card» can't be easily extracted from the phone and accessed externally. So I'd guess no extra worries here.

With FDE activated, I am forced to use a (long) PIN any time I unlock the screen. While this is definitely added security compared to unlock patterns and such, it is not as quickly done as an unlock pattern. Google did put this into perspective by introducing the need for a swipe before applying the pattern with Android 5 (AFAIR).

There are many different attack scenarios on mobile phones. However, the highest «attack-probability» is for cloud data and network traffic attacks (companies, NSA, and others), malicious apps and lost or stolen phones.

Since I do avoid public clouds and network traffic attacks are independent of FDE, this does not relate to the discussion here.

Obviously, data has to be in a decrypted state while the device is turned on. So there is no additional security layer introduced by FDE against malicious apps trying to get my data.

This comes down to the use-case where the device gets lost or stolen. The thief can access my data only if he/she does have my PIN. Since I do run my phone with disabled ADB debug, this also holds for my device without activated FDE. There is no difference whether it is running or turned off. Not much additional security through FDE here as long as the thief doesn't have special-purpose forensic equipment. Typical thieves don't care about the data. They just wipe the phone (if it is possible) and re-sell it on the (black) market.

If a friendly person finds my phone and it is turned off, he/she is not able to boot my phone so that I can send messages, make a phone-call to my own phone, or locate my phone via internet. For this purpose, I am using an unlock pattern but no SIM card PIN. Clearly a huge disadvantage of FDE as long as the hardware also represents a financial value to me in addition to the value of the stored data.

Wrap-up

Well, it seems to me that I did not think of certain aspects of the topic. I do find it very weird that I could not come up with more advantages for FDE.

So maybe you have quite interesting input on this topic: please do send me comments via Disqus or email below. I'd be happy to include it in the discussion here.

Please do take a look at the discussion on Twitter about this blog entry.
