Android Encryption

The world of Android OS

The corporate mobile mail policy requires the device storage to be encrypted.  This is to prevent the loss of information in the event the phone or device is lost.  Tough but doable, I thought.

What is Android Encryption?  It uses the dm-crypt subsystem that is part of the Linux kernel.  It encrypts the storage using a 128-bit master key.  The master key is protected by the hash of the user’s unlock PIN and a random salt.  The encrypted master key and other version information are kept in a clear (unencrypted) file stored at the end of the disk volume.  This setup enables easy password changes (the master key is re-encrypted with the new PIN) and fast device wiping (the last block of the storage is deleted).  More info here. link  Dev Doc
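The key hierarchy described above, as an added sketch that is not from the original post or from Android's source.  It assumes PBKDF2-HMAC-SHA1 for the PIN hash and uses XOR as a stand-in for the real AES key wrapping and for dm-crypt; all function names and sample values are made up for the illustration.

```python
import hashlib
import os

KEY_LEN = 16  # 128-bit master key, as the post describes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_kek(pin: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA1 stands for "the hash of the PIN and a salt".
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt, 2000, KEY_LEN)

def make_footer(pin: str, master_key: bytes) -> dict:
    # Stored in the clear at the end of the volume: salt + wrapped key only.
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": _xor(master_key, derive_kek(pin, salt))}

def unlock(pin: str, footer: dict) -> bytes:
    # A wrong PIN still returns 16 bytes, just not the real master key.
    return _xor(footer["wrapped"], derive_kek(pin, footer["salt"]))

def change_pin(old_pin: str, new_pin: str, footer: dict) -> dict:
    # Only the footer is rewritten; bulk data is never re-encrypted.
    return make_footer(new_pin, unlock(old_pin, footer))

def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    # Toy stand-in for dm-crypt (XOR keystream, so it also decrypts).
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = key + sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return _xor(data, stream)

def demo() -> dict:
    master_key = os.urandom(KEY_LEN)
    plaintext = b"constructed sample sector contents"
    on_disk = crypt_sector(master_key, 0, plaintext)
    footer = make_footer("1234", master_key)  # constructed sample PIN
    rekeyed = change_pin("1234", "a longer passphrase", footer)
    fresh = make_footer("1234", os.urandom(KEY_LEN))  # wipe: old footer gone
    return {
        "old_footer_old_pin": crypt_sector(unlock("1234", footer), 0, on_disk) == plaintext,
        "new_footer_new_pin": crypt_sector(unlock("a longer passphrase", rekeyed), 0, on_disk) == plaintext,
        "new_footer_old_pin": crypt_sector(unlock("1234", rekeyed), 0, on_disk) == plaintext,
        "wiped_footer_right_pin": crypt_sector(unlock("1234", fresh), 0, on_disk) == plaintext,
    }

if __name__ == "__main__":
    print(demo())
```

The last result shows why deleting the footer is an effective wipe: the master key is random, so the correct PIN alone cannot rebuild it.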

There are some trade-offs.  If a separate encryption password were used for the storage, the user might forget it, especially if the device is not restarted regularly.  Therefore Android Encryption is based on the user's phone unlock PIN.  For ease of use, this PIN is usually kept simple.  Who wants to enter a complex password just to get into a device many, many times a day?  For the security-conscious, a security developer has come up with an app that will enable you to set a different password for the storage, and it can be long and complex.  Exercise caution as there is no undo button.  link

I was flashing a new nightly when the irony of the situation hit me.  If the storage is encrypted, it will not be readable in Recovery mode.  That means the new nightly will be stuck in the encrypted and not mounted storage.  Do I need to decrypt just to flash a new nightly?  Hmm, back to the search engines.

Somebody on XDA-Developers suggested using an SD card.  Shut down the phone, insert the SD card, flash, shut down again to pull out the SD card and power on.  The steps sound easy and clean, except on the Samsung S2, the back panel is a piece of flimsy plastic.  All this disassembly and assembly is going to crack something.  In comparison, Nokia’s E71 is built like a tank.

Some nifty keyboard work reveals someone else has another solution to the same problem.  Put the phone in Recovery mode, use Android Debug Bridge (ADB) to mount a RAM disk, copy the new nightly in and flash using that RAM disk as the source location.  Neat!  link

I was monitoring the progress of CM10.2 or Android 4.3 development on XDA-Developers when I noticed a trend. Some users have encrypted the storage, upgraded from cm 10.1 to 10.2; thereafter access to storage was lost.  In both cases, normal operations were resumed by wiping and restoring data from backup.  link link

In summary, Android encryption is easy to use, but if you are flashing CM nightlies, you might not want to cross a version number.

Update 7 Sep

I was poking around the nightly source files to shed some light on the missing encrypted storage problem.  I noticed that the vold.fstab file seems to be missing for Android 4.3.  That doesn’t seem right, as it is one of the key config files.  Some more digging reveals that there have been some changes in the storage subsystem.  The fstab.device config file is now in root, probably part of boot.img.  I wonder if this is the cause of those upgrade problems. link

It is not always cloudy

Amazon Web Services suffered an outage at about 4 pm 24 Aug or 5am Singapore time.  Instagram, Vine and other services were affected.

What about failover and redundancy?  All those nice things of cloudy stuff?  You might want to read about Amazon’s Availability Zones.


CM10.2 or Android 4.3 is here

From 13 Aug 13, all development work on CM10.1 has stopped and moved to CM10.2.  The new version comes with BLE support and a new version of OpenGL graphics.  CyanogenMod (CM) is adding their new camera called Focal for the new version.

In a few weeks' time, they will roll out their version of Google Device Finder, called CyanogenMod Account.  All this gives a good reason to upgrade when the bug level in the nightlies stabilises and the Focal camera stops hanging.

I might upgrade just for CM Account if they don’t backport.  The other features don’t appear to be a deal breaker.  I am currently on day 11 of the CM10.1 13 Aug nightly.  Let's see how long I can pull this off before a reboot is required.

11 days of up time

Android 4.3 link CM Focal link account link

Update: 2 Sep 13
I managed to stretch the uptime to 14 days.  Unfortunately the GPS went mad and could lock on to any satellite.  In the end I restarted the phone.