Blog

Android Full Device Encryption Technique | Secure Code Warrior

Pieter De Cremer
Published Nov 02, 2017

Device encryption is the process of encrypting all the data on the Android device. Once this is enabled for an Android device, all user-created data is immediately encrypted before it is written to the storage. This protects the data so that even if any unauthorized party tries to access the data, they wont be able to read it. This is an especially good feature for smartphone devices, since these are carried around by the user and more prone to loss or theft than other computing devices. Any curious finder or thief can not access the data unless he can unlock the phone.

Android has two types of device encryption: full-disk encryption and file-based encryption.

Full-disk encryption

Full-disk encryption was introduced in API level 19 (Android 4.4 KitKat), but the new features in API level 21 (Android 5.0 Lollipop) really kickstarted its use. Full-disk encryption uses a single key to protect the whole devices userdata partition. The key is protected with the users credentials and they must be provided upon boot before any part of the disk is accessible.

This is great for security but it also means that most of the functionality of the device is unavailable until the user enters their credentials. This means when the device is rebooted but not unlocked, some features like alarms cannot operate, services are unavailable and phones cannot receive calls. For this reason the second encryption mode was created.

File-based encryption

File-based encryption, the second mode of device encryption, has been available since API level 24 (Android 7.0 Nougat). In this mode, different files are encrypted with different keys that can be unlocked independently. With this encryption mode came the Direct Boot mode, which allows encrypted devices to boot straight to the lock screen, enabling the previously missing features before unlocking the device.

The Direct Boot allows apps to operate within a limited context before the device is unlocked. This way, they can still function as expected without compromising the user information. In order to provide this functionality, the Android device needs two storage locations:

  1. Credential Encrypted storage. Default storage location, only available after the user has unlocked the device.
  2. Device Encrypted storage. Available in Direct Boot mode, and after the user has unlocked the device.
Protection Of Sensitive Customer Data

If your app needs to access data while running in Direct Boot mode, it should use the Device Encrypted storage. But be aware of the security implications! Device Encrypted Storage should not be used to store any sensitive data! The Device Encrypted storage is encrypted with a key that is available as soon as the device has successfully booted. Any data that is only meant be accessed by the user should be saved in the default location, the Credential Encrypted storage.

If you want to learn more about what encryption is or why it is important, check out the video on the Secure Code Warrior portal. Or you can try to test your knowledge on encryption by playing some challenges.

Need a step-by-step guide for your device? Check out this article from Bill Hess at Pixel Privacy.

I hope you learned something new. See you next week!

Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.

https://developer.android.com/training/articles/direct-boot.html

View Resource
View Resource

Android full device encryption safekeeps all of the data & writes it into storage, only seen after the device is unlocked. Learn from Secure Code Warrior.

Interested in more?

Application Security Researcher - R&D Engineer - PhD Candidate

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Pieter De Cremer
Published Nov 02, 2017

Application Security Researcher - R&D Engineer - PhD Candidate

Share on:

Device encryption is the process of encrypting all the data on the Android device. Once this is enabled for an Android device, all user-created data is immediately encrypted before it is written to the storage. This protects the data so that even if any unauthorized party tries to access the data, they wont be able to read it. This is an especially good feature for smartphone devices, since these are carried around by the user and more prone to loss or theft than other computing devices. Any curious finder or thief can not access the data unless he can unlock the phone.

Android has two types of device encryption: full-disk encryption and file-based encryption.

Full-disk encryption

Full-disk encryption was introduced in API level 19 (Android 4.4 KitKat), but the new features in API level 21 (Android 5.0 Lollipop) really kickstarted its use. Full-disk encryption uses a single key to protect the whole devices userdata partition. The key is protected with the users credentials and they must be provided upon boot before any part of the disk is accessible.

This is great for security but it also means that most of the functionality of the device is unavailable until the user enters their credentials. This means when the device is rebooted but not unlocked, some features like alarms cannot operate, services are unavailable and phones cannot receive calls. For this reason the second encryption mode was created.

File-based encryption

File-based encryption, the second mode of device encryption, has been available since API level 24 (Android 7.0 Nougat). In this mode, different files are encrypted with different keys that can be unlocked independently. With this encryption mode came the Direct Boot mode, which allows encrypted devices to boot straight to the lock screen, enabling the previously missing features before unlocking the device.

The Direct Boot allows apps to operate within a limited context before the device is unlocked. This way, they can still function as expected without compromising the user information. In order to provide this functionality, the Android device needs two storage locations:

  1. Credential Encrypted storage. Default storage location, only available after the user has unlocked the device.
  2. Device Encrypted storage. Available in Direct Boot mode, and after the user has unlocked the device.
Protection Of Sensitive Customer Data

If your app needs to access data while running in Direct Boot mode, it should use the Device Encrypted storage. But be aware of the security implications! Device Encrypted Storage should not be used to store any sensitive data! The Device Encrypted storage is encrypted with a key that is available as soon as the device has successfully booted. Any data that is only meant be accessed by the user should be saved in the default location, the Credential Encrypted storage.

If you want to learn more about what encryption is or why it is important, check out the video on the Secure Code Warrior portal. Or you can try to test your knowledge on encryption by playing some challenges.

Need a step-by-step guide for your device? Check out this article from Bill Hess at Pixel Privacy.

I hope you learned something new. See you next week!

Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.

https://developer.android.com/training/articles/direct-boot.html

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

Device encryption is the process of encrypting all the data on the Android device. Once this is enabled for an Android device, all user-created data is immediately encrypted before it is written to the storage. This protects the data so that even if any unauthorized party tries to access the data, they wont be able to read it. This is an especially good feature for smartphone devices, since these are carried around by the user and more prone to loss or theft than other computing devices. Any curious finder or thief can not access the data unless he can unlock the phone.

Android has two types of device encryption: full-disk encryption and file-based encryption.

Full-disk encryption

Full-disk encryption was introduced in API level 19 (Android 4.4 KitKat), but the new features in API level 21 (Android 5.0 Lollipop) really kickstarted its use. Full-disk encryption uses a single key to protect the whole devices userdata partition. The key is protected with the users credentials and they must be provided upon boot before any part of the disk is accessible.

This is great for security but it also means that most of the functionality of the device is unavailable until the user enters their credentials. This means when the device is rebooted but not unlocked, some features like alarms cannot operate, services are unavailable and phones cannot receive calls. For this reason the second encryption mode was created.

File-based encryption

File-based encryption, the second mode of device encryption, has been available since API level 24 (Android 7.0 Nougat). In this mode, different files are encrypted with different keys that can be unlocked independently. With this encryption mode came the Direct Boot mode, which allows encrypted devices to boot straight to the lock screen, enabling the previously missing features before unlocking the device.

The Direct Boot allows apps to operate within a limited context before the device is unlocked. This way, they can still function as expected without compromising the user information. In order to provide this functionality, the Android device needs two storage locations:

  1. Credential Encrypted storage. Default storage location, only available after the user has unlocked the device.
  2. Device Encrypted storage. Available in Direct Boot mode, and after the user has unlocked the device.
Protection Of Sensitive Customer Data

If your app needs to access data while running in Direct Boot mode, it should use the Device Encrypted storage. But be aware of the security implications! Device Encrypted Storage should not be used to store any sensitive data! The Device Encrypted storage is encrypted with a key that is available as soon as the device has successfully booted. Any data that is only meant be accessed by the user should be saved in the default location, the Credential Encrypted storage.

If you want to learn more about what encryption is or why it is important, check out the video on the Secure Code Warrior portal. Or you can try to test your knowledge on encryption by playing some challenges.

Need a step-by-step guide for your device? Check out this article from Bill Hess at Pixel Privacy.

I hope you learned something new. See you next week!

Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.

https://developer.android.com/training/articles/direct-boot.html

Interested in more?

Application Security Researcher - R&D Engineer - PhD Candidate

Click on the link below and download the PDF of this one pager.

Download

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Share on:
Interested in more?

Share on:
Author
Pieter De Cremer
Published Nov 02, 2017

Application Security Researcher - R&D Engineer - PhD Candidate

Share on:

Device encryption is the process of encrypting all the data on the Android device. Once this is enabled for an Android device, all user-created data is immediately encrypted before it is written to the storage. This protects the data so that even if any unauthorized party tries to access the data, they wont be able to read it. This is an especially good feature for smartphone devices, since these are carried around by the user and more prone to loss or theft than other computing devices. Any curious finder or thief can not access the data unless he can unlock the phone.

Android has two types of device encryption: full-disk encryption and file-based encryption.

Full-disk encryption

Full-disk encryption was introduced in API level 19 (Android 4.4 KitKat), but the new features in API level 21 (Android 5.0 Lollipop) really kickstarted its use. Full-disk encryption uses a single key to protect the whole devices userdata partition. The key is protected with the users credentials and they must be provided upon boot before any part of the disk is accessible.

This is great for security but it also means that most of the functionality of the device is unavailable until the user enters their credentials. This means when the device is rebooted but not unlocked, some features like alarms cannot operate, services are unavailable and phones cannot receive calls. For this reason the second encryption mode was created.

File-based encryption

File-based encryption, the second mode of device encryption, has been available since API level 24 (Android 7.0 Nougat). In this mode, different files are encrypted with different keys that can be unlocked independently. With this encryption mode came the Direct Boot mode, which allows encrypted devices to boot straight to the lock screen, enabling the previously missing features before unlocking the device.

The Direct Boot allows apps to operate within a limited context before the device is unlocked. This way, they can still function as expected without compromising the user information. In order to provide this functionality, the Android device needs two storage locations:

  1. Credential Encrypted storage. Default storage location, only available after the user has unlocked the device.
  2. Device Encrypted storage. Available in Direct Boot mode, and after the user has unlocked the device.
Protection Of Sensitive Customer Data

If your app needs to access data while running in Direct Boot mode, it should use the Device Encrypted storage. But be aware of the security implications! Device Encrypted Storage should not be used to store any sensitive data! The Device Encrypted storage is encrypted with a key that is available as soon as the device has successfully booted. Any data that is only meant be accessed by the user should be saved in the default location, the Credential Encrypted storage.

If you want to learn more about what encryption is or why it is important, check out the video on the Secure Code Warrior portal. Or you can try to test your knowledge on encryption by playing some challenges.

Need a step-by-step guide for your device? Check out this article from Bill Hess at Pixel Privacy.

I hope you learned something new. See you next week!

Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.

https://developer.android.com/training/articles/direct-boot.html

Table of contents

View Resource
Interested in more?

Application Security Researcher - R&D Engineer - PhD Candidate

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts