How strong is Android security in 2021 in situations where your phone gets stolen?
My main concern is internal storage. Is there any specific security progress since Android 7.0?
Is there a possibility of leaking pictures and other data from salvaging parts like internal storage?
Asked
Active
Viewed 379 times
1
-
3Are you aware that Androids are encrypted by default? However, this has been the default since 6.0, so I'm not sure what you do know about the current security measures and what you are hoping has been improved. – schroeder Jul 19 '21 at 09:46
1 Answers
5
Android has File Based Encryption (FBE) by default which is cryptographically bound to screen lock code and backed by Trusted Execution Environment (TEE). Data on a powered off device or the device that is on but not yet been unlocked even for once after reboot cannot be decrypted without the knowledge of screen lock code. This state is called Before First Unlock (BFU) state.
OS in BFU state awaits for the screen lock code to decrypt user & app data. Although some basic functions like incoming calls, alarms, lockscreen wallpaper, emergency info, etc. remain available in BFU, biometrics, contact names on incoming calls and incoming messages won't be available. Screen lock code is verified by TEE which throttles number of incorrect attempts with exponential growth of cooldown. TEE chip consumes 100ms to verify the lock code.
After 5th and 10th incorrect authentication attempt, there is a timeout of 30 seconds. Every successive attempt up to the 30th gets the same timeout. Between 30 and 140 attempts, the timeout grows in an exponential manner from 32 seconds to 17 hours 4 minutes. After 140 attempts the timeout for each incorrect attempt is 1 day. A brute force attack against a 4 digit PIN would take around 27 years to complete.
Stolen devices if not already powered off by the thief are most likely to be in After First Unlock (AFU) state which is a vulnerable state for the data that is unencrypted in memory. Spyware agencies have been exploiting this state by using known critical vulnerabilities, zero day exploits and by physical extraction from quite sometime. Once FBE keys keys are in memory, they can be extracted to decrypt the storage.
Chipmakers tries to address the problem with AFU state by provisioning Inline Crypto Engine (ICE) which is a separate hardware on SoC that temporarily stores FBE keys and encrypt & decrypt data for I/O while the device is in AFU state. If ICE is provisioned, FBE keys will not be present in system memory in clear. This prevents against memory safety issues. ICE makes physical extraction harder but not infeasible. Also, if the kernel is compromised, it can be forced to request ICE to decrypt arbitrary data.
If your device is fully updated and in BFU state, there is nothing much an attacker can do with the device except for answering incoming calls. If the attacker compromises TEE chip, it could be able to bypass cooldown timer and under 28 hours, a 6 digit PIN could be brute forced. The thief can still factory reset your device by going into recovery mode. Unfortunately, no android device have authentication for recovery mode and android by default allows power off the device from locked screen because of environment safety*. Factory Reset Protection (FRP) prevents the thief from reusing the stolen device but after when the factory reset is done which I believe is half the protection. FRP is also backed by TEE.
*Environment safety: Some security trade-offs were made by android security team by allowing to shut down, to turn on airplane mode and to turn off mobile data from locked screen so that devices in case of emergency like overheating of the device while in plane and radio interference, these features can be remain functional from locked screen.
BFU: Screen hasn't been unlocked since last reboot.
AFU: Screen has been unlocked once since last reboot. Re-locking won't change the state to BFU. Only reboot does.
How is bootloader state protected against physical tampering in Google Pixel
defalt
- 6,231
- 2
- 22
- 37