Secure coding technique: Android device encryption and Direct Boot2nd November 2017
Device encryption is the process of encrypting all the data on the Android device. Once this is enabled for an Android device, all user-created data is immediately encrypted before it is written to the storage. This protects the data so that even if any unauthorized party tries to access the data, they won't be able to read it. This is an especially good feature for smartphone devices, since these are carried around by the user and more prone to loss or theft than other computing devices. Any curious finder or thief can not access the data unless he can unlock the phone.
Android has two types of device encryption: full-disk encryption and file-based encryption.
Full-disk encryption was introduced in API level 19 (Android 4.4 KitKat), but the new features in API level 21 (Android 5.0 Lollipop) really kickstarted its use. Full-disk encryption uses a single key to protect the whole device's userdata partition. The key is protected with the user's credentials and they must be provided upon boot before any part of the disk is accessible.
This is great for security but it also means that most of the functionality of the device is unavailable until the user enters their credentials. This means when the device is rebooted but not unlocked, some features like alarms cannot operate, services are unavailable and phones cannot receive calls. For this reason the second encryption mode was created.
File-based encryption, the second mode of device encryption, has been available since API level 24 (Android 7.0 Nougat). In this mode, different files are encrypted with different keys that can be unlocked independently. With this encryption mode came the Direct Boot mode, which allows encrypted devices to boot straight to the lock screen, enabling the previously missing features before unlocking the device.
The Direct Boot allows apps to operate within a limited context before the device is unlocked. This way, they can still function as expected without compromising the user information. In order to provide this functionality, the Android device needs two storage locations:
- Credential Encrypted storage. Default storage location, only available after the user has unlocked the device.
- Device Encrypted storage. Available in Direct Boot mode, and after the user has unlocked the device.
If your app needs to access data while running in Direct Boot mode, it should use the Device Encrypted storage. But be aware of the security implications! Device Encrypted Storage should not be used to store any sensitive data! The Device Encrypted storage is encrypted with a key that is available as soon as the device has successfully booted. Any data that is only meant be accessed by the user should be saved in the default location, the Credential Encrypted storage.
If you want to learn more about what encryption is or why it is important, check out the video on the Secure Code Warrior portal. Or you can try to test your knowledge on encryption by playing some challenges.
Need a step-by-step guide for your device? Check out this article from Bill Hess at Pixel Privacy.
I hope you learned something new. See you next week!
Credential encrypted storage, which is the default storage location and only available after the user has unlocked the device.