Apple recently made waves within the tech community by refusing to comply with law enforcement with regard to accessing encrypted user data. Their statement was that they do not have the technical ability to decrypt this data.
As an Android user, is there any similar possibility (preferably built in to the OS instead of third party) that I can use to achieve similar protection from even Google and my device manufacturer? I know there is the "Full Device Encryption" in my settings, but does this prevent Google etc. from accessing it?
For reference, my device runs Android Lollipop and is a OnePlus Two. If other versions like Marshmallow would allow me to do this that's fine.
Answer
Google has no idea what the encryption key for your device is. The entire process takes place on your device and the key is never transmitted anywhere. The key itself is also not stored in plaintext on your device:
The encrypted key is stored in the crypto metadata. Hardware backing is implemented by using Trusted Execution Environment’s (TEE) signing capability. Previously, we encrypted the master key with a key generated by applying scrypt to the user's password and the stored salt. In order to make the key resilient against off-box attacks, we extend this algorithm by signing the resultant key with a stored TEE key. The resultant signature is then turned into an appropriate length key by one more application of scrypt. This key is then used to encrypt and decrypt the master key.
So even if someone had a copy of your encrypted master key, they could not decrypt it without the TEE key from your device's SoC.
Therefore, outside of a flaw in the implementation, full device encryption will prevent anyone from accessing your data unless they know/obtain your password OR can guess your password (e.g. via brute-forcing it or some kind of social engineering technique). On devices that lack the necessary hardware-backing, FDE will attempt to encrypt the key using a software-only method.
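The key chain quoted in the answer, as an added sketch (not Android's code and not part of the original post), showing why a copied disk image alone does not allow password guesses to be checked off the device. HMAC-SHA256 under an in-process secret stands in for the TEE signing operation; the scrypt parameters, the reuse of one salt for both scrypt passes, and all names are assumptions.

```python
import hashlib
import hmac
import os

# Demo scrypt cost parameters (constructed; a real device uses its own settings).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**12, 8, 1


def stretch(secret: bytes, salt: bytes, length: int = 32) -> bytes:
    """One application of scrypt, as used at both ends of the chain."""
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=length)


class SimulatedTEE:
    """Stand-in for the hardware: the signing key never leaves this object."""

    def __init__(self, device_key: bytes):
        self.__device_key = device_key

    def sign(self, message: bytes) -> bytes:
        # Assumption: HMAC-SHA256 models the TEE signature for this sketch.
        return hmac.new(self.__device_key, message, hashlib.sha256).digest()


def derive_kek(password: str, salt: bytes, tee: SimulatedTEE) -> bytes:
    """scrypt(password, salt) -> TEE signature -> scrypt -> key-encryption key."""
    intermediate = stretch(password.encode(), salt)
    signature = tee.sign(intermediate)
    # Assumption: the same stored salt is used for the second scrypt pass.
    return stretch(signature, salt)


def derive_kek_software_only(password: str, salt: bytes) -> bytes:
    """The earlier scheme: every input to the key is in the disk image."""
    return stretch(password.encode(), salt)


if __name__ == "__main__":
    salt = os.urandom(16)                        # stored in the crypto metadata
    phone = SimulatedTEE(os.urandom(32))         # key bound to this device
    other_hw = SimulatedTEE(os.urandom(32))      # any other hardware

    # Same password and salt on different hardware yields a different key,
    # so a guess made off the device cannot be confirmed against the image.
    print("on-device  :", derive_kek("correct horse", salt, phone).hex())
    print("off-device :", derive_kek("correct horse", salt, other_hw).hex())
    print("software   :", derive_kek_software_only("correct horse", salt).hex())
```

In the software-only fallback the password and stored salt fully determine the key, so password strength is the only barrier once the storage has been copied.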