First of all…
Most of this text is ready for getting posted for roughly a week; I'm always hesitant. But since @Blauhasenpopoforced encouraged me… I finished this today. Happy now? 
The latter featuring some kind of plausible deniability is a bonus.
- my description won’t fit in few words – as always. If you want to read it, then do it. If not, then don't, but please leave me alone with nonsense like tl;dr →
- I do not want to discuss if my concerns and ideas make sense or if I’m a paranoid tinfoil hat wearing lunatic and conspiracy theorist. Instead I simply want to learn what is possible regardless if there is any practical value in this or not. Please spare me the name calling →
- it was not possible to avoid certain, possibly controversial, thoughts touching politics →
Most of this text is ready for getting posted for roughly a week; I'm always hesitant. But since @Blauhasenpopo
Main Question
Does anybody know how data on an Android phone/tablet can be reliably protected from unauthorized access? This means a similar security level like offered by LUKS and VeraCrypt.The latter featuring some kind of plausible deniability is a bonus.
I’m still at the very beginning of the process in understanding Android and it’s strange security design (locking the owner out of their own stuff). Much of it seems to be based on hard to justify assumptions, treated like axioms which must not be questioned:
The locked bootloader prevents flashing/running arbitrary code and the verified boot chain even prevents Evil Maid Attacks (on the software side→ data deletion and tamper evidence on unlock). Strong assumptions:
While phone/tablets are encrypted by default using AES with random master key, which is inaccessible (Trust Zone? Is that the correct term?) and well-protected (another assumption!) there is a inherent weakness connected with usability:
The locked bootloader prevents flashing/running arbitrary code and the verified boot chain even prevents Evil Maid Attacks (on the software side→ data deletion and tamper evidence on unlock). Strong assumptions:
A) There are no security holes allowing ACE with bootloader rights
B) Non-malicious vendors (no backdoors, no modified signed images, no rouge updates ↓↓↓)
C) No government influence (no government backdoors)
I doubt any of the three assumptions is true, let alone all of them.While phone/tablets are encrypted by default using AES with random master key, which is inaccessible (Trust Zone? Is that the correct term?) and well-protected (another assumption!) there is a inherent weakness connected with usability:
Each time you want to use a phone you have to unlock it. It is simply not practical to enter a complex passphrase (at least 20 random alphanumeric characters) good enough to withstand an automated bruteforce attack every single time. There doesn’t seem to be a way to enforce a complex passphrase on boot and have a simple PIN for normal screen unlock (or I’m too dumb to find it). For unlocking a computer with a touchscreen I can’t even use my usual, mediocre local PC login passwords.
Preventing unauthorized access to personal/user data solely depends on the assumptions A), B), C) in the spoiler above this one to be true. If device integrity is actually given and there is no way to bruteforce the user PIN other than manually typing, then a simple but random 8 to 10 digit numeric PIN is secure enough. Normal unlocking methods intentionally change the encryption key. But… if one can let the computer do the guesswork for obtaining the user PIN by executing own, malicious code…
…your data security goes down the drain.
All in all the security theater(!) provides a false sense of security; people are relying on devices simply defined as secure and convenient by design (opposed to the open PC platform, which is obviously vulnerable to Evil Maid Attacks. They try to counter with attached hardware security called TPM, but in the end PCs are more often than not unencrypted anyway).
Preventing unauthorized access to personal/user data solely depends on the assumptions A), B), C) in the spoiler above this one to be true. If device integrity is actually given and there is no way to bruteforce the user PIN other than manually typing, then a simple but random 8 to 10 digit numeric PIN is secure enough. Normal unlocking methods intentionally change the encryption key. But… if one can let the computer do the guesswork for obtaining the user PIN by executing own, malicious code…
…your data security goes down the drain.
All in all the security theater(!) provides a false sense of security; people are relying on devices simply defined as secure and convenient by design (opposed to the open PC platform, which is obviously vulnerable to Evil Maid Attacks. They try to counter with attached hardware security called TPM, but in the end PCs are more often than not unencrypted anyway).
While searching for a way to mitigate the problem that an Android device can probably easily read (and written!) by malicious “law enforcement”¹ and other attackers, I stumbled upon three apps (all by the same developer, x13a) that can be installed as device administrators:
Please do not play around with these apps on your productive devices! You can easily trigger deletion and Sentry can NOT be removed once set as device owner (which is required for disabling safe mode and disabling data USB connection) other than by doing the factory reset!
These apps are a fun addition and might improve the situation very slightly.
If your dear friend, the cop, confiscates your phone and asks you for the PIN, it may help. Some police officers might even simply try out the PIN given to them on the spot and thus set off the deletion nuke.
And if the computer forensics experts, too convinced of their own importance and abilities, simply plug in a cable carelessly, these apps would also help.
But ultimately these are just beginner's traps that don't really help much if the adversary has done their homework or smells a rat. Emergency deletion is not a replacement for solid encryption. Preventing USB connection and safe mode could be a serious security upgrade though. A bad side effect is that Sentry kills Seedvault backup when set as device owner.
________________________
¹It is completely impossible to find reliable information about so-called forensic tools. The topic has inherent secrecy and intentional incomplete information and even misinformation in order to intimidate people.
With freedom (of speech for example) melting like snow in the summer sun this kind of threat model (prosecuting innocent people) has to be taken in account.
Duress → Define a duress key/password. If entered, the device with factory reset (and hopefully change master key immediately)
Wasted Factory Reset on given triggers (fake icons, device unused for days, USB cable with data connection gets plugged in without unlocking the phone before doing so – last one is pretty effective but easy to trigger accidentally yourself)
Sentry → Disable safe mode (to prevent circumventing such apps), disable USB data connection. Could possibly prevent forensic tools from even trying to apply exploits on the running system. Factory reset on too many failed PIN attempts (some phones offer this by default).
I’ve tested the three apps and they worked for me as intended. Please do not play around with these apps on your productive devices! You can easily trigger deletion and Sentry can NOT be removed once set as device owner (which is required for disabling safe mode and disabling data USB connection) other than by doing the factory reset! These apps are a fun addition and might improve the situation very slightly.
If your dear friend, the cop, confiscates your phone and asks you for the PIN, it may help. Some police officers might even simply try out the PIN given to them on the spot and thus set off the deletion nuke.
And if the computer forensics experts, too convinced of their own importance and abilities, simply plug in a cable carelessly, these apps would also help.
But ultimately these are just beginner's traps that don't really help much if the adversary has done their homework or smells a rat. Emergency deletion is not a replacement for solid encryption. Preventing USB connection and safe mode could be a serious security upgrade though. A bad side effect is that Sentry kills Seedvault backup when set as device owner.
________________________
¹It is completely impossible to find reliable information about so-called forensic tools. The topic has inherent secrecy and intentional incomplete information and even misinformation in order to intimidate people.
With freedom (of speech for example) melting like snow in the summer sun this kind of threat model (prosecuting innocent people) has to be taken in account.
), which could get knocked out there was nothing to lose.
