
Want To Ensure Your Personal Android Data Is Truly Wiped? Turn On Encryption

samzenpus posted about two weeks ago | from the getting-it-clean dept.

Android 91

MojoKid writes We've been around the block enough times to know that outside of shredding a storage medium, all data is recoverable. It's just a matter of time, money, and effort. However, it was still sobering to find out exactly how much data security firm Avast was able to recover from Android devices it purchased from eBay, which included everything from naked selfies to even a completed loan application. Does this mean we shouldn't ever sell the old handset? Luckily, the answer is no. Avast's self-serving study was to promote its Anti-Theft app available on Google Play. The free app comes with a wipe feature that overwrites all files, thereby making them invisible to casual recovery methods. That's one approach. There's another solution that's incredibly easy and doesn't require downloading and installing anything. Before you sell your Android phone on eBay, Craigslist, or wherever, enable encryption and wait for it to encrypt the on-board storage. After that, perform a wipe and reset as normal, which will obliterate the encryption key and ensure the data on your device can't be read. This may not work on certain devices, which will ask you to decrypt data before wiping, but most should follow this convention just fine.


91 comments

And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47442339)

Because that's the only way to know for sure that you are safe from the scum bags out there!

Re:And then throw it in a fire (1)

Anonymous Coward | about two weeks ago | (#47442481)

I'd nuke it from orbit...

Re:And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47442585)

I'd come up with an original joke.

Re:And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47442883)

Why don't you then?

Re:And then throw it in a fire (4, Informative)

plover (150551) | about two weeks ago | (#47442631)

This.

What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.

I've had people saying "oh, look at all these hard drives, you should totally sell them on ebay and I bet you could get $10 apiece for them!" Adding up the time I would waste running DBAN or sdelete or whatever, and keeping track of which ones have been wiped, and double checking to make sure everything is really gone, it's not worth the time.

A big hammer and a punch, driven deeply through the thin aluminum cover and down the platter area, takes about a second and leaves nothing anybody would bother trying to recover. You can quickly look at a drive and say "yes, this drive has been taken care of", or "hey, there's no jagged hole here, this drive isn't destroyed." The aluminum cover contains the shards if the platters are glass. I don't care who handles them after destruction. There's no worries about toxic smoke. And if you have to inventory them before shipping them to a recycler, the serial numbers are still readable.

Smashing a phone wouldn't destroy the data on the chips, so a fire is a somewhat safer option.

Re:And then throw it in a fire (1)

davester666 (731373) | about two weeks ago | (#47443537)

course, there is the risk of physical damage to your hand using your data destruction method...

Re:And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47444077)

What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.

If said data is encrypted and the encryption key is lost forever? Then it's pretty damn good.

Re:And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47444401)

I'm curious because I was told a LOW level format and using free-software tools for this very purpose would wipe the HD clean, resulting in nothing being recoverable?

I would like a response even tho it is an AC post, I do keep an eye out on my posts! For Windows there's a boot cd with a variety of tools Hiren's Boot CD, which is built to do a number of things. Obviously that's not taking into account Linux, but with Linux or free-software OS's I'm sure the solutions are the same, maybe even easier.

I'm nowhere close to a savvy computer users nor an expert, but I do study means and ways of either fixing a system and or destroying it without physically smashing them.

Re:And then throw it in a fire (1)

Zmobie (2478450) | about two weeks ago | (#47444909)

As far as I know, the hardware is no different than a standard platter drive and since most phones can be mounted to and read/written from a normal PC, I really see no reason why you couldn't use a secure rewrite with something like CCleaner or even use killdisk if you want to WIPE the phone. Don't quote me on it, because I've never tried myself on a phone but I would think it is fine.

Most people who say to "destroy" the drive are just being overly cautious. For anything that does multiple overwrites on all drive sectors you should be fine for the most part. Technically yes the only way to guarantee the drive is unreadable is destruction, but for an individual that is normally over the top (says this as I've destroyed a few old drives myself...).

Re:And then throw it in a fire (1)

jrumney (197329) | about two weeks ago | (#47445739)

As far as I know, the hardware is no different than a standard platter drive

You don't know very far then, do you? But yes, a secure rewrite of the full device should wipe the flash to the point where some serious lab equipment is needed to recover anything from the device.

Re:And then throw it in a fire (1)

Zmobie (2478450) | about two weeks ago | (#47446809)

That would be why I posted that caveat... Obviously it isn't a 3.5'' or a 2.5'' platter drive, those are literally bigger than the phones most of the time, but conceptually it is the same principles for OS data storage and access (probably isn't using magnetic platters, but neither do SSDs and you can do the same things to both).

Re:And then throw it in a fire (1)

zacherynuk (2782105) | about two weeks ago | (#47444571)

Tell you what mate, good luck with your punch and hammer technique.

I very regularly need to physically destroy hard disks, and depending on the vendor, it's actually rather tough - especially 15K SCSI jobbies which, due to the rotational speed require very sturdy housings.

Couple of weeks ago I had to wreck 3 dozen old worthless drives - even with running water to keep the bit cool, I still went through 4 tungsten bits.

Re: And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47447625)

A couple of .308 through them ought to do the trick. Turn your drive-destroying job into a plinking event.

Re: And then throw it in a fire (1)

zacherynuk (2782105) | about two weeks ago | (#47447789)

I'd like that ! :)

Sadly I only have a .177 air rifle ...

Re:And then throw it in a fire (2)

thegarbz (1787294) | about two weeks ago | (#47445469)

What is the value of a used device? Compare that to the risk of the data on that device going to a malevolent third party.

That depends on the device. The fact that you liken them to a $10 hard disk is a problem for your argument. A Galaxy S4 fetches some $300 used on ebay. A Galaxy S4 with a broken screen is still fetching some $150+.

That's the value of a used device. Now take $300 in your hand right now, hold a lighter under it and ask yourself, would you light it up right now to maybe protect the data on your phone from the slight chance that someone wants the phone for your secrets rather than as a replacement for the one they dropped in the toilet? I wouldn't. I don't routinely burn money for slight maybe chances.

That said I don't have naked selfies on my phone either, or loan applications, and if I did they're on my external SD card which would not be going with the phone.

I have a better idea, just send me the $300, less waste that way.

Re:And then throw it in a fire (1)

plover (150551) | about two weeks ago | (#47465681)

I don't think you considered the depth of the question: what is the risk? Could your device contain credit card information? Could it have your social security numbers? Could it have a way to access your bank account? Your retirement accounts? Your brokerage accounts? A lot of your personal finances could be at risk. Are you wealthy enough to be worth kidnapping, and if so, could the device provide access to your family's panic room, or to your alarm system? What about medical information? Assign dollar values to those (it's certainly nebulous, but you want to end up with some kind of estimate) and add up your overall potential for loss. Now, divide by the likelihood your device will be compromised - you might estimate that tens of millions of devices are recycled each year, and you might figure a hundred thousand are handled by people who would like to steal from them, giving you roughly a 1 in 100 chance of having your device compromised. Would you bet the information above on those odds for $300?

Maybe you don't think you have very much worth stealing. Perhaps you're young, and don't have a retirement account, and not much in the bank, so your financial risk is only $1,000. Maybe you don't see any risk at leaking your health data. And maybe you're supremely confident in your abilities to wipe the flash RAM. Good for you, take the $300 and spend it. For you, it's a solid bet. For those of us with more at risk, it's not such a sure thing; even if I am confident in my skills at wiping these devices, what if I make a mistake?

Re:And then throw it in a fire (1)

thegarbz (1787294) | about two weeks ago | (#47465841)

I don't think you considered the depth of the question: what is the risk? Could your device contain credit card information? Could it have your social security numbers? Could it have a way to access your bank account? Your retirement accounts? Your brokerage accounts? A lot of your personal finances could be at risk. Are you wealthy enough to be worth kidnapping, and if so, could the device provide access to your family's panic room, or to your alarm system? What about medical information?

My device *could* also be used as a sex toy, be implicated in the murder of someone by blunt force trauma, or contain state secrets. Why not rephrase the question, rather than asking "could" it contain, ask "does" it contain.

Now, divide by the likelihood your device will be compromised - you might estimate that tens of millions of devices are recycled each year, and you might figure a hundred thousand are handled by people who would like to steal from them, giving you roughly a 1 in 100 chance of having your device compromised. Would you bet the information above on those odds for $300?

Yes, because your hypothetical doomsday scenario doesn't apply to the device. Now let's look at something more realistic. The vast majority of devices will leak personal information. It has my name and address, it has nickname and email accounts. Would I risk a 1 in 100 chance despite how unrealistic the thought that there are 100,000 people out there trawling for used devices for the purpose of theft? Yes I still would, because I don't place value on the information on my phone when weighed up against the risk.

Maybe you don't think you have very much worth stealing. Perhaps you're young, and don't have a retirement account, and not much in the bank, so your financial risk is only $1,000. Maybe you don't see any risk at leaking your health data. And maybe you're supremely confident in your abilities to wipe the flash RAM. Good for you, take the $300 and spend it. For you, it's a solid bet. For those of us with more at risk, it's not such a sure thing; even if I am confident in my skills at wiping these devices, what if I make a mistake?

Actually it's far more simple than that. What is highly sensitive information doing on your phone to begin with? And more to the point, why did they identify photos of the owner's "manhood" in TFA? I'm no more confident in my ability to wipe my phone than you are, but judging by your post I feel far more confident that I don't need to wipe my phone quite as thoroughly as you do.

I'm more questioning what the hell it is you people do with your phones!

Re:And then throw it in a fire (5, Funny)

wisnoskij (1206448) | about two weeks ago | (#47442635)

Data cannot be destroyed, that is a fundamental axiom of physics. Someone might read your data based on the smoke your chimney emits.

Re:And then throw it in a fire (0)

Anonymous Coward | about two weeks ago | (#47446227)

Data cannot be destroyed, that is a fundamental axiom of physics.

Outside of black holes. Inside there is much disagreement about it.

Re:And then throw it in a fire (2)

kmoser (1469707) | about two weeks ago | (#47449929)

Careful when you burn that phone--you might elect a new Pope!

What is this android thing? (1)

invictusvoyd (3546069) | about two weeks ago | (#47442349)

Is there a public booth around here? -- Richard Stallman

Re:What is this android thing? (0, Troll)

Anonymous Coward | about two weeks ago | (#47442359)

Is there a public booth around here ? -- Richard Stallman

Yeah, smart guy. But nobody wants Stallman's naked selfies anyway..

Free space (4, Insightful)

narced (1078877) | about two weeks ago | (#47442375)

What is not addressed is whether or not this wipes the free space as well. Recovering deleted files is easy, and if the encryption doesn't fill the device then encrypt then this trick can leave some stuff behind.

Re:Free space (1)

Jane Q. Public (1010737) | about two weeks ago | (#47443829)

This also ignores the fact that once a phone is fully encrypted, Android does not support un-encrypting it. Believe me, I know. I encrypted my phone and the only way to un-encrypt it, even according to the experts, was to do a restore from a bit-by-bit "nandroid" backup from before the encryption.

Re:Free space (2)

tlhIngan (30335) | about two weeks ago | (#47449019)

This also ignores the fact that once a phone is fully encrypted, Android does not support un-encrypting it. Believe me, I know. I encrypted my phone and the only way to un-encrypt it, even according to the experts, was to do a restore from a bit-by-bit "nandroid" backup from before the encryption.

That's the point.

The point is not to enable encryption for day-to-day use of your phone (because Android forces you to have a PIN or password at a minimum, no more facial recognition), and given how inconvenient those things are for a good chunk of users, they'd rather go without security.

The point is to enable encryption, have it encrypt the phone, then do a master wipe which tosses the encryption key and restores it back to unencrypted state. Since the key is tossed, the data is irretrievable.

In short, you do this prior to selling the phone. Just make sure you have a couple of hours and AC power to do it - it's not like the 5 minutes it takes on an iPhone to toss and regenerate keys.

Re:Free space (1)

Andy Dodd (701) | about two weeks ago | (#47448019)

Android encryption is done on a partition basis - so the entire partition is going to get clobbered by the encryption process.

The only way data might "leak" out of this is if the eMMC wear leveller saves off the information somewhere - but this requires a pretty sophisticated attacker to recover. Also, Android's wiping facility has done an eMMC secure erase since ICS (exception - Samsung Galaxy S2 family does either a standard format or a nonsecure erase, since firing a secure erase at Samsung's defective eMMC will send the wear leveller out into la-la-land 5% of the time, and once it goes there, there is no coming back.)

when a hammer is not an option...... (0)

Anonymous Coward | about two weeks ago | (#47442405)

There should be no need to decrypt before wipe, just start phone in bootloader mode where you get the option to wipe cache, memory etc and reset to factory defaults. That should then reset the phone and delete the encryption/decryption key but leave the bits of memory that do not get overwritten still encrypted.

Hope this works as that is the procedure I go through before selling any android phone I have owned since the encryption feature has been there.

srm -v -z (0)

invictusvoyd (3546069) | about two weeks ago | (#47442415)

1 pass with 0xff
5 random passes. /dev/urandom is used for a secure RNG if available.
27 passes with special values defined by Peter Gutmann.
Rename the file to a random value
Truncate the file

viola ! .. no more naked selfies

Re:srm -v -z (1)

Anonymous Coward | about two weeks ago | (#47442467)

viola

I do not think this word means what you think it means.

Re:srm -v -z (0)

Anonymous Coward | about two weeks ago | (#47442545)

Maybe he means the naked selfies all get turned into pictures of violas? Yaaaa, that's what 27 passes are for: to transform the image of the human body into an image of a viola...... follow the steps and voilà! Naked selfie is now naked viola.

Re:srm -v -z (0)

Anonymous Coward | about two weeks ago | (#47442909)

Wrong word. He meant to type "wallah!"

Re:srm -v -z (1)

graphius (907855) | about two weeks ago | (#47445013)

or "see here"

Re:srm -v -z (5, Insightful)

wiredlogic (135348) | about two weeks ago | (#47442733)

The "special values" were from Gutmann's paper on wiping MFM/RLL drives. It is pointless on any modern magnetic drive or solid state memory. He points out in his newer paper on solid-state memories that multi-level flash (now used everywhere other than the most performance critical applications) is particularly hard to recover data from. Furthermore, the wear-leveling strategies used in flash mass storage devices negate any attempt to securely wipe them short of physical destruction. You're just practicing cult cargo voodoo.

Re:srm -v -z (3, Interesting)

Immerman (2627577) | about two weeks ago | (#47442879)

>Furthermore, the wear-leveling strategies used in flash mass storage devices negates any attempt to securely wipe them short of physical destruction.

Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Gutmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.

I don't know that I'd trust it to wipe vital military secrets, but it should do a good enough job for most anything in the civilian realm.

Re:srm -v -z (2)

plover (150551) | about two weeks ago | (#47443887)

Well, it confounds it at any rate. But completely filling the device's memory 33 times in a row is pretty likely to overwrite everything at least once or twice - even the hidden "failure reserve" space if it's included in the wear leveling (and if it's not, then it doesn't yet hold any sensitive data, so there's no problem). Gutmann's values may be irrelevant to today's storage media, but that many repeated rewrites of anything still mostly does the job.

If you were an engineer in charge of destroying data printed on paper, and you decided on shred then burn then stir the ashes in water, how many times would you repeat the cycle in order to be sure the data was destroyed? Hint: if your recommendation is greater than one (in order to be pretty sure), check your job title, because you're probably Dilbert's pointy-haired boss.

Drives today work almost nothing like the drives of 20 years ago. They don't paint bit-bit-bit in a stripe, they encode a set of bits in every pulse of the write head. Alter it a tiny fraction, and it becomes a completely different set of bits, one that error correction won't be able to overcome.

Old disks were recoverable because the mechanisms weren't precise, and the data was written with big chunky magnets to assure it was readable. All that slop has been engineered out in order to achieve today's remarkable areal densities. One overwrite is all it takes - as long as you're overwriting it all.

Re:srm -v -z (3, Informative)

Immerman (2627577) | about two weeks ago | (#47444069)

Not quite - modern magnetic drives still have tracks wider than the read-write head so that atomic-level alignment isn't necessary. There may be far less "overwrite" than there once was, but if a newly recorded track is not *perfectly* aligned with the last recording then there may well be several percent of the previously recorded track that remains unaltered (consider the worst-case scenario where the previous recording in this track was written at the smallest radius allowed by actuator tolerances, while this pass is at the maximum radius allowed). Now, recovering that data will probably require removing the platters and analyzing them with much higher resolution read heads, but it can be done.

I was more addressing the problems with flash though - in order to disguise degradation, modern flash drives typically include more capacity than is addressable by the host system. Fill it to the brim so there are zero bytes free, and there's still several percent of the total drive capacity that is sitting unused in the reserve pool. The only way to overwrite that (barring an OS-accessible "secure wipe" command implemented on the drive) is to generate sufficient churn that the internal wear leveling algorithms cycle through every byte of the reserve capacity at least once. And since you probably don't know the exact algorithm used or wear levels of the drive to begin with, more is better - after all you have to tease out the most heavily used page currently sitting in the reserve.
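A small simulation of the reserve-pool problem described in this post, and of the firmware-level secure erase Andy Dodd mentions further up the thread. This is an added, constructed model, not any controller's firmware or code from the thread: the wear-leveller is a plain FIFO free list (the most forgiving policy, so the pass count it reports is a lower bound for real drives), and the page sizes and counts are arbitrary.

```python
"""Toy flash translation layer: the host addresses only `logical_pages`, but
the drive keeps `reserve_pages` extra physical pages and rotates every write
through the whole pool.  Stale copies survive in the pool until some later
write happens to land on them or the firmware erases everything."""
from typing import Dict, List, Optional


class FlashSim:
    def __init__(self, logical_pages: int, reserve_pages: int) -> None:
        self.logical_pages = logical_pages
        total = logical_pages + reserve_pages
        self.phys: List[Optional[bytes]] = [None] * total  # contents of each physical page
        self.mapping: Dict[int, int] = {}                   # logical page -> physical page
        self.free: List[int] = list(range(total))           # erased or stale pages, FIFO order

    def write(self, lpn: int, data: bytes) -> None:
        """Wear levelling: a write goes to the next free physical page and the
        page holding the old copy is returned to the pool WITHOUT being erased."""
        old_ppn = self.mapping.get(lpn)
        if self.free:
            new_ppn = self.free.pop(0)
            if old_ppn is not None:
                self.free.append(old_ppn)
        else:
            new_ppn = old_ppn  # no spare page at all: erase and re-program in place
        self.phys[new_ppn] = data
        self.mapping[lpn] = new_ppn

    def host_overwrite_all(self, fill: bytes) -> None:
        """What a host-side wipe tool can do: rewrite every logical page once."""
        for lpn in range(self.logical_pages):
            self.write(lpn, fill)

    def secure_erase(self) -> None:
        """Firmware erase of every physical page, reserve pool included (the
        eMMC secure erase Android's wipe issues, per Andy Dodd's comment)."""
        self.phys = [None] * len(self.phys)
        self.mapping.clear()
        self.free = list(range(len(self.phys)))

    def remnants(self, marker: bytes) -> int:
        """Physical pages, mapped or stale, that still carry `marker`."""
        return sum(1 for p in self.phys if p is not None and marker in p)


def fill_with_secret(logical: int, reserve: int, secret: bytes) -> FlashSim:
    """Constructed starting state: every logical page holds tagged secret data."""
    drive = FlashSim(logical, reserve)
    for lpn in range(logical):
        drive.write(lpn, secret + lpn.to_bytes(2, "big"))
    return drive


def remnants_after_one_pass(logical: int, reserve: int, secret: bytes, fill: bytes) -> int:
    """How many physical pages still hold the secret after the host fills the
    visible capacity exactly once."""
    drive = fill_with_secret(logical, reserve, secret)
    drive.host_overwrite_all(fill)
    return drive.remnants(secret)


def passes_until_clean(logical: int, reserve: int, secret: bytes, fill: bytes, limit: int = 10) -> int:
    """Host overwrite passes needed before no physical page carries the secret."""
    drive = fill_with_secret(logical, reserve, secret)
    for n in range(1, limit + 1):
        drive.host_overwrite_all(fill)
        if drive.remnants(secret) == 0:
            return n
    return limit


def remnants_after_secure_erase(logical: int, reserve: int, secret: bytes) -> int:
    drive = fill_with_secret(logical, reserve, secret)
    drive.secure_erase()
    return drive.remnants(secret)


if __name__ == "__main__":
    print("stale pages after one full host overwrite:",
          remnants_after_one_pass(64, 8, b"SECRET", b"\xff" * 8))
    print("passes until clean:", passes_until_clean(64, 8, b"SECRET", b"\xff" * 8))
```

With a FIFO pool, one host pass leaves exactly as many stale copies as there are reserve pages; a second pass clears them, while a drive with no reserve is clean after one pass.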

Re:srm -v -z (0)

Anonymous Coward | about two weeks ago | (#47450495)

What does your girlfriend have to say...

Re:srm -v -z (2)

queazocotal (915608) | about two weeks ago | (#47443023)

This is not required.
https://security.web.cern.ch/s... [web.cern.ch] is relevant.
This actually investigates the physics behind overwriting - in short - once is quite enough today.

There are concerns about reallocated space on hard disks - but 99.99% of the data has gone away, and recovering the rest is at best expensive.

Dupe? (0)

Zanadou (1043400) | about two weeks ago | (#47442435)

Re:Dupe? (2)

danlip (737336) | about two weeks ago | (#47442449)

Followup, not dupe. The post you referenced is also referenced in the summary.

call now for lost innocence recovery app (-1)

Anonymous Coward | about two weeks ago | (#47442437)

or just click http://randomrahrah1.wordpress.com/

Encryption should be used WHILE you own it... (1)

Anonymous Coward | about two weeks ago | (#47442475)

It's just too bad that it makes your android device run like complete sh!t.

security through diversity (0)

Anonymous Coward | about two weeks ago | (#47442527)

not a short story http://www.youtube.com/watch?v=vVg7mtgEqGY

Full-disk wipe or only current data? (5, Insightful)

Gaygirlie (1657131) | about two weeks ago | (#47442485)

I'm under the impression that turning on encryption works on a file-by-file basis, not full-disk encryption, and as such it might still be possible to find at least some old files there if the locations haven't been overwritten by new data. If it indeed works as I have the impression it does, then turning encryption on is still possibly an inadequate safety method.

Re:Full-disk wipe or only current data? (1)

wisnoskij (1206448) | about two weeks ago | (#47442589)

Yes, of course it will not be encrypting "empty" sections of the hard drive. So who knows what it is leaving unencrypted. It also would not prevent any method that cracks encryption. Also, since we all know that recovering deleted files is trivial, it would be possible to get back the deleted encryption key.....

Re:Full-disk wipe or only current data? (5, Informative)

Anonymous Coward | about two weeks ago | (#47442659)

According to the android documentation it is full-disk encryption [android.com] based on dm-crypt.

Re:Full-disk wipe or only current data? (1)

Anonymous Coward | about two weeks ago | (#47443185)

Who gives a shit what the documentation says. Actual implementation is what matters. Do you really trust a mobile platform to be faithful to the documentation when you're trying to wipe a partition (which could easily be implemented directly but isn't) by first encrypting all data and then throwing away the key? Various recoveries silently switched from imaging to archiving for their backup functions (and then fail to restore because they don't handle all aspects of the filesystem), and even though they offer to wipe partitions, they actually only format them. You simply cannot believe anything in the mobile world. Everybody just tells the users it's secure, that the data is protected, encrypted, wiped, stored redundantly, whatever they want.

Re:Full-disk wipe or only current data? (4, Insightful)

swillden (191260) | about two weeks ago | (#47444869)

Who gives a shit what the documentation says. Actual implementation is what matters.

Absolutely. So, look at the source: https://android.googlesource.c... [googlesource.com]

That file contains the code that generates the master key, derives the key encryption key used to protect it (using scrypt), stores the protected master key, and configures dm_crypt with the master key.

Some functions to look at:

- create_encrypted_random_key(), which creates the master key (reading from /dev/urandom).
- encrypt_master_key(), which derives a KEK from your password and uses it to encrypt the master key.
- decrypt_master_key(), which does the reverse.
- create_crypto_blk_dev(), which creates dm_crypt block device.
- cryptfs_setup_volume(), which mounts an encrypted block device.
- cryptfs_enable_inplace(), which encrypts an existing file system.

Do you really trust a mobile platform to be faithful to the documentation when you're trying to wipe a partition (which could easily be implemented directly but isn't) by first encrypting all data and then throwing away the key?

The device doesn't know you're trying to wipe. It knows that you (a) requested full disk encryption and then later (b) requested a wipe. So it can't optimize (a) away. I suppose it's possible it could just lie and tell you "Yep, I'm encrypting" even though it isn't, but that's the sort of thing that would definitely get noticed by security analysts and gleefully published.
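A runnable model of the key hierarchy this post walks through (random master key, scrypt-derived key-encryption key wrapping it, data encrypted under the master key) and of why a wipe that discards the wrapped key leaves the ciphertext unreadable. This is an added illustration, not the cryptfs code itself: the function names mirror the roles listed above rather than the real functions, the cipher is an HMAC-SHA256 counter keystream standing in for dm-crypt's AES, the key-check value is a constructed stand-in, and the scrypt cost parameters are kept small so the example runs quickly.

```python
"""Model of Android-style device encryption: password -> KEK (scrypt),
KEK wraps a random master key, master key encrypts sectors.  The only
secret material on flash is the footer (salt + wrapped key + check value)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
MASTER_KEY_LEN = 32


def keystream(key: bytes, label: bytes, nbytes: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the AES modes dm-crypt uses."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Password -> key-encryption key via scrypt (demo cost parameters, deliberately low)."""
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=MASTER_KEY_LEN)


@dataclass
class CryptoFooter:
    salt: bytes
    wrapped_master_key: bytes
    check: bytes  # constructed stand-in for cryptfs's key verification


@dataclass
class Device:
    footer: Optional[CryptoFooter]
    sectors: List[bytes]


def wrap_master_key(master_key: bytes, password: bytes, salt: bytes) -> bytes:
    """Role of encrypt_master_key(): KEK from the password, then wrap the master key."""
    kek = derive_kek(password, salt)
    return xor_bytes(master_key, keystream(kek, b"wrap", len(master_key)))


def unwrap_master_key(footer: CryptoFooter, password: bytes) -> Optional[bytes]:
    """Role of decrypt_master_key(): returns None when the password is wrong."""
    kek = derive_kek(password, footer.salt)
    candidate = xor_bytes(footer.wrapped_master_key,
                          keystream(kek, b"wrap", len(footer.wrapped_master_key)))
    expected = hmac.new(candidate, b"check", hashlib.sha256).digest()
    return candidate if hmac.compare_digest(expected, footer.check) else None


def crypt_sector(master_key: bytes, index: int, data: bytes) -> bytes:
    """Sector-number-bound keystream; the same call encrypts and decrypts."""
    return xor_bytes(data, keystream(master_key, b"sector" + index.to_bytes(8, "big"), len(data)))


def enable_encryption(plain_sectors: List[bytes], password: bytes) -> Device:
    """Role of create_encrypted_random_key() + cryptfs_enable_inplace(): fresh
    master key from the OS RNG, wrapped under the password, every sector encrypted."""
    master_key = os.urandom(MASTER_KEY_LEN)
    salt = os.urandom(16)
    check = hmac.new(master_key, b"check", hashlib.sha256).digest()
    footer = CryptoFooter(salt, wrap_master_key(master_key, password, salt), check)
    return Device(footer, [crypt_sector(master_key, i, s) for i, s in enumerate(plain_sectors)])


def mount(device: Device, password: bytes) -> Optional[List[bytes]]:
    """Role of cryptfs_setup_volume(): unwrap the master key, expose plaintext sectors."""
    if device.footer is None:
        return None  # the wrapped key is gone; nothing can recover the master key
    master_key = unwrap_master_key(device.footer, password)
    if master_key is None:
        return None
    return [crypt_sector(master_key, i, s) for i, s in enumerate(device.sectors)]


def factory_reset(device: Device) -> Device:
    """The wipe step: the footer holding the wrapped key is destroyed.  The
    ciphertext is deliberately left behind to show it is useless without it."""
    return Device(None, list(device.sectors))


def sample_partition() -> List[bytes]:
    """Constructed sample data: three sectors of a pretend loan application."""
    lines = (b"LOAN APPLICATION", b"SSN: 000-00-0000 (constructed)", b"income: 12345")
    return [line.ljust(SECTOR_SIZE, b"\0") for line in lines]


if __name__ == "__main__":
    dev = enable_encryption(sample_partition(), b"1234")
    print("mounts with PIN:", mount(dev, b"1234") == sample_partition())
    print("mounts after reset:", mount(factory_reset(dev), b"1234") is not None)
```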

"It's just matter of time, money, and effort." (5, Interesting)

retroworks (652802) | about two weeks ago | (#47442499)

It's well established that plenty of consumers discard or donate hard disks without taking any precautions, and are playing roulette with their identity. It's also well established that hundreds of millions of tons of this equipment is replaced, resold, stolen or discarded, and most people who wind up with the secondary device lack either the time, money, or effort to scavenge data off the phone. If in fact someone is in the identity theft business by buying phones on ebay, they'd profile themselves pretty well after a dozen phone purchases (what do these data-theft-victims have in common?). And who knows how many phones they'd have to buy which had been wiped in some way (and required more time, money and effort)?

This isn't a bad article in that it birddogs simple things you can do before selling your used phone, and if it elevates the perception of risk in order to get people to do something easy, that's appropriate. But in response to people who are shooting and burning their devices to be "100% sure" that no one spends the time, money and effort to follow them... that's appropriate if you are a high risk target. If you have stuff on your phone of interest to the FBI or KGB, the amount of time+money+effort may be less than or = the amount of risk. Your call.

But there is a lot of hyperbole out there about the percentage of identity theft which is traced to secondary market devices, and the billions of dollars in secondary market sales on sites like ebay represent time+money+effort interest in new product makers to spend fanning flames. Again it's appropriate that the article raises concerns and then points to simple efforts a consumer can take to increase the barrier-to-entry to their personal data. But the army of ebay buyers getting their porn fixes by buying and then de-encrypting cell phones to retrieve ugly selfies seems exaggerated. Warn people about sharks if they are swimming in shark infested waters, don't tell people that most swimmers will be attacked by sharks.

Tear your mail in 8 pieces and someone could dig it out of the trash and tape it together, but the time+money+effort that represents is significant. I remember people selling paper shredding equipment in the 1990s who described armies of Iranian students or Chinese peasants who could be buying torn paper and taping it back together. If they know it's the President of the USA's mail, they no doubt will expend that time+money+effort... Presidents should assume they are swimming in a shark tank. For most of us, ebay resales are a swimming pool, and warnings of shark attacks get tiresome.

usually will not do the sdcard partition (2)

itsme1234 (199680) | about two weeks ago | (#47442573)

Last time I checked the standard Android encryption will not do the sdcard partition (I mean not the physical card, but the partition on the internal flash, usually the biggest chunk of it, like let's say 11 out of 16GB). YES, some manufacturers like Samsung and Motorola (possibly many more) have their own solution (I bet a really crappy one but never mind that) and it would do mostly everything, including the big sdcard partition and (if needed) even the physical sdcard.

Anyway bottom line is that:

a. depending on the phone you might not be able to encrypt /sdcard at all
b. ANY activity, including storing random (non-private) crap on the phone and then removing it, helps. However, this is no magic bullet.

Re:usually will not do the sdcard partition (1)

swillden (191260) | about two weeks ago | (#47445259)

Last time I checked the standard Android encryption will not do the sdcard partition (I mean not the physical card, but the partition on the internal flash, usually the biggest chunk of it, like let's say 11 out of 16GB).

I'm pretty sure that's not true, because it would make device encryption pretty much useless. A glance at the code certainly appears to show that it encrypts all volumes, but maybe /sdcard somehow gets excluded from the list? I'll ask my colleague, who "owns" disk encryption for Android at Google, tomorrow and post a followup.

I'll also note that none of the devices I have handy (Galaxy Nexus, Nexus 4, Nexus 5, Nexus 7 1st & 2nd gen, Nexus 10, Moto X, Moto RAZR M, Samsung Note 2) even have an /sdcard partition, exactly. They all mount their data partition on /data, and /data is definitely included in device encryption. In fact, it and /cache are the primary targets of device encryption (/system doesn't matter).

Re: usually will not do the sdcard partition (0)

Anonymous Coward | about two weeks ago | (#47447677)

Perhaps you could pass on that, scrypt or no scrypt, Android uses the phone unlock PIN to encrypt the bulk dm-crypt key in the custom volume header, unless vold is called via command line to encrypt the device with another passphrase (which is possible but not via the Android GUI interface, and then the unlock PIN mustn't be changed afterwards as Android will sync them).

This is wrong. Unlock PIN must resist online attack and is often very short because it's typed very frequently - this is completely at odds with using it to protect a secret key that is available to OFFLINE attack, i.e. the volume header. This is a real, practical vuln that is used for attack in the wild by GCHQ and forensics tools. A reasonable implementation would take about an hour to unlock most phone images, even with scrypt.

You need to fix that, or store the keys in crypto area if available on the SoC unlocked by unlock PIN which can't be accessed in any raw way by forensic tools without the unlock PIN.

This has been reported before, for years no action taken. Want Full-Disclosure?
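To make the point of the two comments above concrete (a PIN-wrapped volume key exposed to offline search, and the suggested fix of binding the key to a secret that forensic tools cannot read without the SoC), here is an added illustration that is not Android's real header format or any poster's code. The header layout, the `device_secret` parameter and the XOR/HMAC wrapping are constructed for the example; only the KDF (scrypt, with PBKDF2 as a fallback) is real.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy volume header, not Android's real format: the bulk (dm-crypt)
# master key is wrapped under a KEK derived from the unlock PIN, exactly the
# design the comment criticises.
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1  # scrypt cost; raise N on real hardware


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """64 bytes: first half wraps the master key, second half authenticates it."""
    try:
        return hashlib.scrypt(secret, salt=salt, n=KDF_N, r=KDF_R, p=KDF_P, dklen=64)
    except AttributeError:  # Python built without OpenSSL scrypt support
        return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)


def wrap_master_key(pin: str, master_key: bytes, device_secret: bytes = b"") -> dict:
    """Build the toy header. device_secret is a hypothetical SoC-bound value that
    a raw flash image does not contain; with it, the PIN alone no longer fixes the KEK."""
    salt = os.urandom(16)
    kek = derive_kek(pin.encode() + device_secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, kek[:32]))  # 32-byte master key
    tag = hmac.new(kek[32:], wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(pin: str, header: dict, device_secret: bytes = b"") -> Optional[bytes]:
    """Recover the master key, or None if the PIN or device secret is wrong."""
    kek = derive_kek(pin.encode() + device_secret, header["salt"])
    tag = hmac.new(kek[32:], header["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], kek[:32]))


def offline_search_hours(keyspace: int, kdf_seconds: float) -> float:
    """Worst-case hours to try every candidate secret against a captured header
    on one core. A slow KDF only multiplies this; it cannot rescue a tiny keyspace."""
    return keyspace * kdf_seconds / 3600


if __name__ == "__main__":
    import time
    master = os.urandom(32)
    hdr = wrap_master_key("1234", master)
    t0 = time.perf_counter()
    assert unwrap_master_key("1234", hdr) == master
    per_guess = time.perf_counter() - t0  # one KDF evaluation on this machine
    for label, space in (("4-digit PIN", 10 ** 4), ("6-digit PIN", 10 ** 6),
                         ("8-char alphanumeric", 62 ** 8)):
        print(f"{label:>20}: {offline_search_hours(space, per_guess):.2e} h worst case")
```

Run stand-alone it prints how far the measured KDF cost stretches each keyspace; the hardware-bound variant is the case where the header alone, however it is imaged, is not enough.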

Re: usually will not do the sdcard partition (1)

swillden (191260) | about two weeks ago | (#47449005)

Yeah, we're fully aware of the problem. Improvements are in the pipeline. I'm not sure I can disclose what, exactly, although there's obviously no reason to be secretive about this.

"overwrites all files" How Many Times? (1)

wisnoskij (1206448) | about two weeks ago | (#47442597)

How many times does it overwrite the files?

Re:"overwrites all files" How Many Times? (1)

ledow (319597) | about two weeks ago | (#47442729)

Doesn't really matter - nobody has ever successfully recovered information from magnetic history like that.

There was a $1m prize for nearly a decade and not one "recovery" company could claim it.

Once a bit on a magnetic / solid state device is overwritten, that's your lot. Now, whether you overwrite ALL bits or not (e.g. reserved areas, replacement sectors, etc.) is another question entirely.

Re:"overwrites all files" How Many Times? (0)

Anonymous Coward | about two weeks ago | (#47442751)

I just learned that flash memory is magnetic. I may need to turn in my degree.

Re:"overwrites all files" How Many Times? (1)

ledow (319597) | about two weeks ago | (#47442817)

You can be pedantic, and replace with "electromagnetic history" if you like, but to be honest - apart from pedantry - it just makes the case more. And I do mention "solid-state" in the next paragraph.

You can't tell what a bit held on a memory storage device held historically with ANY degree of accuracy at all. Flash memory even less so than 40-year-old hard drives, in fact.

Re:"overwrites all files" How Many Times? (1)

uncqual (836337) | about two weeks ago | (#47445071)

Go ahead, try to convince a homeopath [homeopathy-soh.org] that there's no memory of stuff that's no longer there!

Re:"overwrites all files" How Many Times? (1)

wisnoskij (1206448) | about two weeks ago | (#47442915)

Really, so why does everyone suggest overwriting things like 6/8 times? Just to future proof it?

Re:"overwrites all files" How Many Times? (2)

jones_supa (887896) | about two weeks ago | (#47443155)

Simple: the need of multiple passes has just been a myth. People thought that it would be necessary, but it has now been proven that it isn't so.

Re:"overwrites all files" How Many Times? (1)

MightyMartian (840721) | about two weeks ago | (#47443725)

My understanding is that in the old days of 20MB hard drives, storage densities were sufficiently low that even after one pass someone might be able to recover the data with at least some degree of fidelity. Once we entered the world of gigabyte drives, densities are so high that it's all but impossible to recover any data after even a single pass wipe.

Re:"overwrites all files" How Many Times? (1)

jones_supa (887896) | about two weeks ago | (#47443797)

That might be it.

Re:"overwrites all files" How Many Times? (1)

lgw (121541) | about two weeks ago | (#47443641)

Back in the days of MFM drives (and the previous decades), it was needed. But that was because there was space on the media that wasn't actively used for bits, and so would leave traces. Such waste was eliminated long ago in the quest for ever-larger drives.

Re:"overwrites all files" How Many Times? (1)

InvalidError (771317) | about two weeks ago | (#47445369)

There is still a gap between tracks in today's drives; just nowhere near as much so whatever signal might be available on the fringes will be much weaker.

The real killer for PRML-based drives is that to cope with the amount of noise the head receives from nearby tracks, the coding itself relies on statistical analysis to reconstruct the data. Whatever signal might be on the fringe will be some blend of the old data under the current track, the new data, data on the tracks to either side, the previous data on the tracks to either side, etc. There may not be enough signal left in-between tracks after a full PRNG erase or two to recover anything useful.

Re:"overwrites all files" How Many Times? (1)

lgw (121541) | about two weeks ago | (#47451077)

Right - there's a physical gap, but there's no redundancy there, as there's no magnetic gap - in fact, as you noted, there's actually overlap needing cleverness to sort out on a normal read.

Re:"overwrites all files" How Many Times? (1)

InvalidError (771317) | about two weeks ago | (#47466379)

The overlap region between ideal track centers is still somewhat of a gap; albeit not a dead/silent one.

There will still be some residual information in there due to head deviations from the ideal path and when solving complex puzzles like reconstructing overwritten PRML blocks, every little extra hint counts.

I have little doubt it is possible to recover at least some data from PRML drives that have been erased once, maybe twice. But the process would probably require the precision and sensitivity of something like an atomic force microscope, which would be a "little" too much time and effort for the casual identity thief or creep.

Re:"overwrites all files" How Many Times? (0)

Anonymous Coward | about two weeks ago | (#47444377)

> Really, so why does everyone suggest overwriting things like 6/8 times? Just to future proof it?

Because SQUIDs [wikipedia.org]

Unsafe Advice (4, Informative)

bill_mcgonigle (4333) | about two weeks ago | (#47442643)

Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.

Re:Unsafe Advice (1)

swillden (191260) | about two weeks ago | (#47445269)

Any marginal blocks mapped out before you encrypt will remain unencrypted and may be available to a determined attacker. Same goes for hard drives, and SATA secure erase is not provably trustworthy. Always encrypt your storage before you put any data on it. If you do not trust your hardware AES to not be backdoored then use software crypto.

Yes, the safest approach is to enable encryption just after you get the device (after using it for a few minutes to accumulate some randomness in the Linux randomness pool, so you get a good key). If you don't, totally wiping it is more or less impossible, though the odds of anything significant surviving either the normal wipe or the encrypt & wipe (which probably won't actually do any more than the wipe) are pretty small.

take blank video (1)

Lawrence_Bird (67278) | about two weeks ago | (#47442869)

and use up all free space. repeat again. Assumes you are saving things to internal "sdcard" and not the external.

Re:take blank video (0)

Anonymous Coward | about two weeks ago | (#47463711)

Why use blank video? Fill it up with "Never Gonna Give You Up!" Or, if you're particularly devious, hello.jpg.

Just get an iPhone (-1)

Anonymous Coward | about two weeks ago | (#47443151)

Android is for chumps

Meanwhile in iOS land (1, Flamebait)

Mr_Silver (213637) | about two weeks ago | (#47443169)

In iOS, when the factory reset is performed the key is removed so when the phone is reset and tied to a new account a new key is generated which is unable to access the old content. I'd rather the content was erased first, just in case some exploit is uncovered that can get at that key, but it's better than what Android has.

To expect an Android user to know that they must first encrypt the phone then do a factory reset if they want their data actually erased is absurd. Does Google not share the same view as the public on what the phrase "factory reset" actually means?

This (along with the all or nothing approach to app permissions) is something Google's PHDs really need to sort out.

Re:Meanwhile in iOS land (1)

theraptor05 (908452) | about two weeks ago | (#47444267)

Oh, they have the individual permissions issue worked out - they accidentally released it through AOSP in ICS for a short time. Worked perfectly, you could disable any individual permission (and take your chances with apps crashing randomly), including the permissions that would let an app identify your phone for advertising use. Which is why they pulled the feature almost as soon as it got out - Google's business is ads, and anything that might upset their customers (hint, that's not the phone owner) is a bad thing.

Like I said the other day (0)

Anonymous Coward | about two weeks ago | (#47443237)

This should be a default feature, mandatory, and automated because the average user has no clue that their data can be stolen after a format. The last phone I sold, I encrypted>scrubbed>reset>scrubbed>encrypted>scrubbed>encrypted>scrubbed>reset>scrubbed

I know that may sound excessive, but I don't want some nutcase ending up with information like birthdays, kids cell, addresses, school, banking, schedule, and that's just the tip, but mainly, a lot of very kinky and perverted sexting with the old lady lol.

Dupe: Why is this even an article? (1)

tapi0 (2805569) | about two weeks ago | (#47443631)

The use of full encryption and wiping the key was commented on many times in the article http://yro.slashdot.org/story/... [slashdot.org] quoted in this piece. Even the original story was an advert for avast's app. Does this really now deserve a separate article?

Factory Reset (0)

Anonymous Coward | about two weeks ago | (#47443951)

This is probably a stupid question, but is everything recoverable after a factory reset?

the security myth (-1)

Anonymous Coward | about two weeks ago | (#47444127)

Everyone, turn on encryption! Everyone turn on two factor auth! Everyone have strong passwords....

In the end, it's all security by obscurity. You're either hiding keys, passcodes, or a method to get access. That's still obscurity by any means, just by an equation rather than by physically hiding something.

What else is new? (1)

WaffleMonster (969671) | about two weeks ago | (#47444151)

Whenever we take hard drives out of service we run a secure wipe if we are able to so they can be handed down.

There seem to be a few utilities in the app store to securely wipe storage; however, it would have been really nice if this was an option the user is presented with when wiping their device.

I personally wouldn't store anything worth protecting on a mobile phone (including device encryption keys). I don't trust myself not to screw it up... any passable security measure (linked to device key chain) would be way too cumbersome and annoying to have to constantly deal with at the unlock screen.

More importantly, I simply don't trust Android. Why is the keychain used to store VPN credentials, yet email, accounts, browsers, etc. all store passwords in the clear when the facility to punt responsibility to the keychain is right there? Seems to be either incompetence or intentional action; either way the result is the same -- I don't trust Android for anything.

LG -E612 (Android 4.1.2) has no Encryption? (0)

Anonymous Coward | about two weeks ago | (#47444177)

It's easy to say "Turn On Encryption", but I don't believe I have that function on the LG-E612 (Android 4.1.2).

Ya don't say... (0)

Anonymous Coward | about two weeks ago | (#47444707)

Also in the obvious department: water is wet. News at 11

all data is recoverable - unless you're the IRS (2)

phrackthat (2602661) | about two weeks ago | (#47444929)

"all data is recoverable"

Wanna bet? -- Lois Lerner

Clueless (1)

Swampash (1131503) | about two weeks ago | (#47445811)

You're using an operating system built by an advertising company and you expect privacy?

Just throw it in the blender... (1)

seanvaandering (604658) | about two weeks ago | (#47446445)

There - problem solved. Go ahead and decipher my phone dust.

I'd use encryption if... (2)

jtownatpunk.net (245670) | about two weeks ago | (#47447165)

...if it didn't force me to also use an alphanumeric password on my new phone. It's got a fingerprint scanner. I want to use that to unlock my phone. But that's disabled if I turn on encryption. Same with my new tablet. So no encryption for me on these devices. Both of my previous devices were content with a PIN which is considered as secure as the fingerprint scanner. Seems ridiculous that I can't determine the level of risk I'm comfortable with.

Still a problem .... (0)

Anonymous Coward | about two weeks ago | (#47447583)

Encrypted data is still retrievable. In 20 years, computers will be powerful enough to crack any encryption that android uses.

The better solution if you care about data is to get a Blackberry .... I did and I don't have to worry about it. Blackberrys have a built-in security wipe that does what wiping should do. In this day and age I can't believe people still trust their toys (Android and iOS).

Re:Still a problem .... (1)

coofercat (719737) | about two weeks ago | (#47447691)

The better solution is to use a Windows Phone. You can be sure no one will want to buy that on ebay ;-)

Re:Still a problem .... (1)

Blaskowicz (634489) | about a week ago | (#47486449)

A dirt-cheap, little-used phone more secure than Android? That feels like a good idea.

Re:Still a problem .... (1)

Blaskowicz (634489) | about a week ago | (#47486435)

What encryption is used? If there's no major flaw in the algorithm that can simplify the breaking by many orders of magnitude, and if compared to what we can break now the thing is 2^64 or 2^128 times harder to break (or some measure worse than that), good luck with that, even in 20 years.

Treat it like an old hard drive (0)

Anonymous Coward | about two weeks ago | (#47450755)

Fire up the drill press and run a 1/4 inch hole through the phone. This is the methodology that Qcom and others have used for decades to discard used hard drives, working or otherwise. Granted, on a phone you might actually have to hit the memory devices with the drill. And as others have said, if you are so hard up for 10 bucks from trading in your phone, you shouldn't be buying a new one!

Re:Treat it like an old hard drive (1)

Blaskowicz (634489) | about a week ago | (#47486501)

If everyone did the same to all things..
When you pack and move, tear down your house with a jackhammer, sledgehammer etc.
When you divorce, murder your wife.
When your Windows laptop is slow because of malware and lack of RAM, pour gasoline on it and set it on fire.
Broke a windshield, take your car to a junkyard and have it compressed to a very small cube.
After you had dinner, empty your fridge and flush everything you didn't eat in the toilet.
