Android

Full disk encryption flaw could affect millions of Android users

When it comes to vulnerabilities and security, Google’s Android has never been in the good books of security experts or even its users to a great extent. Now, another vulnerability has surfaced that claims to leave millions of devices affected. Security expert Gal Beniamini has now revealed another flaw in Android encryption.

According to the DailyMail, the security researcher has said that Android devices with full disk encryption and powered by Qualcomm processors are at risk of brute force attacks wherein hackers can use persistent trial and error approach. Full disk encryption is on all devices running Android 5.0 onwards. It generates a 128-bit master key for a user’s password. The report adds that the key is stored in the device and can be cracked by malicious minds.

“Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE,” Beniamini explains.

A combination of things like Qualcomm processors verifying security and Android kernels are causing the vulnerability. Google along with Qualcomm is working at releasing security patches, but Beniamini said hat fixing the issue may require hardware upgrade.

“Full disk encryption is used world-wide, and can sometimes be instrumental to ensuring the privacy of people’s most intimate pieces of information. As such, I believe the encryption scheme should be designed to be as “bullet-proof” as possible, against all types of adversaries. As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” he adds.

Lately, encryption debate had taken centre stage when Apple refused to unlock an iPhone belonging to a terrorist involved in San Bernardino shooting. The FBI reportedly managed to break into the device without Apple’s help and is believed to have paid a whopping $13 million to do so.

How to encrypt iPhone and Android, and why you should do it now

Apple’s fight with the FBI may be over for the time being, but this high-profile fight about user privacy and state security may have puzzled some smartphone users. When is an iPhone or Android device encrypted? And how does one go about securing the data on them?

iPhone

It’s pretty simple actually: as long as you set up a password or PIN for the iPhone or iPad’s lockscreen, the device is encrypted. Without knowing the access code, nobody can unlock it, which means your personal data including photos, messages, mail, calendar, contacts, and data from other apps, is secured. Sure the FBI can crack some iPhones, but only if they’re included in criminal investigations, and only if the recent hacks work on all iPhones out there.

If you don’t use a lockscreen password, you should do it right away. Go to Settings, Touch ID & Passcode, tap on Turn Passcode On and enter a strong passcode or password.

As CNET points out, things are a bit more complicated on Android.

The newer the device, the easier it is to get it done. In this category, we have Nexus devices, the Galaxy S7 series, and other new handsets that ship with Android 6.0 preloaded. Just like with the iPhone, go to the Settings app to enable a security lock for the screen, and the phone is encrypted.

With older devices, the encryption procedure is a bit more complex, as you’ll also have to encrypt the handset manually. You’ll even have to do it with newer devices, including the Galaxy S6 and Moto X Pure. Go to Settings, then Security then Encrypt phone. While you’re at it, you may want to encrypt your microSD card as well, so data on it can be read on other devices – do it from the Security menu, then Encrypt external SD card. Once that’s done, you will still need to use a password for the lockscreen.

CNET says there are reasons you should consider not encrypting your Android device, like the fact that a device might take a performance hit when encrypted. The performance drop may be barely noticeable on new devices, but older models and low-end handsets could suffer.

Five free Android encryption tools for the paranoid user

Do your hats tend to fall into the tinfoil range? Are you afraid there is always somebody watching you? If so, rest assured that the Android ecosystem offers plenty of apps to soothe your paranoia. But which apps are the must-haves? Here are five apps you should immediately install and put to work. They’ll bring you peace in the knowledge that your mobile data is far more secure than those around you.

1: Orbot Proxy with Tor

Orbot Proxy with Tor (Figure A) is an open network that strives to prevent any form of data surveillance. Tor protects you by bouncing your communications around a distributed network run by volunteers around the globe. Not only does this help prevent prying eyes from spying on you as you use the internet, it also keeps sites from learning your physical location.

Figure A

To use Tor on Android, your best bet is Orbot Proxy with Tor. Once you have it installed and connected, it will encrypt all internet traffic leaving your device. This is the only app that produces a truly secure and encrypted connection for your Android device. If you are really paranoid, you need Orbot Proxy with Tor. It’s free… what do you have to lose?

2: CSipSimple

CSipSimple (Figure B) lets you do encrypted SIP calling via your Android device. It’s open source and free, and it offers an easy-to-use Wizard for setting up the app. You are required to have an account on a SIP server, and I highly recommend using Ostel. It works seamlessly and has its own wizard for setting up the SIP account within CSipSimple. Even the Ostel account is free—so the only cost associated with this will be any data usage from your provider. You can set up CSipSimple to only use Wi-Fi, to avoid any charges whatsoever. CSipSimple uses rewrite/filtering rules to integrate with Android and allows you to record calls.

Figure B

3: ChatSecure

ChatSecure (Figure C) offers free, unlimited encrypted chatting on your Android device. You can chat over Google Talk/Hangouts, Facebook Chat, Dukgo, Jabber, and more. ChatSecure claims 100% privacy using state-of-the-art Off the Record (OTR) encryption. If you’re concerned about ChatSecure being blocked, you can use it in conjunction with Orbot to circumvent all firewalls and monitors.

Figure C

With ChatSecure, setting up an OTR session is simple. When you start a chat with someone, you can first verify the contact and then start the encryption. This app isn’t perfect. You might run into instances where the encryption won’t start or the connection with Orbot isn’t made. But should either happen, you can restart the app and try again. It doesn’t occur often, but when you’re dealing with the need for 100% security, you don’t want to use the app without the aid of Tor.

4: K-9 Mail

K-9 Mail with APG (Figure D) encrypts email on your Android device. You must install both apps and set up APG, which will create a key pair to be used by K-9. Once you’ve created your key pair in APG, set up K-9 and it will automatically detect that you have APG installed and offer the option to sign and encrypt an outgoing email with a simple tap of a check box. This is by far the easiest means of getting encrypted email on your Android device.

Figure D

One thing to remember is that all encryption keys are handled with APG—which lets you import keys created from other sources (even searching for public keys from key servers). Both apps are free. Use K-9 in conjunction with Tor and you’ll enjoy even more security.

5: Built-in device encryption

This option is for those who want to ensure the privacy of their device should it fall into the wrong hands. This built-in encryption system (Figure E) works with all data—including app data, downloaded files… everything on your device. Of course, this level of security does come with its drawbacks.

Figure E

First, older (or lower-end) devices might see a hit on the performance. (Newer and flagship devices shouldn’t so much as hiccup with system-wide encryption.) Second, you’ll have to enter the encryption password on every startup of the device—but that’s a small price to pay for this level of security. Pay it and be safe. Also understand that once you’ve encrypted your Android device, the only way to disable the encryption is to do a factory reset. Note: Android Lollipop defaults to device encryption.

Topping the list

Do you already feel more secure? You should. Each of these apps does a great job of keeping your data away from prying eyes. But if you only have time for one of these tools, I’d highly recommend Orbot Proxy with Tor. It will ensure all of your device traffic is routed through a far more secure network.

How to recover a saved Wi-Fi password on Android within minutes?

Every now and then you end up with a blanked face when a friend visits your place and tries to connect to your Wi-Fi, while you cannot seem to recall the password, since most default passwords are a combination of letter and numbers.

While you feel rather helpless, you need to know that there are certain ways thanks to which you can retrieve the password within minutes, accessible via PC and rooted Android devices.

First up, let’s take a look at how it is done via PC.

1. On the desktop, look up the Wi-Fi signal present in the bottom-right corner of your screen, next to the time and date. Click on the icon, and a pop-up should appear where you ought to click “Open Network and Sharing Center.”

2. The center should open and under your active networks, you should see the Wi-Fi you are connected to. Click, and a new window, named Wi-Fi Status would open.

3. In the window, click on the Wirless Properties button, and you should land at another window, the last one.

4. A new window, named TitanGate Wirless Network Properties would open, featuring two tabs; connection, and security. Choose the latter, and you should land on the screen from where you can retrieve your password.

5. The network security key holds your password, although it is hidden, showing asterisks. Check the show characters box, and you are done.

In case you happen to have the Wi-Fi saved on your Android device only, and not your PC, you could still retrieve it without having to worry much. However, you need to have a rooted device to be able to retrieve your password. If you happen to have one, follow these simple steps, and you should be able to get the job done with ease.

1. Make your way to the Google Play Store, and get your hands on any root explorer. If you wish to go by our word, we suggest you download Root Browser which is available for free.

2. Once the installation completes, open the app and you should be exposed to a list of folders.

3. Head to data > misc. > Wi-Fi.

4. In the Wi-Fi folder, look up, and open the file named “wpa_supplicant.conf”

5. When prompted, choose the RB Text Editor to view the file.

6. In the following screen, you would be exposed to cryptic codes, where you ought to look out for the Wi-Fi.

7. It should be under “network={“ with the ssid signifying the Wi-Fi you are connected to, and the psk being the password.