[liberationtech] secure wipe of flash memory

[Nathan of Guardian]

On 07/30/2012 08:09 AM, Matt Mackall wrote:
> About the only way to mitigate this is software full-device encryption.

Ha, well, now that this has been stated for the 100th time, can we stop
being theoretical and overall technical, and start getting practical?

The issue is that full-disk/device encryption on most consumer
smartphones, if it is available at all, is a) not on by default and b)
often does not work so well.

To me, this means a few things:

1) Training organizations must ensure that "How to activate full device
encryption" is a standard topic in the coming years (as the majority of
smartphones move to OSes like Android 4.x)

2) Training orgs must ensure that they teach people "How to smash a
smartphone into a thousand pieces using a heavy lamp and flush it down
the toilet" (true story, btw!) is taught as standard curriculum

3) App developers today who are building mobile software targeted to
high risk situations need to better ensure their data is always
encrypted by default, using something like GnuPG, SQLCipher or IOCipher,
or even just basic symmetric encryption of fields and files

4) App/Service developers must be careful about what data they store,
persists, sync, send into the default apps or storage on a smartphone
(i.e. SMS-based services, Photo Galleries, data collections apps using
SDCard, etc), as this is the most vulnerable to logical/physical extraction

BTW, there was a great talk at #HOPE9 by Cooper from Radical Designs, on
this very topic, among others. You can find the slides and video links here:
https://guardianproject.info/2012/07/19/from-hope9-your-cell-phone-is-covered-in-spiders-practical-android-security/

+n