[liberationtech] Android Full-Disk Encryption Cracked
Axel Simon
axelsimon at axelsimon.net
Mon Jun 10 15:00:46 PDT 2013
On 30/04/13 04:55, Tom Ritter wrote:
> Android *NEEDS* to allow a user to have a separate unlock screen
> password from the disk password. Most users are wholly unwilling to
> have a long screen unlock password, but willing to have a long boot
> password. They need to be decoupled. There is no technical reason
> this is not possible (as demonstrated) - it's just usability concerns
> and UI. This issue is at
> https://code.google.com/p/android/issues/detail?id=29468 and I
> encourage you to star it to vote for it.
This may come a bit late, but I feel it might be interesting to add that an app
has been developed to do just that:
EncPassChanger - https://github.com/kibab/encpasschanger
> This is an application for Android 4.0.3+, which allows to set disk encryption password different from lock screen password. Stock Android 4 firmware doesn't allow setting different screen lock and disk encryption passwords, and that either forces you to use weak password, or to type long secure password each time you unlock the screen of device. This application uses standard VDC calls to validate and set new password.
It's also on F-droid:
https://f-droid.org/repository/browse/?fdid=com.kibab.android.EncPassChanger
Lastly, Nathan's solution of combining a Yubikey (on a USB-OTG/Host cable) with
a short PIN is great and could still be used in combination with EncPassChanger.
Unfortunately, I can't vouch for it: I discovered with some disappointment that
my phone doesn't have USB-OTG (I would have thought it was standard on all
modern smartphones) and that some homebrew Android ROMs (a CyanogenMod
derivative in my case) don't have the Android encryption active.
axel
--
Axel Simon
----------
mail/jabber/gtalk: axelsimon at axelsimon.net
twitter / identi.ca: @AxelSimon