What native Android encryption options should IT consider? - TechTarget

Posted: 18 Sep 2019 11:45 AM PDT

It's relatively easy to manage device encryption when there are only iOS devices in a mobile fleet.

Apple provides a single encryption standard across all of the iOS devices it manufactures. Android device encryption, however, depends on the version of Android the devices run, the OEM and device model, the hardware architecture and other factors.

IT professionals should learn about native Android encryption options to protect its mobile users without spending more for third-party encryption tools.

Android's device encryption history

Android has supported some form of device encryption for quite a while now, but the documentation of this encryption is incomplete. It's difficult to determine when Google first introduced Android OS encryption and what was encrypted, but Android has supported full-disk encryption (FDE) since at least Android 5.

FDE encodes all user data in the device's user data partition. To protect the data, Android applies a single encryption key, which is tied to the user's device password. Once IT enables the encryption, Android automatically encrypts user-created data before committing it to a disk. Android automatically decrypts the data before returning it to a calling process.

With the release of Android 6, the OS started to enforce FDE by default. However, FDE comes with a serious limitation: It protects all user data with a single credential. As a result, some features are not available if users reboot their devices, but do not unlock them with their passcode. For example, alarms do not work, and users cannot receive phone calls.

To address these limitations, Google introduced file-based encryption (FBE) in Android 7. FBE makes it possible to encode different files with different encryption keys, so users can unlock the files independently. At the same time, Google introduced new APIs to enable FBE, so OEMs had to design the devices to support them if they wanted FBE compatibility.

Each user on an FBE-enabled device has two available storage locations. The first is Credential Encrypted (CE) storage, the default location. CE storage is only available after the user unlocks the device, similar to traditional FDE storage.

The other location is Device Encrypted (DE) storage, which is available in one of two ways. The first option only decrypts the data after the user unlocks the device, as with CE storage. The other option decrypts the data during Direct Boot, a boot mode that enables encryption-aware apps to operate within a limited context without compromising most of the device's private information. Direct Boot makes it possible for users to carry out certain operations without unlocking their phones, such as receive phone calls or use their alarms.

In Android 9, Google added support for metadata encryption, which encodes any content not protected by FBE, such as permissions, file sizes or directory layouts. Android encryption uses a single key to encode the content at the time of a boot. IT pros can only enable metadata encryption when they first format the data partition, which means it only applies to new devices with hardware that provides an inline cryptoengine that can support metadata encryption.

In early 2019, Google introduced Adiantum encryption for devices with Android 9 or higher and CPUs that do not provide AES instructions. These tend to be low-end devices, with basic processors that do not include AES support. Adiantum encryption likely won't apply to enterprise devices.

In September 2019, Google released Android 10, which lacks support for FDE. For modern enterprise deployments, DE and CE storage are the best native Android encryption options for IT to deploy.

Best apps to share files securely: the best ways to share files safely - TechRadar

Posted: 18 Sep 2019 07:21 AM PDT

There are a lot of ways to share files online, but not so many ways to do so securely.

While many existing software platforms might offer additional features such as document password protection, it won't apply to every file or folder you may want to send. What's required is some form of end-to-end encryption to ensure any files shared remain private.

This can be obviously important for businesses, it hasn't ordinarily been seen as something important to ordinary home users - but the increasingly common hack attacks revealing personal and confidential data from even big brand companies mean that many people are now actively looking to protect their online information.

There are a number of methods available you could use directly, such as PGP and GPG which use public key cryptography, as well as SSH and SFTP, these are technical approaches most home users won't be familiar will and may struggle to implement themselves.

Therefore we'll look at existing popular apps and software that uses encryption by default, so that any information - and files - you send using these will stay protected and secured.

Here then are the best apps for sharing files securely:

1. pCloud Crypto

The best way to secure cloud storage

Cloud storage

Encryption applied

Reasonable prices

pCloud Crypto is a cloud storage service with a difference in that it uses encryption to add an extra layer of security to your backed-up files.

There doesn't appear to be any limit to the size of files you can upload to pCloud, so that makes it ideal not just for syncing files, but syncing large ones – and sharing them with whoever you want.

You can opt to pay for just cloud storage services, which cost just under $5 per month for 500GB, if paid annually. However, the company also offers a one-time lifetime charge of around $200, which could prove very cost-effective in the long-term.

The encrypted option is an additional feature, and costs another $5 per month, providing client-side encryption to password protect files as they speed across the net.

Another strength here is the wide range of supported devices, including Windows, macOS, Linux, iOS and Android hardware, plus there's a web platform to boot.

(Image credit: Enigmail)

2. Enigmail

The best way to secure emails

Plugin for Thunderbird

Encryption as standard

Requires Thunderbird

Mozilla may be famous for developing the Firefox broswer, but what many people overlook is that the company also provides the Thunderbird email client as a free alternative to Outlook to install on your PC.

It's both open source, and can be be installed on Windows, Apple, FreeBSD, and Linux machines.

That in itself would be good news, but it gets even better with the array of plugins available for it - and this includes the Enigmail plugin, which uses OpenPGP to encrypt and digitally sign emails that you send and receive.

The clear advantage here is that it means you don't have to learn your way around encryption protocols to create your own secure solution.

However, the obvious disadvantage is that you need to use Mozilla Thundrebird as an email client to gain the benefit of Enigmail.

(Image credit: Signal)

3. Signal

The best way to secure messages

Open source

Industry-leading encryption

Sparse interface

Signal is widely regarded as the gold standard of encrypted messaging apps, not least because its encryption engine is open source and available for anyone to inspect. That doesn't make it any easier to hack, but it does mean there are a lot more pairs of eyes looking at the robustness of the encryption methods.

Besides the industry-leading encryption on offer here, the app itself is fairly plain and basic in terms of visuals and appearance. It does support group chats though, as well as the sending of files and photos in addition to text, so you're going to be pretty well covered no matter what your needs.

Signal can replace the default SMS app if you want it to, but basic SMS texts aren't encrypted – you and the person you're chatting with both need to have Signal installed for the encryption feature to function properly, otherwise Signal doesn't have enough control over both ends of the conversation.

The app also includes several other useful features on top of the tight security, such as video calling, and disappearing messages that vanish after a certain time period (perfect for those conversations you don't want to stay on the record).

(Image credit: LastPass)

4. LastPass

The best password manager

Keep passwords secret

Keep passwords hidden

Requires shared devices

LastPass is an excellent service which stores all of your usernames and passwords in one place. One of its niftiest features is that you can choose to share a login – say, for Google Photos – via email.

Part of the beauty of LastPass is that if you choose you can allow your correspondent to log in and access files without them seeing the password. Your connection is also protected by SSL so there's very little chance anyone could connect to your data in the same way. In short, this is one of the most respected password managers out there, and with good reason.

(Image credit: Resilio)

5. Resilio Connect

The best file syncing solution

Peer-2-peer syncing

High performance

Not open source

Resilio Connect (formerly BitTorrent Sync) synchronises files using the BitTorrent protocol. The advantage of this is that instead of having to share files via a cloud service like Dropbox, files can be synced directly between two devices.

Provided both your device and your correspondent's are online, files can be shared in real-time and the connection is secured by 128-bit AES. BitTorrent is particularly good for sharing large files and folders as it was originally designed for that purpose. More devices can be added to share files with others if you wish.

The app is available for Windows, macOS, Linux, Android and iOS. The client is not open source so there's no easy way for security experts to check the code used for any vulnerabilities.

Search This Blog

Android Full Encryption