Protect your Android and still enjoy it

Just recently, the latest CyanogenMod nightly began supporting encryption on my phone, even though the bugreport still says it's an open issue. I don't mind. Anyway, this allowed me to finish a major project of mine: Protect the data on my phone, even in the case of a theft, while maintaining the ability to use the device conveniently. The goal. I want a strong disk encryption password, but i want a weak screen password or PIN, because unlocking the device is a frequent task. In such a scenario, it makes sense to implement an account lockout policy: In other words, we want the phone to shut down after, say, 3 failed attempts to unlock the screen. This prevents the screen password from being brute forced. Your device needs to be rooted to do everything I did. You will also need the Android studio if you want to do this properly, and it's a large download, you might as well start now. ##### Get Android to use two passwords The first order of business is to actually get Android to use two different passwords for the disk and the screen. This used to be very easy in Android 4, but I am running CM12.1, which is a mod of Android 5, and here it's not all that easy. Either way, I recommend making a full backup, maybe like this:
@echo off
set ADB="%AppData%\..\Local\Android\sdk\platform-tools\adb.exe"
set DTE=%date:~-4%-%date:~3,2%-%date:~0,2%
set TME=%time:~0,2%.%time:~3,2%.%time:~6,2%
%ADB% backup -f "android-%DTE%.%TME%.ab" -system -shared -apk -all
Once you have a nice backup of your phone, the following should in theory work on Android 5. I say in theory because I do not exactly remember how I did it. I am sorry. * Set the screen password to what you want to use, I will assume it is the PIN 1234. * Encrypt the phone: The encryption automatically uses your screen password. * As superuser on your phone, execute the following command:
vdc cryptfs changepw password HEXPASS
Here, HEXPASS should be a secure 16 character password in hex. For example, if your password should be swordfish, then the hex version is 73776F726466697368. In python, you can get this as ''.join('%X'%ord(a) for a in 'swordfish'). This command changes the password for the disk encryption, but it should not affect your screen password. * If the return code is 200 0 0, you are fine. If your return code is 200 0 -1, enter the following:
vdc cryptfs changepw pin 1234
Omitting this bricks my phone because I get 200 0 -1 all the time. However, adding the above line would yield the result that I aimed for: The screen password remains the PIN 1234 and the boot password is now swordfish. ##### Implement the lockout policy This is not as easy as it might sound, though it is pretty easy because I already wrote an app that does this for you and put it in the public domain. Open that up in your Android Studio, look at the source code inquisitively and deduce that it is a whoppin' 80 lines of code, none of which will steal all your data or do any harm to your device. Compile it and enjoy the kitty. ##### Avoid as many sidechannels as possible It is time to think like an attacker. Some stuff is really obvious: * Disable USB debugging. * Set your phone to charge only when attached via USB. * Do not use quick unlock for your PIN. Otherwise, the sleepy kitty can't do its job. * Obviously, do not display notifications on your lockscreen and disable all widgets. And I think this is all. I hope I did not miss anything. If you can think of any more side channels, please tell me.

5 Replies to “Protect your Android and still enjoy it”

  1. Have you thought it submitting this project to f-droid? It'd be great to have it added to the repository and enjoy automatic updates.
  2. I had not thought about it yet, but it might be a good idea. I never submitted anything to F-Droid, it might take me some time to figure that out. However, if I succeed, I will post an update. Thanks for the suggestion!
  3. I've had the problem that data couldn't be unmounted because there were open files. The culprit is dalvik-cache. I "solved" the problem by executing 'while true; do adb shell umount /data/dalvik-cache; done' before pressing the encrypt phone button.
  4. I have recently installed [LineageOS](, version lineage-14.1-20170731-nightly, on my phone. Everything still works, but with a slight modification that I found in [this GitHub thread]( You now simply have to enter
    vdc cryptfs changepw passwod [PIN] [PASSWORD]
    where [PIN] is your current screen PIN and [PASSWORD] is your desired, long, plaintext HD password. No more hex encoding. Technically, the syntax is
    vdc cryptfs changepw passwod [OLD-PASSWORD] [NEW-PASSWORD]
    where [OLD-PASSWORD] is your current HD password and, well [NEW-PASSWORD] will be the new one. If you encrypted the phone while you had a PIN set for screen security, it will be the old password. I mention this because if you ever want to change your HD password later, the syntax changes accordingly.

Leave a Reply

Your email address will not be published. Required fields are marked *