Protect your Android and still enjoy it

technology 2015-11-09
Just recently, the latest <a href="http://www.cyanogenmod.org" target="_blank">CyanogenMod</a> nightly began supporting encryption on my phone, <a href="https://jira.cyanogenmod.org/browse/CYAN-6670" target="_blank">even though the bugreport still says it's an open issue</a>. I don't mind. Anyway, this allowed me to finish a major project of mine: Protect the data on my phone, even in the case of a theft, while maintaining the ability to use the device conveniently. <b>The goal.</b> I want a strong disk encryption password, but i want a weak screen password or PIN, because unlocking the device is a frequent task. In such a scenario, it makes sense to implement an account lockout policy: In other words, we want the phone to shut down after, say, 3 failed attempts to unlock the screen. This prevents the screen password from being brute forced. Your device needs to be rooted to do everything I did. You will also need the <a href="http://developer.android.com/sdk/index.html" target="_blank">Android studio</a> if you want to do this properly, and it's a large download, you might as well start now. <span id="more-3513"></span> ##### Get Android to use two passwords The first order of business is to actually get Android to use two different passwords for the disk and the screen. This used to be very easy in Android 4, but I am running CM12.1, which is a mod of Android 5, and here it's not all that easy. Either way, I recommend making a full backup, maybe like this: ```bash @echo off set ADB="%AppData%\..\Local\Android\sdk\platform-tools\adb.exe" set DTE=%date:~-4%-%date:~3,2%-%date:~0,2% set TME=%time:~0,2%.%time:~3,2%.%time:~6,2% %ADB% backup -f "android-%DTE%.%TME%.ab" -system -shared -apk -all ``` Once you have a nice backup of your phone, the following should <i>in theory</i> work on Android 5. I say <i>in theory</i> because I do not exactly remember how I did it. I am sorry. * Set the screen password to what you want to use, I will assume it is the PIN `1234`. * Encrypt the phone: The encryption automatically uses your screen password. * As superuser on your phone, execute the following command: ```bash vdc cryptfs changepw password HEXPASS ``` Here, `HEXPASS` should be a secure 16 character password in hex. For example, if your password should be `swordfish`, then the hex version is `73776F726466697368`. In python, you can get this as `''.join('%X'%ord(a) for a in 'swordfish')`. This command changes the password for the disk encryption, but it should not affect your screen password. * If the return code is `200 0 0`, you are fine. If your return code is `200 0 -1`, enter the following: ```bash vdc cryptfs changepw pin 1234 ``` Omitting this bricks my phone because I get `200 0 -1` all the time. However, adding the above line would yield the result that I aimed for: The screen password remains the PIN `1234` and the boot password is now `swordfish`. ##### Implement the lockout policy This is not as easy as it might sound, though it is pretty easy because I already <a href="https://github.com/lichtkegel/SleepyKitty" target="_blank">wrote an app that does this for you and put it in the public domain</a>. Open that up in your Android Studio, look at the source code inquisitively and deduce that it is a whoppin' 80 lines of code, none of which will steal all your data or do any harm to your device. Compile it and enjoy the kitty. ##### Avoid as many sidechannels as possible It is time to think like an attacker. Some stuff is really obvious: * Disable USB debugging. * Set your phone to <b>charge only</b> when attached via USB. * Do not use quick unlock for your PIN. Otherwise, the sleepy kitty can't do its job. * Obviously, do not display notifications on your lockscreen and disable all widgets. And I think this is all. I hope I did not miss anything. If you can think of any more side channels, please tell me.

Tags: - - - - - - - -

5 Replies to “Protect your Android and still enjoy it”

  1. PS. You might also try to use <a href="https://play.google.com/store/apps/details?id=org.nick.cryptfs.passwdmanager" target="_tlank" rel="nofollow"> the cryptfs password app</a> to unlink screen password and disk password. I just found this.
    Reply
  2. Have you thought it submitting this project to f-droid? It'd be great to have it added to the repository and enjoy automatic updates.
    Reply
  3. I had not thought about it yet, but it might be a good idea. I never submitted anything to F-Droid, it might take me some time to figure that out. However, if I succeed, I will post an update. Thanks for the suggestion!
    Reply
  4. I've had the problem that data couldn't be unmounted because there were open files. The culprit is dalvik-cache. I "solved" the problem by executing 'while true; do adb shell umount /data/dalvik-cache; done' before pressing the encrypt phone button.
    Reply
  5. I have recently installed [LineageOS](https://download.lineageos.org), version `lineage-14.1-20170731-nightly`, on my phone. Everything still works, but with a slight modification that I found in [this GitHub thread](https://github.com/xmikos/SnooperStopper/issues/8): You now simply have to enter ```bash vdc cryptfs changepw passwod [PIN] [PASSWORD] ``` where `[PIN]` is your current screen PIN and `[PASSWORD]` is your desired, long, plaintext HD password. No more hex encoding. Technically, the syntax is ```bash vdc cryptfs changepw passwod [OLD-PASSWORD] [NEW-PASSWORD] ``` where `[OLD-PASSWORD]` is your current HD password and, well `[NEW-PASSWORD]` will be the new one. If you encrypted the phone while you had a PIN set for screen security, it will be the old password. I mention this because if you ever want to change your HD password later, the syntax changes accordingly.
    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Authors have copyrights. People say these things in footers.
All Hail the Great Yawgmoth, Father of Machines.