Encryption of external SD memory card. Protecting data on phones and tablets


The recent debate in the US between law enforcement and tech giants over smartphone encryption has once again brought this issue into the spotlight. No one will argue that protecting your personal data is an important topic, so we're happy to tell you that Android offers the necessary tools to encrypt your smartphone right out of the box. If you're interested and want to know where to start, this guide will tell you how to encrypt your Android smartphone or tablet.

What is device encryption and what does it do?
Before you encrypt your device, it makes sense to understand what encryption is and what the pros and cons of this solution are.

Device encryption is not a one-size-fits-all solution for protecting all of your data from prying eyes, especially data sent over the Internet. Instead, device encryption converts all data stored on the phone into a form that can only be read with the correct credentials. This provides better security than a password lock alone, because on an unencrypted device the data can be obtained without going through the lock screen, using recovery programs, bootloaders or the Android Debug Bridge.

Encrypted music, photos, apps, and credentials cannot be read without first decrypting the information, which requires a unique key. Part of the procedure happens behind the scenes: the user's password is converted into a key, which is stored in the "Trusted Environment" so that it remains inaccessible to third parties in the event of a software attack. This key is required to encrypt and decrypt files.

Android makes encryption simple from the user's perspective: you enter your passcode whenever you unlock your device, and your files become accessible. This means that if your phone falls into the wrong hands, no one else will be able to read the data on it without knowing the password.

And before you dive headfirst into encryption, there are a few things you should consider. First, opening encrypted files requires additional processing power, so encryption will impact your phone's performance. Memory read speeds may become significantly slower on older devices, but the performance hit for the vast majority of regular tasks remains very small, if noticeable at all.

Secondly, only some smartphones offer the option to remove encryption again. For most smartphones and tablets, encryption is a one-way step. If your phone does not offer the ability to decrypt its data, the only way to fully roll back is to return to factory settings, which erases all of your personal data. Check this point in advance.

Having understood the situation, let's see how to enable encryption.

Encrypting my device

Device encryption works the same on all Android devices, although the methods used to implement it may change slightly over time. Some devices come with active encryption out of the box, including the Nexus 6 and Nexus 9, and if your device isn't encrypted, it's very easy to do so using Android.

Android 5.0 or higher...

For Android smartphones and tablets running Android 5.0 or later, you can go to the Security menu under Settings. The path here may vary slightly depending on your OEM, but with stock Android you'll find encryption under Settings > Personal > Security.


Here you should see an option to Encrypt Phone or Encrypt Tablet. You'll be prompted to plug your device into a charger while encryption is happening to make sure your phone doesn't turn off during the process, causing errors. If you haven't already done so, you'll be prompted to set a screen lock PIN or password, which you'll need to enter when you turn on your smartphone to access your encrypted files. Be sure to remember your password!

Android 4.4 and older...

If you are using a smartphone running Android 4.4 KitKat or older, you must set a PIN or password before starting the encryption process. Fortunately, this is not difficult: go to Settings > Security > Screen Lock. Here you can choose a pattern, a PIN or a mixed password to lock the screen. You will use the same password after encryption, so choose it carefully.

Once you're done with this, you can return to the Security menu and click "Encrypt phone." You'll need to plug your device into a charger and read warning messages, and you'll almost always have to confirm your PIN or password one last time for the encryption process to begin.


Encrypting your phone may take an hour or more, depending on how powerful your smartphone is and how much data is stored on it. Once the process is finally completed, you can enter your PIN and continue working with your encrypted device as if nothing had happened.

Once you return to the Security menu, you'll also likely see an option to encrypt the files on your MicroSD card. This is a recommended step if you want to keep all your data safe, but not really necessary if you only use the MicroSD card to store music or movies of no personal value.

This decision comes with several caveats. Firstly, you will no longer be able to use the MicroSD card with other devices without completely deleting the encrypted data, since other computers and devices will not know the encryption key. And while an encrypted MicroSD card can still be used to move files, this only works as long as you access the encrypted files from the phone that encrypted them. Additionally, if you reset your device before decrypting your files, the key will be lost and you will not be able to access the protected files on your MicroSD card. So think the situation through carefully.

When you've finished...

That's all you really need to encrypt your Android device. This is a great way to protect your data much more securely. There is a minor trade-off in terms of performance, but any differences should be very difficult to notice on modern mobile phones.


Additional options with third-party applications

If you don't want to go through the encryption wringer on all of your device's data, there are a small number of Android apps in the Google Play store that offer a variety of selective features, including encrypting a single file, text, or folder.

SSE – Universal Encryption Application
SSE has been on this market for quite a long time and still seems to receive small updates. Instead of encrypting the whole phone, SSE can be used to encrypt and decrypt individual files or directories if you want to protect a few items selectively. You set a password that serves as the decryption key, and you can either create encrypted copies of files or replace the originals entirely.

The app also has a text encryptor and a password vault. The text encryptor can be used to store encrypted notes that can be shared across platforms. The vault is designed to store and manage all your passwords, PINs, and notes in one secure place, protected by a master password; it works similarly to LastPass.

Final Thoughts
Considering the amount of sensitive personal information we keep on our mobile devices today, including banking details, encrypting Android devices is a smart decision. There are quite a few options that provide varying levels of security, from Android's device-wide encryption to apps dedicated to encrypting specific files. Keep in mind that encryption doesn't provide complete protection against everything, but it does offer excellent protection in case your device is stolen.

The format doesn't kill cards. Death occurs randomly and during random operations with data. It’s just that people everywhere are trying to find connections, create a chain of events.

I’m not an expert, I can’t say for sure, perhaps at that time there was a problem with the card itself.

But I know for sure that my card died after it was formatted by a smartphone, and after:


Cards are divided into three categories: Micro SD, Micro SDHC and Micro SDXC. Micro SD cards can have a maximum capacity of 2 GB, Micro SDHC from 4 GB to 32 GB (now widely used) and Micro SDXC from 64 GB to 2 TB (theoretically; in practice, at the moment there are 64 GB and 128 GB cards). Cards differ not only in memory capacity, but also in file system. For example, Micro SD uses FAT, Micro SDHC uses FAT32, and Micro SDXC is theoretically only exFAT (in reality this is not the case). In addition, the user's card reading device must support a certain type of card. The situation is simple: if a device supports SDXC cards, then it also supports the earlier generations - SD and SDHC.

Recently, quite a lot of Micro SD cards with a capacity of 64 GB have appeared, but unfortunately, most Android smartphones do not officially support Micro SD cards with a capacity of more than 32 GB. In fact, the smartphone is able to read a 64 GB card and work with it correctly if you carry out simple steps with the card before installation. All well-known manufacturers of Micro SDXC cards initially format them into the exFAT system, since this is the system designed for large-capacity cards. Since this system was created by Microsoft, Android smartphone manufacturers must buy the rights to use it in order for the smartphone to be able to work with this system. Companies are still reluctant to incur extra costs, and therefore very few devices support the exFAT system on memory cards, and they work with the FAT32 system. For your smartphone to work with a 64 GB card, you just need to format it to FAT32. But it turns out that this is not entirely easy to do. The fact is that the FAT32 system itself theoretically only supports media (cards, partitions, etc.) up to 32 GB, but in practice it can work very well with media up to 64 GB. The only problem that you may encounter is a slight loss of speed when reading/writing from the card, but it will be almost unnoticeable. Next, we will look at how to CORRECTLY format a Micro SDXC card into the FAT32 system, so that a smartphone that does not support this type of card will see it and the card will NOT FAIL AFTER SOME TIME.

1. An SDXC CARD CAN ONLY BE FORMATTED IN A DEVICE THAT SUPPORTS THIS TYPE OF CARD. I.e. your card reader must support Micro SDXC cards (or SDXC if you insert the card through an adapter). Under no circumstances should you format 64 GB cards in a smartphone that only supports a 32 GB card! Otherwise, your card will fail within a period of 1 day to several months. If you don't have a card reader that supports SDXC, you can purchase one separately.

So, format the SDXC card ONLY in a device that supports SDXC.

2. Since most users have the Windows operating system installed on their computer, we will consider the formatting option from it. If you have a Windows XP operating system, be sure to install an update on it that supports the exFAT file system. Windows 7 and Windows 8 already have this support.

3. It is possible that when you insert a new card into the card reader, Windows will display a message that the card is not formatted. In this case, first format it using the SDFormatter utility to exFAT.

4. Using the standard Windows method, formatting a 64 GB card into the FAT32 file system will not work, so we will use the Guiformat utility.

The program is specifically designed for formatting media larger than 32 GB into the FAT32 file system. If the utility gives an error before formatting, follow step 3 (first format with SDFormatter), which is still better to do. ATTENTION! In order for the smartphone to correctly see Micro SDXC, select the cluster size of 32 KB! It is better to use quick formatting (Quick); there is no need to perform a full one.

5. If you have done everything strictly in accordance with the above recommendations, then your card is ready. Your Android smartphone will see it and show the correct volume of 59.XX GB. You can work with the card, write/read files, but NEVER FORMAT it in your smartphone. The card will serve you faithfully for a long time.

It has been in use there for several years now and there are no problems.

4 hours ago, Reanimax said:

There is only one thing you can do. If the data is valuable to you, duplicate it: duplicate the data, duplicate the media, whichever option is convenient for you.

Unfortunately, at that time it was not expected that such a situation could happen.

Edited December 25, 2017 JEI-DI
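An added sanity check, not part of the post above, for the FAT32 layout the formatting steps describe: it computes the cluster count a card would get at a given cluster size, checks it against the limits of the FAT32 format itself (the 32 GB ceiling in the Windows format dialog is a policy limit, not a format limit), and shows why a "64 GB" card is reported as roughly 59.6 GiB. It assumes 512-byte sectors, two FAT copies and 32 reserved sectors; the function names are hypothetical.

```python
"""Added example: is a FAT32 volume of this size and cluster size valid?
Card capacities are decimal (1 GB = 10^9 bytes); the phone reports binary GiB.
Assumed: 512-byte sectors, two FAT copies, 32 reserved sectors."""

SECTOR = 512
FAT32_MIN_CLUSTERS = 65_525       # fewer than this and the volume is FAT16 by definition
FAT32_MAX_CLUSTERS = 0x0FFFFFF5   # largest cluster number 28-bit FAT32 entries allow
MAX_CLUSTER_BYTES = 32 * 1024     # Microsoft's FAT spec: never exceed 32 KB per cluster
MAX_TOTAL_SECTORS = 0xFFFFFFFF    # the total-sectors field in the boot sector is 32-bit


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def fat32_layout(card_bytes: int, cluster_bytes: int,
                 reserved_sectors: int = 32, fats: int = 2) -> dict:
    """Compute the cluster count a FAT32 volume of this size would have,
    or explain why such a volume is invalid."""
    if cluster_bytes % SECTOR or cluster_bytes & (cluster_bytes - 1):
        return {"ok": False, "reason": "cluster size must be a power-of-two multiple of 512"}
    if cluster_bytes > MAX_CLUSTER_BYTES:
        return {"ok": False, "reason": "clusters above 32 KB violate the FAT spec; devices may reject the card"}
    total_sectors = card_bytes // SECTOR
    if total_sectors > MAX_TOTAL_SECTORS:
        return {"ok": False, "reason": "more sectors than the 32-bit total-sectors field can hold"}
    spc = cluster_bytes // SECTOR
    # Each FAT entry is 4 bytes and two entries are reserved, so solve
    #   reserved + fats * ceil(4 * (clusters + 2) / 512) + clusters * spc <= total
    clusters = (total_sectors - reserved_sectors) * SECTOR // (spc * SECTOR + fats * 4)
    fat_sectors = ceil_div(4 * (clusters + 2), SECTOR)
    while reserved_sectors + fats * fat_sectors + clusters * spc > total_sectors:
        clusters -= 1
        fat_sectors = ceil_div(4 * (clusters + 2), SECTOR)
    if clusters < FAT32_MIN_CLUSTERS:
        return {"ok": False, "reason": f"{clusters} clusters is below the FAT32 minimum; use smaller clusters"}
    if clusters > FAT32_MAX_CLUSTERS:
        return {"ok": False, "reason": f"{clusters} clusters exceeds the FAT32 maximum; use larger clusters"}
    return {
        "ok": True,
        "clusters": clusters,
        "fat_bytes_per_copy": fat_sectors * SECTOR,
        "usable_gib": round(clusters * cluster_bytes / 2 ** 30, 2),
    }


def shown_capacity_gib(marketed_gb: int) -> float:
    """What a phone reports, in binary GiB, for a card sold as N decimal GB."""
    return round(marketed_gb * 10 ** 9 / 2 ** 30, 2)


if __name__ == "__main__":
    print(fat32_layout(64 * 10 ** 9, 32 * 1024))   # valid: about 1.95 million clusters
    print(fat32_layout(2 * 10 ** 9, 32 * 1024))    # too few clusters for FAT32 at 32 KB
    print(shown_capacity_gib(64))                  # 59.6
```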

Google first allowed Android devices to be encrypted in Android Gingerbread (2.3.x), but the feature has undergone some significant changes since then. On some smartphones running Lollipop (5.x) and higher, encryption is enabled out of the box, while on some older or budget devices you will have to enable it yourself.

Why you might need to encrypt your Android device

Encryption stores your phone data in an unreadable form. For the low-level encryption functions, Android uses dm-crypt, the standard disk encryption system in the Linux kernel; the same technology is used in various Linux distributions. When you enter a PIN, password, or pattern on the lock screen, the phone decrypts the data, making it readable. Anyone who does not know the PIN code or password will not be able to access your data. On Android 5.1 and higher, encryption does not require a PIN or password, but one is highly recommended, since without it the encryption is far less effective.
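As an added illustration (not code from any of the guides collected here) of the key handling described in this section and in the earlier passage on turning the password into a key: a random master key encrypts the storage sector by sector, and the lock-screen credential only unwraps that master key, which is why changing the credential does not re-encrypt the data. Assumptions: HMAC-SHA256 in counter mode stands in for the AES stream cipher dm-crypt would use, scrypt stands in for the credential KDF, and all class and function names are hypothetical.

```python
"""Added example, not Android's own code: a model of password-protected
full-disk encryption key handling. Stand-ins (assumed): HMAC-SHA256 in
counter mode instead of AES, scrypt as the credential KDF."""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32
NONCE_LEN = 16


def derive_kek(credential: str, salt: bytes) -> bytes:
    # Deliberately slow KDF: every guess at a short PIN costs real time.
    return hashlib.scrypt(credential.encode(), salt=salt, n=2 ** 14, r=8, p=1,
                          dklen=KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i). Stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_master_key(master: bytes, kek: bytes) -> bytes:
    # Blob layout: nonce || master XOR keystream || MAC. The MAC is what lets us
    # reject a wrong credential instead of returning garbage key material.
    nonce = os.urandom(NONCE_LEN)
    ct = xor_bytes(master, keystream(kek, nonce, KEY_LEN))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_master_key(blob: bytes, kek: bytes) -> Optional[bytes]:
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong credential
    return xor_bytes(ct, keystream(kek, nonce, KEY_LEN))


class EncryptedVolume:
    """Sector-addressed encrypted storage guarded by a wrapped master key."""

    def __init__(self, credential: str):
        self.salt = os.urandom(NONCE_LEN)
        master = os.urandom(KEY_LEN)           # never stored in the clear
        self.wrapped = wrap_master_key(master, derive_kek(credential, self.salt))
        self.sectors = {}                      # sector number -> ciphertext

    def unlock(self, credential: str) -> Optional[bytes]:
        return unwrap_master_key(self.wrapped, derive_kek(credential, self.salt))

    def write(self, master: bytes, sector: int, data: bytes) -> None:
        # As with dm-crypt's per-sector IV, the sector number is the nonce.
        nonce = sector.to_bytes(NONCE_LEN, "big")
        self.sectors[sector] = xor_bytes(data, keystream(master, nonce, len(data)))

    def read(self, master: bytes, sector: int) -> bytes:
        ct = self.sectors[sector]
        nonce = sector.to_bytes(NONCE_LEN, "big")
        return xor_bytes(ct, keystream(master, nonce, len(ct)))

    def change_credential(self, old: str, new: str) -> bool:
        master = self.unlock(old)
        if master is None:
            return False
        self.salt = os.urandom(NONCE_LEN)
        self.wrapped = wrap_master_key(master, derive_kek(new, self.salt))
        return True  # no data sector was touched: only the wrapping changed


if __name__ == "__main__":
    vol = EncryptedVolume("1234")
    key = vol.unlock("1234")
    vol.write(key, 7, b"contacts.db")
    print(vol.unlock("0000"))                  # None: wrong PIN
    vol.change_credential("1234", "longer passphrase")
    print(vol.read(vol.unlock("longer passphrase"), 7))
```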

Encryption protects sensitive data on your phone. For example, corporations with sensitive business data on company phones want to use encryption (with a secure screen lock) to protect the data from industrial espionage. An attacker will not be able to access the data without the encryption key, although there are advanced hacking methods that make this possible.

The average user thinks that he does not have any important information. If your phone is stolen, the thief will have access to your email, your home address and other personal information. I agree, most thieves will not be able to access personal information if a regular unlock code is installed on the smartphone, even without encryption. And most thieves are interested in selling your device, not your personal data. But it never hurts to protect your data.

What you need to know before encrypting your Android device

Most new devices have encryption enabled by default. If you have just such a device, then you will not be able to disable encryption. But, if you are using a gadget in which encryption is not enabled, then before using this function you should know the following:

  • Slower operation: Once data is encrypted, it will need to be decrypted each time the data is accessed. Therefore, you may see a slight drop in performance, although this is not noticeable at all for most users (especially if you have a powerful phone).
  • Disable encryption: If you enable encryption, the only way to turn it off is to reset it to factory settings.
  • If the device has root rights, then they need to be removed: If you try to encrypt an Android device that has root permissions, you will encounter some problems. You need to first remove root rights, encrypt the device and gain superuser rights again.

This does not mean that we are discouraging you from encryption; we are only trying to explain all the nuances of the process.

How to enable encryption on Android

Before you start, there are a few things to know:

  • Encrypting your device may take an hour or more.
  • The device must be charged at least 80%, otherwise Android simply will not perform the encryption process.
  • Your device must be turned on during the entire process.
  • If your device is rooted, be sure to remove it before continuing!

Make sure you have enough time and battery charge. If you interrupt the encryption process or stop it yourself, you can lose all your data. Once the process begins, it's best to just leave the device alone and let it do its thing.

Open the menu, go to settings and click on “Security”. Please note that this item may have different names on different devices. Some devices also allow you to encrypt the SD card, but by default only the internal memory will be encrypted.

If the device is not yet encrypted, you can click on the “Encrypt device” option to begin the encryption process.

The next screen shows a warning so that you know what to expect after the process is finished. Most of these points have already been described in this article. If you are ready to continue, click the “Encrypt device” button.

Another warning will appear asking if you really want to encrypt the device. If you have not changed your mind, then click on “Encrypt device”.

After this, the phone will reboot and the encryption process will begin. The progress bar and the time until the operation is completed will show how long you will be without your phone.

After the process is completed, the phone will reboot and you can use it again. You will need to enter your screen unlock password or PIN to complete the boot process. If you did not have an unlock password or PIN enabled, the system will prompt you to set one before encrypting your Android device. To do this, go to Settings -> Security -> Screen lock and select the lock type.

Please note that even if you have a fingerprint scanner set up, you still need to set a password, PIN code, or pattern, since that is what is used to unlock the device on first boot.

From now on, your device will be encrypted, but if you want to disable encryption, you can do so by performing a factory reset. If you have encryption enabled out of the box, then you can no longer disable it, even through a factory reset.

Protecting data on phones and tablets based on Android

Zhangisina G. D., D.P.N., Professor (gul_zhd@mail.ru),

Rakhmetullaeva E.A., 3rd-year student, specialty “5B011900 - Radio engineering, electronics and telecommunications”,

Urumkhanova A.M., 1st year master’s student, specialty “Jurisprudence”,

Central Asian University, Almaty

If you use a graphic key to access your phone, then 99% of the time this is enough to ensure that no one can access the information on your phone without your knowledge. If the data on your phone is very sensitive, then you should use the phone's built-in full encryption feature. Today, almost all smartphones have become carriers of important personal or corporate data. Through the owner's phone, one can also easily access his accounts, such as Gmail, DropBox, FaceBook and even corporate services. Therefore, to one degree or another, it is worth caring about the confidentiality of this data and using special means to protect the phone from unauthorized access in the event of its theft or loss.

What information is stored on the phone and why protect it?

A smartphone or tablet often serves as a mobile secretary, freeing the owner’s head from storing a large amount of important information. The phone book contains numbers of friends, co-workers, and family members. Credit card numbers, access codes, passwords for social networks, email and payment systems are often written in the notebook. The list of recent calls is also very important. Losing your phone can be a real disaster. Sometimes phones are stolen specifically to pry into the owner's personal life or to profit at the owner's expense. Sometimes they are not stolen at all, but used for a short time, unnoticed, and a few minutes is quite enough for an experienced malicious user to find out all the details. The loss of confidential information can turn into financial ruin, the collapse of a personal life, the breakup of a family. “It would have been better if I had never had it!” the former owner will say. “It’s so good that you had it!” the attacker will say.

What is at risk:

Accounts. This includes, for example, access to your Gmail inbox, and to Facebook, Dropbox and Twitter if you have set up synchronization with them. Logins and passwords for these systems are stored in clear text in the phone profile folder /data/system/accounts.db. The history of SMS correspondence and the phone book also contain confidential information.

Web browser. The entire browser profile must be protected. It is known that the web browser (built-in or third-party) remembers all passwords and logins for you. This is all stored in open form in the program profile folder in the phone’s memory. Moreover, the sites themselves usually (using cookies) remember you and leave access to your account open, even if you did not ask to have the password remembered. If you synchronize a mobile browser (Chrome, Firefox, Maxthon, etc.) with the desktop version of the browser to transfer bookmarks and passwords between devices, then we can assume that from your phone one can access all your passwords for other sites.

Memory card. You may store confidential files on your memory card or download documents from the Internet to it. Typically, photos and videos you take are stored on a memory card.

Who should you protect your phone data from?

From a random person who finds your lost phone, or from an “accidental” theft of the phone. It is unlikely that the data on the phone will be of value to the new owner in this case, so even simple graphic key protection will ensure data safety. Most likely, the phone will simply be reformatted for reuse. From prying eyes (co-workers/children/wives) who can gain access to your phone without your knowledge, taking advantage of your absence. Simple protection will ensure the safety of your data.

Providing forced access

It happens that you are forced to hand over your phone and open access to the system (information) voluntarily. For example, when your wife, a government official, or an employee of the service center where you took the phone for repair asks to look at your phone. In this case, any defense is useless. Although it is possible, using additional programs, to hide the fact that some information is present: hide part of the SMS correspondence, part of the contacts, some files.

From targeted theft of your phone

For example, someone really wanted to know what was on your phone and made an effort to get it. In this case, only full encryption of the phone and SD card helps.

Built-in data protection on Android devices.

1. Lock screen with Pattern Key.

This method is very effective in the first and second cases (protection against accidental loss of your phone and protection from prying eyes). If you accidentally lose your phone or forget it at work, no one will be able to use it. But if your phone purposefully fell into the wrong hands, then this is unlikely to save you. Hacking can even occur at the hardware level. The screen can be locked with a password, PIN code or Pattern Key. You can select the locking method by opening the settings and selecting the Security -> Screen lock section. Pattern is the most convenient and at the same time reliable way to protect your phone. The available options are:

None - no protection.

Slide - to unlock, you need to slide your finger across the screen in a certain direction.

Pattern - a Graphic Key drawn across a grid of dots.

You can improve security in several ways.

1. Increase the Graphic Key input field. It can vary from 3x3 dots on the screen to 6x6 (found in some models from Android 4.2, depending on the Android version and phone model).

2. Hide the display of the dots and the “path” of the graphic key on the smartphone screen so that it is impossible to peek at the key.

3. Set the screen to lock automatically after 1 minute of inactivity on the phone.

Attention! What happens if you forget your graphic key?

The number of incorrect attempts to draw a Graphic Key is limited to 5 (on some phone models the number of attempts can be up to 10). After you have used all your attempts without drawing the Pattern correctly, the phone is locked for 30 seconds. After this, you will most likely get a couple more attempts, depending on your phone model and Android version. Next, the phone requests the login and password of the Gmail account registered in the phone’s Accounts settings. This method will only work if your phone or tablet is connected to the Internet. Otherwise you are stuck, or must reset the phone to factory settings. It happens that the phone falls into the hands of a child, who starts playing, draws the key many times, and this leads to the key being blocked.

PIN is a password consisting of several digits.

Password is the most reliable protection, with the ability to use letters and numbers. If you decide to use a password, then you can enable the Phone encryption option.

Encryption of phone memory.

The function is included in the Android package version 4.0* and higher for tablets, but it may be missing in many budget phones. It allows you to encrypt the phone's internal memory so that it can only be accessed with a password or PIN code. Encryption helps protect the information on your phone in case of targeted theft. There is no way that attackers will be able to access your data from your phone. A prerequisite for using encryption is to set a screen lock using a password. This method protects user data located in the phone’s memory, for example, the phone book, browser settings, passwords used on the Internet, and photos and videos that the user took with the camera and did not transfer to the SD card.

SD card encryption is enabled as a separate option.

Encrypting memory can take up to an hour depending on the amount of memory on your device. The phone cannot be used during encryption.

What if you forgot your password?

Password recovery is not provided in this case. You can do a full RESET on your phone or tablet, i.e. reinstall Android, but the user data on the phone or tablet will be erased. Thus, if an attacker does not know the password to unlock the phone, he will not be able to use it. It will also be impossible to see data from the phone’s memory using other programs by connecting the phone to a computer, because all internal memory is encrypted. The only way to make the phone work again is to reformat it. Attention: the full encryption function is present only starting from Android OS 4.0 - 4.1 and may simply be absent on some phone models. It is most often found in phones from Samsung, HTC, LG and Sony. Some Chinese models also have an encryption function. On some phones, this function is located in the “Memory” section.

Flaws. You will need to constantly enter a fairly complex password (6-10 characters) even if you just want to make a call. Although it is possible to set a long time interval (30 minutes) during which the password will not be requested when you turn on the phone screen. On some phone models, the minimum password length can be 3 characters. On some phone models, it is not possible to disable encryption if you want to avoid constantly entering a password; encryption can only be disabled by returning the phone to factory settings and deleting all data.

Encrypting an external SD memory card

The function is included in the standard Android 4.1.1 package for tablets. It is absent in many budget builds. The function provides reliable data protection on an external SD card, where personal photographs and text files with commercial and personal information can be stored. It allows you to encrypt files on an SD card without changing their names or file structure, while keeping previews (thumbnails) of graphic files. The function requires setting a screen lock password of at least 6 characters. It is possible to cancel the encryption. When the password is changed, automatic re-encryption occurs. If the user has lost the memory card, the encrypted files cannot be read through a card reader. If you put the card into another tablet with a different password, the encrypted data also cannot be read.

Other Encryption Properties.

Transparent encryption. If the card is inserted into the tablet and the user has unlocked the screen with a password, any application sees the files in decrypted form. If you connect the tablet via a USB cable to a computer, encrypted files can also be read on the computer after first unlocking the card from the screen of the mobile device. If you write other, unencrypted files onto the card via a card reader, they will also be encrypted after the card is inserted into the tablet. While a card is encrypted, you cannot remove the lock password. Data is encrypted at the file level (the file names are visible, but the contents of the files are encrypted).

Disadvantage of the program: not available in most Android builds

It should be emphasized that the best safety of data is a complete copy of it on your computer in encrypted form. A smartphone is a fairly fragile, small device, which means there is always the possibility of it breaking or being lost.

Increasing the convenience of using a secure smartphone

Full encryption of the phone provides the most reliable level of protection, but constantly entering a 6-digit password complicates its use. But there is a solution. In the Android system from version 4.2*, it is possible to move some applications/widgets to the lock screen, and this way you can perform simple actions without constantly unlocking the phone (without entering a 6-digit password). The SimpleDialerWidget application allows you to make calls directly from the lock window (without having to unlock your phone). And also shows

Flashlightwidget - turn on the flashlight

GoogleKeep is a free notebook that provides a widget on the lock screen and it, in turn, allows you to create text and photo notes without unlocking your phone.

Facebook/WhatsUp/GooglePlus and other social network clients also provide their widgets.

Conclusion

The built-in and free features to protect your phone are very reliable. They are able to protect the user’s contacts, correspondence and calls, accounts in various programs and networks, as well as files and folders located both in the phone’s memory and on a removable SD card from prying eyes. Before purchasing a phone, you should check how the required protection works in that specific phone model: whether it requires an overly complex PIN code or password on the lock screen (a Pattern Key is not suitable), and whether encryption of the phone’s internal memory is irreversible, i.e. the only way to refuse encryption is to completely reset your phone. Important! Make sure that if you forget your password or Pattern Key, you can restore access to the phone, or that you can easily restore the phone settings in case you have to do a hard reset (resetting the phone to factory settings with the loss of all data). A backup copy of confidential data should be stored only in encrypted form on your computer, on a DVD or in the cloud.


Data encryption in the Android OS is closely related to two problems: controlling access to memory cards and moving applications onto them. Many programs contain activation data, payment information, and confidential information. Protecting it requires management of access rights, which the FAT32 file system typical for cards does not support. Therefore, in each version of Android the approach to encryption changed dramatically - from the complete absence of cryptographic protection of removable media to their deep integration into a single partition with on-the-fly encryption.

The special role of the memory card

Initially, Android developers intended to use the memory card only as a separate storage for user files. It was just a multimedia warehouse without any requirements for its protection and reliability. microSD(HC) cards with FAT32 coped well with the role of simple storage, freeing the internal memory from photos, videos and music.

The ability to transfer not only multimedia files, but also applications to a memory card first appeared in Android 2.2 Froyo. It was implemented using the concept of an encrypted container for each application, but this only protected against the card falling into the wrong hands, not the smartphone.

In addition, this was a half-measure: many programs were transferred partially, leaving some of the data in the internal memory, and some (for example, system ones or containing widgets) were not transferred to the card at all. The very possibility of transferring applications depended on their type (pre-installed or third-party) and internal structure. For some, the directory with user data was immediately located separately, while for others it was located in a subdirectory of the program itself.

If applications used read/write operations intensively, the reliability and speed of the cards could no longer satisfy the developers. They deliberately made it impossible to transfer their programs using standard means. Thanks to this trick, their product was guaranteed to stay in the internal memory, which has a much higher rewrite endurance and better performance.

With the fourth version of Android, it became possible to choose where to place the application. It was possible to designate a memory card as a disk for installing programs by default, but not all firmware correctly supported this function. How it works in a specific device could only be determined experimentally.

In the fifth Android, Google again decided to return to the original concept and did everything to make it as difficult as possible to transfer applications to a memory card. Large manufacturers caught the signal and added their own monitoring functions to the firmware, detecting user attempts to force applications onto the card using root. Only the option of creating hard or symbolic links worked more or less. In this case, the application was found at its standard path in the built-in memory but was actually located on the card. However, file managers caused confusion, since many of them did not process links correctly. They showed the wrong amount of free space because they believed that the application supposedly took up space in both the built-in memory and the card at the same time.

Adapt it!

Android Marshmallow introduced a compromise called Adoptable Storage. This is Google's attempt to have it both ways: keep the wolves fed and the sheep safe.

The Adoptable Storage function allows you to combine a user partition in the built-in memory with a partition on the card into one logical volume. In fact, it creates an ext4 or F2FS partition on the card and adds it to the user partition of the internal memory. This is a purely logical merge operation, vaguely reminiscent of creating a spanned volume from several physical disks in Windows.

During the process of combining with internal memory, the card is reformatted. By default, its entire capacity will be used in the merged volume. In this case, the files on the card can no longer be read on another device - they will be encrypted with a unique device key, which is stored inside the trusted execution environment.

As an alternative, you can reserve space on the card for a second partition with FAT32. The files stored on it will be visible on all devices, as before.

The method for dividing the card is set either through the Adoptable Storage menu or through the Android Debug Bridge (ADB). The last option is used in cases where the manufacturer has hidden Adoptable Storage from the menu, but has not removed this function from the firmware. For example, it is hidden in the Samsung Galaxy S7 and top LG smartphones. Recently, there has been a general tendency to remove Adoptable Storage from flagship devices. It is considered a crutch for budget smartphones and tablets that do not come with a sufficient amount of built-in Flash memory.

However, it is not up to marketers to decide how we use our devices. Through ADB on a Windows computer, the Adoptable Storage function is enabled as follows.

  1. Make a backup of all data on the card - it will be reformatted.
  2. Install the Java SE Development Kit from the Oracle website.
  3. Install the latest version of Android SDK Manager.
  4. Enable USB debugging on your smartphone.
  5. Launch SDK Manager and write on the command line:

    $ adb shell
    $ sm list-disks

    where disk:x:y in the output identifies the memory card.
  6. If you want to leave a part of the card as a FAT32 volume, change the partition command to this:

    $ sm partition disk:x:y mixed nn

    where nn is the percentage of the card left for the FAT32 volume.

For example, the command sm partition disk:179:32 mixed 20 will add 80% of the card’s capacity to the built-in memory and leave a FAT32 volume on it with 1/5 of its capacity.

On some smartphones, this method “as is” no longer works and requires additional tricks. Manufacturers are doing everything to artificially divide their products into market niches. Top models are available with different amounts of built-in memory, and there are fewer and fewer people willing to overpay for it.

Some smartphones do not have a memory card slot (for example, the Nexus series), but support connecting USB-Flash drives in OTG mode. In this case, the flash drive can also be used to expand the internal memory. This is done with the following command:

$ adb shell sm set-force-adoptable true

By default, the ability to use USB-OTG to create custom storage is disabled because unexpected removal could result in data loss. The likelihood of a memory card suddenly disconnecting is much lower due to its physical placement inside the device.

If problems arise with adding the volume of removable media or dividing it into partitions, then first remove all information about the previous logical layout from it. This can be done reliably using the Linux utility gparted, which on a Windows computer is launched from a boot disk or in a virtual machine.

According to official Google policy, applications can be directly installed on or moved to adopted storage if the developer has allowed this in the android:installLocation attribute. The irony is that not all of Google's own apps allow this yet. There are no practical limits to adopted storage in Android. The theoretical limit for Adoptable Storage is nine zettabytes. Even data centers do not hold that much, and memory cards of such capacity will not appear in the coming years.

The encryption itself when creating adopted storage is performed by dm-crypt - the same Linux kernel module that performs full-disk encryption of a smartphone's built-in memory (see the previous article “”). The AES algorithm is used in cipher block chaining (CBC) mode. A separate initialization vector is generated for each sector from a salt (ESSIV). The SHA hash used for ESSIV produces a 256-bit digest, while the encryption key itself is 128 bits.

This implementation, although inferior in reliability to AES-XTS-256, is much faster and is considered reliable enough for consumer devices. A nosy neighbor is unlikely to open an encrypted adapted storage in a reasonable time, but intelligence agencies have long learned to exploit the shortcomings of the CBC scheme. In addition, in reality, not all 128 bits of the key are completely random. Unintentional or intentional weakening of the built-in pseudo-random number generator is the most common problem in cryptography. It affects not only Android gadgets, but all consumer devices in general. Therefore, the most reliable way to ensure privacy is not to store confidential data on your smartphone at all.
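To make the mode described above concrete, here is an added example (my own Go code, not part of the original article and not taken from dm-crypt) that reproduces the aes-cbc-essiv:sha256 construction with a 128-bit key: the IV for each 512-byte sector is obtained by hashing the key with SHA-256 and using that digest as an AES-256 key to encrypt the sector number. The demo key is a constructed placeholder; on a real device the key lives in the trusted execution environment. The example also shows the two properties a practitioner should know: identical sector contents encrypt differently in different sectors, and decryption is unauthenticated, so a modified sector simply decrypts to garbage without any error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// sectorSize is the unit dm-crypt encrypts independently; each sector gets its own IV.
const sectorSize = 512

// essivIV reproduces the ESSIV construction: salt = SHA-256(key) becomes the key of a
// second AES instance (AES-256, because the digest is 32 bytes), which encrypts the
// sector number written as a little-endian 64-bit integer into an otherwise zero block.
func essivIV(key []byte, sector uint64) ([]byte, error) {
	salt := sha256.Sum256(key)
	ivCipher, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	var sectorBlock [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(sectorBlock[:8], sector)
	iv := make([]byte, aes.BlockSize)
	ivCipher.Encrypt(iv, sectorBlock[:])
	return iv, nil
}

// encryptSector encrypts one 512-byte sector with AES-128-CBC under the ESSIV IV.
// No authentication tag is produced: like dm-crypt in this mode it protects
// confidentiality only, so decrypting modified ciphertext silently yields garbage.
func encryptSector(key, plaintext []byte, sector uint64) ([]byte, error) {
	if len(plaintext) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(plaintext))
	}
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(key, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// decryptSector is the inverse; the caller must supply the same sector number,
// because the IV is bound to the sector's position on the device.
func decryptSector(key, ciphertext []byte, sector uint64) ([]byte, error) {
	if len(ciphertext) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(ciphertext))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(key, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out, nil
}

func main() {
	// Constructed demo key; a real device key comes from the TEE and is never a constant.
	key := []byte("0123456789abcdef")
	zeroSector := bytes.Repeat([]byte{0}, sectorSize) // all-zero sector, typical of fresh storage
	c0, _ := encryptSector(key, zeroSector, 0)
	c1, _ := encryptSector(key, zeroSector, 1)
	fmt.Printf("sector 0: %s...\n", hex.EncodeToString(c0[:16]))
	fmt.Printf("sector 1: %s...\n", hex.EncodeToString(c1[:16]))
	fmt.Println("identical ciphertext:", bytes.Equal(c0, c1)) // false thanks to ESSIV
}
```

The point of the per-sector IV is visible in the last line: with a fixed or all-zero IV, every empty sector on the card would produce the same ciphertext, revealing which parts of the volume are unused. What ESSIV does not give is integrity, which is why the CBC shortcomings mentioned above matter.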

If you perform a factory reset after merging the memory using Adoptable Storage, the data on the card will also be lost. Therefore, it’s worth making a backup of them first, or better yet, immediately assigning cloud synchronization.

Alternative encryption of data on a memory card

Now that we have dealt with the peculiarities of storing files on a memory card in different versions of Android, let's move on directly to encrypting them. If you have a device with Android 6 or newer, then with high probability you can activate the Adoptable Storage function one way or another. Then all data on the card will be encrypted, just like in the built-in memory. Only the files on the additional FAT32 partition will remain open, if you chose to create one when reformatting the card.

In earlier releases of Android, things are much more complicated, since before version 5.0, cryptographic protection did not affect memory cards at all (except for data from ported applications, of course). “Regular” files on the card remained open. To close them from prying eyes, you will need third-party utilities (which often turn out to be just a graphical shell for built-in tools). With all the variety of existing methods, four are fundamentally different:

  • use of a universal cryptocontainer - a file with an image of an encrypted volume in a popular format that applications for different OSes can work with;
  • transparent encryption of files in a specified directory via the FUSE driver and a third-party utility for creating/mounting an encrypted partition as a file;
  • encryption of the entire memory card via dm-crypt;
  • using a “black box” - a separate application that stores encrypted data in its own format and does not provide access to it for third-party programs.

The first option is familiar to anyone who uses TrueCrypt or one of its forks on a computer. There are applications for Android that support TrueCrypt containers, each with its own limitations.

The second option allows you to organize “transparent encryption”, that is, store all data encrypted and decrypt it when accessed from any application. To do this, all data from the selected directory is represented as the contents of a virtual file system with support for on-the-fly encryption. EncFS is usually used, which we will talk about in more detail below.

The third option is built-in dm-crypt. You can use it, for example, through LUKS Manager. The application requires root and BusyBox installed. Its interface is not for everyone.


LUKS Manager creates a crypto container on the card as a file. This container can be connected to an arbitrary directory and worked with it as with a regular one. The advantage is that this solution has cross-platform support. You can work with the container not only on an Android gadget, but also on a desktop: on Linux - through cryptsetup, and on Windows - through the program or its fork LibreCrypt. The downside is the inconvenience of using it in conjunction with cloud services. Every time in the cloud you have to resave the entire container, even if one byte has changed.

The fourth option is generally of little interest, since it greatly limits the scenarios for using encrypted files. They can only be opened by one specialized application, and you have to trust that its developer has actually mastered cryptography. Unfortunately, most of these applications do not stand up to scrutiny. Many of them have nothing to do with cryptography at all, since they simply mask files instead of encrypting them. At the same time, the description may mention strong algorithms (AES, 3DES...) and quotes from Schneier's “Applied Cryptography”. At best, such programs will have a very poor encryption implementation, and at worst there will be no encryption at all.

There is no official VeraCrypt client for Android and none is planned, but its authors recommend using the EDS (Encrypted Data Store) application. This is a Russian development, available in a full and a lightweight version. The full version of EDS costs 329 rubles. It supports crypto containers in the TrueCrypt, VeraCrypt and CyberSafe formats, as well as LUKS and EncFS. It can work with local, network and cloud storage, providing other applications with transparent encryption. On-the-fly encryption requires OS kernel support for the FUSE framework and root rights. Normal work with crypto containers is possible on any firmware.


The EDS Lite version is distributed free of charge and has functional limitations. For example, it can work exclusively with containers containing a volume with the FAT file system, encrypted using the AES algorithm with a 256-bit key length and using the SHA-512 hash function. It does not support other options. Therefore, it is worth focusing on the paid version.

A crypto container is the most reliable and universal way. It can be stored in any file system (even FAT32) and used on any device. All data that you encrypted on your desktop will become available on your smartphone, and vice versa.

EncFS

In 2003, Valient Gough (a software engineer from Seattle who wrote software for NASA and later worked for Google and Amazon) released the first release of a free file system with a built-in transparent encryption mechanism - EncFS. It interacts with the OS kernel through a callback layer, receiving requests through the libfuse interface of the FUSE framework. At the user's choice, EncFS uses one of the symmetric algorithms implemented in the OpenSSL library - AES and Blowfish.

Since EncFS uses the principle of creating a virtual file system, it does not require a separate partition. On Android OS, you just need to install an application that supports EncFS and just point it to a couple of directories. One of them will store the encrypted content (let it be called vault), and the second - temporarily decrypted files (let's call it open).

After entering the password, the files are read from the vault directory and appear decrypted in open (as at a new mount point), where all applications can access them. After finishing work, click the Forget Decryption button (or its equivalent) in the application. The open directory will be unmounted, and all decrypted files in it will disappear.

Disadvantages: EncFS does not support hard links, since the data is bound not to the inode but to the file name. For the same reason, file names are supported only up to 190 bytes in length. In the vault directory, file names and contents are hidden, but metadata remains available. You can find out the number of encrypted files, their permissions, and the last time they were accessed or modified. There is also a clear sign that EncFS is in use: a settings file with the encfs prefix and the version number in its name. The file contains the encryption parameters, including the algorithm, key length and block size.


A paid audit of EncFS was performed in February 2014. It concludes that "EncFS is likely to be secure as long as the attacker has only one set of encrypted files and nothing more." If more data is available to the attacker (for example, two snapshots of the file system taken at different times), then EncFS cannot be considered reliable.

Once installed, EncFS will be visible as a separate userspace file system through the FUSE driver. Access to it will be realized through some third-party application - for example, the Encdroid or Cryptonite file manager. The latter is based on the EncFS source code, so we will focus on it.

Cryptonite

The latest version of the Cryptonite application is 0.7.17 beta dated March 15, 2015. It can be installed on any device with Android 4.1 and higher, but some functions work more stably in Android 4.3 and later versions.

Most operations in Cryptonite do not require root or any specific components. Creating EncFS volumes and synchronizing with Dropbox can be performed on both official and custom firmware.

Cloud synchronization of encrypted files

However, a number of operations will require mounting EncFS volumes, which requires root rights and support for the FUSE framework by the OS kernel. The use of FUSE is necessary to organize “transparent encryption”, that is, so that other applications can access encrypted data and receive it already decrypted. Most older firmwares do not support FUSE, but it is available in CyanogenMod, MIUI, AOKP and other custom ones. Starting with Android 4.4, FUSE is standardly used to emulate an SD card in the built-in memory.

Disadvantages: When you click “Decrypt” and successfully enter the password, Cryptonite creates a temporary copy of the decrypted file in /data/data/csh.cryptonite/app_open/. A copy of the file is marked as world readable (readable and executable for everyone). You can delete decrypted files by clicking the Forget Decryption button.

Conclusions

The method of encrypting data on a memory card should be chosen based on two main criteria: the usage scenario and the Android version. On modern gadgets with Android 6.0 and higher, the easiest option is to use Adoptable Storage, attach the card to the internal memory and transparently encrypt the entire logical volume. If you need to make files available on other devices or add encryption of data on a card in older devices, crypto containers of proven formats are suitable. It is better to avoid third-party “thing-in-itself” utilities altogether, since instead of real data protection, they often only imitate it.

2024 gtavrl.ru.