Eugene
Raynor

Everything you need to know about Android encryption

Eugene Raynor

May 20, 2021

11 min read

Encryption for Androids can be a confusing subject, with a broad set of manufacturers and tons of device models out in the market. Depending on the operating system of the device, each of these models may follow different methods when it comes to Android encryption.

In this blog, we’ll blog provide a basic overview of the encryption technologies used on Android, the need for Android encryption, and the best practices to follow when encrypting Android devices.

What is Android encryption?

Definition

Android encryption, or encryption in general, is the process of encoding data into an indecipherable format to make it incomprehensible to users without the proper credentials.

Once an Android device is encrypted, the system automatically encodes all user data on the device lock. Depending on the type of encryption, the device decrypts this data only after it successfully boots up, or after the user unlocks it with the correct password/touch ID/face ID/screen lock.

Why must you encrypt your phone?

Be it personal or corporate data, when using your Android device to store and access sensitive information, it is crucial to ensure that the device is encrypted. In today’s corporate environment, data breaches are on the rise. According to a 2020 data breach report by RiskBased security, almost 36 billion corporate records were breached in the first half of 2020.

Android encryption in the office
Android encryption in the office
 

Also, with employees gaining access to corporate files on their mobile devices, it becomes even more crucial to encrypt these devices. According to a 2021 financial data risk report from Varonis, nearly two-thirds of organizations have more than 1,000 sensitive files open to every employee. These figures point out the importance of setting up encryption policies in the enterprise.

Is it safe to encrypt my Android device?

It is generally safe to encrypt your Android devices. For the older device models, encrypting your Android can result in a drop in system performance. However, this performance drop becomes unnoticeable in the newer Android models. Also, it is worth mentioning that the encryption process is irreversible. Once performed, it can only be removed by a complete factory reset of the device.

What are the types of encryption used on Androids?

Android encryption generally falls under two categories. Full-disk encryption (FDE) and file-based encryption (FBE).

Full disk encryption

Full-disk encryption (FDE) requires encoding all the data on your device, including essential apps and services, and transforming it into illegible code. This data can then be decrypted only after the user successfully unlocks the Android device after booting up. The highlight when it comes to this technique is that all the data is encrypted using a single key.

Encryption enabled mobiles at work
Encryption enabled mobiles at work
 

In the case of full-disk encryption, the core functionalities of your Android device – including the alarms, accessibility services, and the ability to view caller IDs when receiving calls – are restricted until the device is unlocked with the correct credentials. When compared to file-based encryption, this technique provides greater security, at the cost of user convenience.

Android OS requirements for FDE

Android devices running OS versions above 3 supports full-disk encryption. However, FDE support has been discontinued for Android OS 10+ and is now completely replaced by FBE.

File based encryption

File-based encryption (FBE) on the other hand, ensures that the essential and non-essential apps and data are separated and encrypted with different keys. When it comes to FBE, the Android system provides two types of locations for storing encrypted data.

Device encrypted storage

The data in this location get decrypted only after the device completes boot up and reaches the lock screen. Only the essential apps, services and data – such as SMS apps, accessibility apps and Alarm apps – will be decrypted at this point.

Credential based encrypted storage

The data in this location, usually comprised of user data and apps, is decrypted only after the user has successfully unlocked the device from the lock screen, with the required credentials. However, it is worth noting that once the user has unlocked the device, the apps and data stored in this location do not get encrypted for the subsequent device locks. This data is re-encrypted only after a complete restart of the device.

Device encrypted storage ensures that access to essential apps and services are made available as soon as the device is successfully booted up.

Credential based encrypted storage ensures that until the device is unlocked with the proper credentials, the user apps and data on the device remain encrypted.

Overall, file-based encryption is usually preferred over FDE for commercial Androids due to the better convenience it offers for the users.

Android OS requirements for FBE

  • Android devices running OS versions above 7 support file-based encryption.
  • For Android devices 7 to 9, IT can set up either FDE or FBE, depending on enterprise requirements.
  • For Android 10+ devices, only the FBE encryption technique is supported.
  • However, for Android 9 devices that are updated to Android 10, it is not necessary to convert the encryption mode to FBE.

Is my Android device encrypted out-of-the-box?

Encryption for Android devices was introduced with Android OS version 3. However, for older models, Android encryption would have to be enabled manually. This was usually done because the encryption process for the older models would considerably reduce device performance.

With the introduction of newer models, Android devices began to be encrypted out-of-the-box. Today, any Android device with an OS version above 6, that has a legal license of GMS (Google Mobile Services), will always be encrypted out-of-the-box. These devices also support enrollment in the Android Enterprise program.

Out-of-the-box encryption for Androidss
Out-of-the-box encryption for Androids
 

It is worth noting that any device enrolled in the Android Enterprise program must have encryption enabled mandatorily. If the device is not encrypted, the encryption process will automatically be enforced when enrolling in Android Enterprise.

Also, Android Enterprise devices with OS versions above 7, set in Profile Owner mode have the option to set up separate encryption keys for the personal and work container. This can be done by setting up a work profile password for the device.

  • Android 5 devices updated to Android 6 do not require compulsory encryption.
  • Android devices that use the AOSP (Android Open Source Project) framework may or may not be encrypted out-of-the-box, depending on the developer preference.

How do I manually enable Android encryption?

Morden Android devices are always encrypted out-of-the-box. However, in the case of older Android models, the device may or may not be encrypted. You can check the encryption status for Android devices by navigating to Settings > Security > Encryption. This tab shows whether the device is encrypted or not. In case the Android device is not encrypted, you can enable encryption from the same tab.

Before enabling encryption, there are a few things that the user must note to maintain a smooth encryption process.

Android encryption pre-requisites

  • The device must have a charge of over 80%.
  • The device must be plugged in before the encryption process begins.
  • Rooted devices must temporarily be un-rooted to enable encryption. However, the device can be rooted after the encryption process is completed.
  • The encryption process will take about 1-2 hrs, during which no work can be performed on the device.

Important!

If the device accidentally shuts down before the encryption process is completed, the device is left in a partially encrypted state. In such cases, encryption must be performed again after factory resetting the device.

How do I choose between FDE and FBE on my Android?

Android devices with OS versions 7 to 9, comes equipped with the feature that allows users to choose between full-disk encryption and file-based encryption techniques to implement on their device.

To choose between full-disk encryption and file-based encryption methods, you will first need to enable ‘Developer options’ on your Android mobile.

How do I enable Developer options on Android?

To enable Developer options,

  • Navigate to Settings>About phone, and tap on ‘Build number’ 7 times. You may also be asked to enter your password. On a successful attempt, a message will appear on your screen titled, ‘You are now a Developer’.
  • You can now navigate to Settings>Additional settings>Developer options. (The location of the Developer options tab may vary depending on the device.)

Once you are at Developer options, select the tab, ‘Convert to file encryption’, and tap on ‘Wipe and convert’. The conversion process will take about 1-2 hours to complete.

Important!

Converting from FDE to FBE or vice versa will require a complete factory reset of the device. Make sure to back up your data before conversion. You must also ensure that the device does not accidentally turn off during the conversion process.

Is it necessary to set a password to encrypt your Android device?

Unlike its desktop encryption counterparts like BitLocker for Windows and FileVault for macOS,

When it comes to encrypting Android devices, it is not mandatory to set up a device password.

However, the lack of a password will reduce the effectiveness of encryption on your Android device, and it is generally not advisable to set up encryption without a password.

For further clarity, let’s observe the effect of setting up a password on an encrypted Android device. We’ll consider the case for both full-disk encryption and file-level encryption solutions.

When enabling encryption using FDE, if a password is not set, the Android device is encrypted by a randomly generated key, hashed by a default password (“default_password”). This key is also signed by a trusted execution environment (TEE).

What is a Trusted execution environment?

A Trusted execution environment (TEE) is a secure part of the device that executes code with a high level of trust. Due to this factor, the data loaded in TEE can be executed, while ignoring the threats from the rest of the device. Hence, an app, data or software signed by a TEE may have a higher level of trust concerning validity and access control, when compared to other general-purpose software.

Encrypting a mobile device
Encrypting a mobile device
 

But, if a password/pattern/PIN is later set up by the user, the master key gets re-encrypted. However, no change in encryption occurs on any of the apps and user data.

In the case of FBE, files are encrypted with different keys that are unlocked separately. This includes the files in – device encrypted storage and credential-based encrypted storage.

In case a password is not set by the user, the data in credential-based encrypted storage is encrypted by a similar randomly generated key, signed by a TEE. When a password/PIN/pattern is set, this key is re-encrypted, ensuring that the encryption for apps and data remains unchanged.

What are the best practices for Android encryption

When enforcing encryption for Android devices, following certain practices will ensure that your Androids are secured and managed in the best possible way.

Use strong passwords

Enforcing a strong password on your Android device is a crucial factor when setting up Android encryption. Protecting your device with a password/PIN/pattern/touch ID/face ID further strengthens the security on your Android. Hexnode’s UEM solution enables you to enforce strong password policies on your managed Android devices, thereby protecting your data from potential breaches.

Monitor and manage encrypted devices

Once encryption has been completed, it is necessary for enterprises to manage these encrypted devices and monitor their status periodically. With Hexnode’s UEM solution, enterprises can easily manage and view all their encrypted devices from a remote centralized console. IT can also force encryption via Hexnode when enrolling devices in Android Enterprise, and mark unencrypted devices as incompliant.

Regularly back up data

Backing up your data at regular intervals ensures that the data remains safe even in the case of a corrupted drive or a device malfunction.

Share
  •  
  •  
  •  
  •  
  •  
Eugene Raynor

Seeking what's there lurking over the horizon.

Share your thoughts