Android Device Security


Overview

All mobile devices with Client data need to be encrypted and password protected. With Android, this is very simple from a user’s viewpoint. You just enter your passcode whenever you boot up or unlock the device and all of your files will be accessible.

  • Encryption is useless without a password set: Passwords or codes should be set on all devices that hold PHI/PII.
  • If you’re using an Android version older than Android 7, you’re going to have a really hard time with encryption, and it is not recommended.
  • Android 10+ encrypts the device by default. (Recommended)
  • BAO Devices should be using Android 7 or higher with encryption on by default or explicitly set.
  • Samsung’s Knox adds extra layers of protection but on budget devices there isn’t much that can be seen or configured.
  • If you’re using an SD card as extra storage it must be explicitly encrypted via Settings > Biometrics & Security > Encrypt SD Card.

Encryption won’t give you complete protection from everything, but it offers excellent protection in the case of stolen or lost devices.

Android Device Encryption: A Brief History

https://www.androidauthority.com/how-to-encrypt-android-device-326700/

Android 7: Direct Boot

As mentioned, most new Android smartphones have device encryption turned on automatically. A big change that was introduced a couple of years ago with Android 7.0 Nougat was Direct Boot. Before Direct Boot, your entire encrypted phone would be locked down until you entered the password. Since Nougat, the system allows a small selection of software to run as soon as you turn on your phone. This means that phone calls, alarms, and the like can work right away from boot, while apps that you download and more personal data won’t work until you enter the password.

Android 10: Default Encryption for all devices

With Android 10, Google took things a step further. All phones running the latest version of Android have to be encrypted by default, including entry-level devices.

….

Android 10 also adopts TLS 1.3, which encrypts and secures the traffic from your phone to whatever internet-based service you are connecting to.

Encryption on Android

This section copied from https://source.android.com/security/features 06/08/2022 (Android 11)

Encryption is the process of encoding all user data on an Android device using symmetric encryption keys. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk and all reads automatically decrypt data before returning it to the calling process. Encryption ensures that even if an unauthorized party tries to access the data, they won’t be able to read it.

Android has two methods for device encryption: file-based encryption and full-disk encryption.

File-based encryption

Android 7.0 and later supports file-based encryption. File-based encryption allows different files to be encrypted with different keys that can be unlocked independently. Devices that support file-based encryption can also support Direct Boot, which allows encrypted devices to boot straight to the lock screen, thus enabling quick access to important device features like accessibility services and alarms.

With file-based encryption and APIs that make apps aware of encryption, apps can operate within a limited context. This can happen before users have provided their credentials while still protecting private user information.

Metadata encryption

Android 9 introduces support for metadata encryption, where hardware support is present. With metadata encryption, a single key present at boot time encrypts whatever content is not encrypted by FBE, such as directory layouts, file sizes, permissions, and creation/modification times. This key is protected by Keymaster, which in turn is protected by verified boot.

Full-disk encryption

Note: Full-disk encryption is not allowed on new devices running Android 10 and higher. For new devices, use file-based encryption.

Android 5.0 up to Android 9 support full-disk encryption. Full-disk encryption uses a single key—protected with the user’s device password—to protect the whole of a device’s userdata partition. Upon boot, the user must provide their credentials before any part of the disk is accessible.

While this is great for security, it means that most of the core functionality of the phone is not immediately available when users reboot their device. Because access to their data is protected behind their single user credential, features like alarms could not operate, accessibility services were unavailable, and phones could not receive calls.
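
To confirm which of the two methods a device uses and whether it meets the Android 7 or higher requirement from the overview, the following added example (not part of the quoted Android documentation) parses `adb shell getprop` output. The function names and sample dumps are constructed for illustration; these properties do not show whether a lock-screen password is set, so that is checked separately.

```shell
# Added example: audit `adb shell getprop` output against this page's policy.
# ro.build.version.release, ro.crypto.state and ro.crypto.type are standard
# Android properties; the three SAMPLE_* dumps below are constructed.
# Print the value of one property from "[key]: [value]" lines.
prop() {
    printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Print a verdict; return 0 = compliant, 1 = non-compliant, 2 = unreadable.
audit_encryption() {
    release=$(prop "$1" ro.build.version.release)
    state=$(prop "$1" ro.crypto.state)
    ctype=$(prop "$1" ro.crypto.type)
    major=${release%%.*}
    case $major in
        ''|*[!0-9]*) echo "UNKNOWN: cannot read Android version"; return 2 ;;
    esac
    if [ "$state" != "encrypted" ]; then
        echo "FAIL: storage not encrypted (ro.crypto.state=${state:-unset})"
        return 1
    fi
    if [ "$major" -lt 7 ]; then
        echo "FAIL: Android $release is below the Android 7 minimum"
        return 1
    fi
    case $ctype in
        file)  kind="file-based" ;;   # FBE, Android 7.0 and later
        block) kind="full-disk" ;;    # FDE, Android 5.0 up to 9
        *)     kind="unidentified" ;;
    esac
    echo "PASS: Android $release, $kind encryption"
}
SAMPLE_FBE='[ro.build.version.release]: [11]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'
SAMPLE_OLD='[ro.build.version.release]: [6.0.1]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]'
SAMPLE_PLAIN='[ro.build.version.release]: [8.1.0]
[ro.crypto.state]: [unencrypted]'

if [ "${1:-}" = "--device" ]; then   # live check of the attached device
    audit_encryption "$(adb shell getprop)"
else
    for s in "$SAMPLE_FBE" "$SAMPLE_OLD" "$SAMPLE_PLAIN"; do
        audit_encryption "$s" || true
    done
fi
```

Run with `--device` to audit the phone currently attached over adb; without arguments it only evaluates the constructed samples.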

https://docs.samsungknox.com/admin/knox-platform-for-enterprise/kbas/kba-360039577713.htm

Samsung Devices & Samsung Knox

Samsung has its own enhanced Android security measures on its devices, known as Samsung Knox. Samsung Knox is a multi-layer security platform built into Android on Samsung devices, including software and hardware isolation for sensitive data.

Samsung Knox is built into the software of most Samsung devices that ship with Android, so if you have a Samsung from the past couple of years, there's a good chance you benefit from these protections.

Check here to see if the device you are using is covered by Samsung Knox - be sure to confirm serial numbers.

https://www.samsungknox.com/en/knox-platform/supported-devices

Samsung devices encrypt all user data by default, so when your mobile device is off, the data cannot be read (as plain text) until your password has been entered. Data-at-Rest (DAR) encryption simply means encrypting data when it is stored; this protection happens automatically, in the background, and the user does not need to do anything other than unlock the device.