[Q] Serious problem with Android's built-in encryption?

By timli0, Junior Member on 9th May 2014, 05:26 PM
I came across a problem with Android's built-in encryption function and typical sdcard data. I searched everywhere on the internet and this is what I could collect so far:
Also, from my research, while I cannot confirm this, I have read that prior to 4.2, external (public) storage in Android was /mnt/sdcard/ (if you are not familiar with the Android file system, "sdcard" refers to public storage that is internal...not necessarily an external sdcard), but this was just a symbolic link from the protected /data/ directory. At the time, Android only encrypted /data/, which was fine because the symbolic link would also encrypt any personal files in the public directory.
After 4.2, due to multiple profiles, the public storage was moved to /storage/emulated/legacy. That means if Android's "full disk encryption" only encrypted /data...then any sensitive data in the public directories is not encrypted (this could be downloads from work, private photos, etc).

Source and full topic: https://productforum...xus/Lzsje-4QfTQ


This can be OEM dependent indeed, but /mnt/sdcard is now just a symlink to
a 'virtual' SD card that lives under /data. So downloaded documents, media
etc. are encrypted along with private data, etc. From the boot script:

# create virtual SD card at /storage/sdcard0, based on the /data/media directory
# daemon will drop to user/group system/media_rw after initializing
# underlying files in /data/media will be created with user and group media_rw (1023)

If on some device /mnt/sdcard (external storage) is independent from /data,
it might not get encrypted. But then again they may modify the
firmware to encrypt it.

Source and full topic: https://groups.googl...uss/-mE-XTot0Gg (This is also only referring to Android versions <= 4.0)

1.) I checked a CM 11 installation on a Huawei Ascend Y300 and I could find the same internal SD card data in

/internal_sd -> /storage/sdcard0 (fuse)
/mnt/internal_sd -> /storage/sdcard0 (fuse)
/mnt/media_rw/sdcard0 -> /mnt/media_rw/sdcard (vfat)

2.) /data/media does not contain the files that the others in 1.) do.

3.) /internal_sd is the only partition visible via TWRP file manager, which could mean that the others are created during the start of Android itself.


So the actual physical storage place is still /data/media. /storage/sdcard0 is a "virtual" SD card. /sdcard and /mnt/sdcard are symbolic links of /storage/sdcard0.


I'd guess that the virtual sdcard exists because /data/media is part of an ext# partition, so they use fuse filesystem and virtual sdcard to make it look like fat to apps, many of which don't understand ext# filesystems.

I'd assume the actual physical storage place is /storage/sdcard0 now, but I'm not sure.

Conclusion: To make the encryption include typical "sdcard data" again, we would have to somehow change it back to this:
So the actual physical storage place is still /data/media. /storage/sdcard0 is a "virtual" SD card. /sdcard and /mnt/sdcard are symbolic links of /storage/sdcard0.

Are my thoughts on this correct so far or does anyone have an idea?
Does this mean older Android versions (pre-4.2) did not actually have this problem?
Last edited by timli0; 9th May 2014 at 05:58 PM.
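As an added example (not part of the post or its quoted sources), a POSIX shell check that maps a storage path to the mount it lives on and reports whether that mount is part of /data, i.e. whether a /data-only full disk encryption would cover it. The mounts table below is constructed from the layout described in the thread (block device names are made up); on a device the same functions would be fed `cat /proc/mounts` and paths resolved with `readlink -f /sdcard`.

```shell
#!/bin/sh
# Constructed /proc/mounts excerpt (device mountpoint fstype options), modelled
# on the layout described in the thread: /data on ext4, a fuse "virtual" SD card
# at /storage/sdcard0, and a real vfat card under /mnt/media_rw/sdcard.
# On a device this would come from: adb shell cat /proc/mounts
MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p13 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/fuse /storage/sdcard0 fuse rw,nosuid,nodev,noexec,relatime,user_id=1023,group_id=1023 0 0
/dev/block/vold/179:65 /mnt/media_rw/sdcard vfat rw,dirsync,nosuid,nodev,noexec 0 0'

# mount_for_path MOUNTS PATH -> "mountpoint fstype" of the longest matching mount.
# PATH must already be resolved (readlink -f) so that /sdcard and /mnt/sdcard
# symlinks point at their real target before the lookup.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); out = mp " " $3 }
            }
        }
        END { print out }'
}

# fde_coverage MOUNTS PATH -> covered | fuse-emulated | not-covered | unknown
# "covered": the path lives on the /data filesystem, which /data-only FDE encrypts.
# "fuse-emulated": served by the sdcard daemon; /proc/mounts does not show the
# backing directory, so check the daemon's arguments (init.rc / ps) for /data/media.
# "not-covered": a separate vfat/exfat volume that /data-only FDE does not touch.
fde_coverage() {
    set -- "$2" $(mount_for_path "$1" "$2")   # $1=path $2=mountpoint $3=fstype
    case "$3" in
        ext[234])
            case "$2" in
                /data|/data/*) echo covered ;;
                *) echo not-covered ;;
            esac ;;
        fuse) echo fuse-emulated ;;
        vfat|exfat) echo not-covered ;;
        *) echo unknown ;;
    esac
}

# Example run over the constructed table
for p in /data/media/0/DCIM /storage/sdcard0/DCIM /mnt/media_rw/sdcard/Download; do
    printf '%-32s %s\n' "$p" "$(fde_coverage "$MOUNTS" "$p")"
done
```

A "fuse-emulated" result is the case the thread is about: the data is only covered if the sdcard daemon behind /storage/sdcard0 is started on /data/media, which /proc/mounts alone cannot confirm.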