
[APP] Enable full Device Encryption *without* needing an Exchange account!

By HellcatDroid, Senior Member on 22nd December 2011, 04:45 AM
With ICS on the horizon this might not be needed anymore....
But ICS having this as an Android feature made me look again into finding out how to enable the device encryption Samsung added to its Gingerbread ROM.

And I succeeded



And so I can present to you a little app that "just lets you enable device encryption" without the need for adding an Exchange 2010 account.

Like it? So do I
Don't care? Then move along

(i) some information regarding custom kernels in combination with device encryption can be found here!

Quote:

Enable full device encryption on the Galaxy S / Splus / S2 *without* the need to add an Exchange 2010 account!

/!\ This works ONLY on:
- Samsung Galaxy S
- Samsung Galaxy Splus
- Samsung Galaxy S2

and ONLY on 2.3.x (Gingerbread), not 4.0.x ICS

/!\ This does *NOT* work on custom ROMs, it REQUIRES a stock Samsung ROM
--- There is NOTHING this app could do against this requirement!!!

/!\ This does NOT work with custom kernels, it REQUIRES a stock Samsung kernel
--- There is NOTHING this app could do against this requirement!!!

(i) Since the userdata is not yet mounted so early (or not yet decrypted) during bootup, your language setting *WILL* revert to the default language of your ROM/FW for the boot-up password entry as the language setting is not yet accessible to the system!
-- There is NOTHING this app could do against this!!!


*** PLEASE ONLY INSTALL THIS APP IF YOU HAVE READ AND UNDERSTOOD THE ABOVE WARNINGS ***


If you have passed that challenge, this app will let you enable the full device encryption feature Samsung added to its Android 2.3 build for the Galaxy S2.

What will be encrypted:
- userdata containing all apps, app's settings and data, system settings and other misc. user data
- internal storage (the "internal SD card")

Once encrypted, the current lock password needs to be entered on boot up to unlock the encryption; without the password it is not possible to access any of the (encrypted) data, not even with rooting or custom kernel methods!

PRO version offers the following additional features:
- encryption of the external SD card can be enabled
- setting of additional policy settings like:
* minimum password length required
* maximum time allowed to be set for screen auto-lock
* maximum failed attempts to unlock before auto-wipe
* allow use of camera
* allow use of bluetooth
* allow use of WiFi
* allow use of internet sharing (WiFi/USB tether)
* allow use of text messages (SMS)


Please only complain or comment if you have read ALL of the notes and warnings above and in the app itself, you knew everything that needs to be known BEFORE you installed the app - given you read all the available information provided.

After that, ENJOY! :)


Market links:

[ SGS2 Device Encryption (FREE) ]
[ SGS2 Device Encryption (PRO) ]



Screenshots:




Hope some like it
22nd December 2011, 09:45 AM |#2  
Great work Hellcat, going to buy the app but just need to clarify something.

You say no custom ROM but does this include non stock kernels? Apart from a kernel my S2 is stock.

Sent from my GT-I9100 using Tapatalk
22nd December 2011, 10:06 AM |#3 - HellcatDroid (OP)
Unfortunately it really needs a stock kernel as well.

The device encryption makes use of the recovery binary (even in normal OS boot mode) to "unlock" the encryption when turning on the phone.

Even having the usual busybox symlinks (while having the original recovery binary) in /sbin breaks it and it just gets stuck, doesn't even show the password prompt.

What DOES work as far as custom kernels go, if it is stock kernel based (a total MUST, because of the crypto drivers), has stock recovery (NOT CWM!) and NO busybox symlinks in /sbin.

I made a "modded" version of my own kernel that indeed does work that way.
(That alone took me three days to figure out, WHY it breaks on custom kernels.)

So, unfortunately this is an "either, or" situation.
Either you use the device encryption and stay all stock - OR you go custom kernel/ROM but can't use device encryption.

It's a matter of personal priorities/preference, I for my part am going with the device encryption - I just love making digital fortresses out of my things (and yes, I DO use truecrypt on all of my computers ) - fortunately a rooted system stays rooted, no matter of the kernel.


So, I can see this isn't for everyone, but at least we have the option now
22nd December 2011, 07:30 PM |#4  
It is a tough choice, although I would like full encryption. Though it is obvious as it would likely be less secure.

Sent from my GT-I9100 using Tapatalk
22nd December 2011, 10:35 PM |#5  
I'm glad that somebody is looking into Android security today rather than wait for ICS to fix it. Is this doing a block level encryption on the data?
22nd December 2011, 11:28 PM |#6 - HellcatDroid (OP)
Quote:
Originally Posted by looslip

I'm glad that somebody is looking into Android security today rather than wait for ICS to fix it. Is this doing a block level encryption on the data?

Yep.

It encrypts only used space at first (to not take about 2 hours, because it might take that long if your int. and ext. storage is rather full, like in my case) and after that the partitions are mounted via "mapper devices", so yes, the whole partitions are encrypted block-wise.

You also can't mount them anymore (like when you adb shell to it) due to the encryption and "mount" not finding any recognized filesystem (you can mount the mapper devices in /dev/mapper instead once the correct password has been entered, that's how the system does it on boot after password entry).


And you got to thank Samsung for this (IMO) amazing feature, they are the ones who put it in
I just figured how to enable it without an Exchange account.
23rd December 2011, 12:32 AM |#7  
Do you have any reading that I can do on how encryption keys are used and stored? I'm in the information security space and want to see how viable something like this would be in an enterprise setting.

Thanks for doing this and sharing the knowledge with us!
23rd December 2011, 01:11 AM |#8 - HellcatDroid (OP)
How and where keys are stored depends on the implementation.

Samsung's device encryption is actually aimed at use in enterprise environments, and IMO it's rather well implemented.

The actual "device encryption key" used to crypt the partitions is stored in /efs/edk_p and is itself encrypted with the user's unlock password.

So, even if you gain access to the device, the edk_p file and everything, you can't do a thing without the user's password.


The whole thing even supports (optional, must be explicitly enabled) password recovery (in case you forgot yours) but when that's to be used it wants to mail you the reset password - but since we're doing it here without a linked/added Exchange account, that doesn't work.

But maybe I get an idea how to still make use of this....


I hope this answers your question a bit
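The key hierarchy HellcatDroid describes in post #8 (a random device encryption key that encrypts the partitions, itself stored on the device wrapped under the user's unlock password) is the standard pattern for full-disk encryption, and it is worth seeing why a stolen edk_p file alone is useless and why changing the unlock password does not require re-encrypting the data. The following is an added illustration written for this thread, not Samsung's code and not the app's: the thread does not say which cipher or key-derivation function Samsung uses, so this models only the structure. The wrapping format (salt, nonce, ciphertext, tag), PBKDF2 parameters and the HMAC-SHA256 counter-mode keystream used as a standard-library-only cipher stand-in are all assumptions chosen so the example runs offline.

```python
import hashlib
import hmac
import os
import struct

# Toy wrapping format for this example (assumptions, not Samsung's edk_p layout):
#   blob = salt || nonce || encrypted DEK || HMAC tag
SALT_LEN = 16
NONCE_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000


def generate_dek() -> bytes:
    """Random device encryption key (DEK): the key that would encrypt the partitions."""
    return os.urandom(KEY_LEN)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the unlock password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_LEN)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher stand-in."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_dek(dek: bytes, password: str) -> bytes:
    """Encrypt the DEK under the password (encrypt-then-MAC) and return the storable blob."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    kek = derive_kek(password, salt)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_dek(blob: bytes, password: str):
    """Recover the DEK, or return None if the password is wrong or the blob was tampered with."""
    if len(blob) != SALT_LEN + NONCE_LEN + KEY_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    kek = derive_kek(password, salt)
    expected = hmac.new(kek, salt + nonce + ct, hashlib.sha256).digest()
    # Constant-time comparison: a wrong password fails closed instead of yielding a garbage key.
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def change_password(blob: bytes, old_password: str, new_password: str):
    """Re-wrap the same DEK under a new password; the encrypted partitions stay untouched."""
    dek = unwrap_dek(blob, old_password)
    if dek is None:
        return None
    return wrap_dek(dek, new_password)


if __name__ == "__main__":
    dek = generate_dek()
    edk = wrap_dek(dek, "correct horse")      # what a file like edk_p would hold
    assert unwrap_dek(edk, "correct horse") == dek
    assert unwrap_dek(edk, "wrong") is None     # the blob alone reveals nothing
    edk2 = change_password(edk, "correct horse", "new pass")
    assert unwrap_dek(edk2, "new pass") == dek  # same DEK, no re-encryption of data
    print("wrapped DEK blob:", edk.hex())
```

The point of the tag is that an attempt with the wrong password is rejected outright rather than silently producing a wrong key, which is also what lets a "maximum failed attempts before auto-wipe" policy like the one in the PRO version count attempts reliably. Note that none of this protects against a weak unlock password: the offline cost of guessing is bounded only by the key-derivation work factor, which is why the minimum-password-length policy matters for this design.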
23rd December 2011, 01:39 AM |#9  
Absolutely! Thank you for the reply.
The inherent weakness in most one-off device encryption tools is key management and the security of how the keys are derived and kept, especially if stored on the device that it's encrypting.

Anyhow, this is much much better than what the community already had in the first place. No solution is completely fool-proof but this is big step in the right direction.

Thanks again.
23rd December 2011, 02:26 AM |#10  
Great work! Will help a lot of people (not me though, can't let go of custom ROMs and kernels )
23rd December 2011, 02:48 AM |#11 - HellcatDroid (OP)
Quote:
Originally Posted by kalpik

Great work! Will help a lot of people (not me though, can't let go of custom ROMs and kernels )

Yeah, it's kinda "sad" this is so bound to being stock.

I am thinking about doing an at least similar thing that is more "generic" and would best case work on any Android on any device, but all ideas I came up with so far (and that make half way sense) always require some level of kernel support....

Well, maybe I'll be hit by a bolt of ideas when under the shower one day....