4 comments

[ 2.8 ms ] story [ 24.5 ms ] thread
To this they I still can't wrap my head around how can data on an Android phone be considered secure without requiring a long password at boot. Veracrypt style.

Storing it on a security coprocessor is no good when the entity you want to protect against has most of the world's chipmakers wrapped around their fingers(in the case of US citizens). Software based solutions at least have a chance of being verified.

> To this they I still can't wrap my head around how can data on an Android phone be considered secure without requiring a long password at boot. Veracrypt style.

it is considered secure only by Google. Android has DOS style security: an app which has access to storage has access to all your files.

> Storing it on a security coprocessor is no good when the entity you want to protect against has most of the world's chipmakers wrapped around their fingers(in the case of US citizens). Software based solutions at least have a change of being verified.

> > To this they I still can't wrap my head around how can data on an Android phone be considered secure without requiring a long password at boot. Veracrypt style.

> it is considered secure only by Google. Android has DOS style security: an app which has access to storage has access to all your files.

That's true for most full-disk or file-based encryption systems, including VeraCrypt mentioned by GP - as soon as you unlock the given storage, any application that has read access to your storage has access to all your files.

I should've clarified... I was imagining attack scenarios like a search warrant. i.e. the attackers finding your device in a powered off state. In the case of veracrypt, its reasonable to assume that your memory is the only thing holding the keys to the castle. Whereas in the case of android phones you are 100% at the mercy of whoever designed the security coprocessor.