[guardian-dev] Android Emergency Wipe or Shutdown / PanicKit / PanicButton

Hans-Christoph Steiner hans at guardianproject.info
Fri Aug 17 05:39:55 EDT 2018


A nice layer of protection for cases like this is to use app-specific
encrypted containers.  Our IOCipher library provides full protection
including all the metadata (file names, sizes, etc).  It just looks like
one binary blob on disk.  The app key can be wiped a lot quicker than
the FDE key.

The latest versions of Android have some of these features built-in with
the new File-Based Encryption.  That doesn't protect all the metadata
though.

https://source.android.com/security/encryption/file-based

.hc

Peter Prockers via guardian-dev:
> Like any full disk encryption for Linux, full disk encryption on Android can
> only be really effective if the device is shut down. This is because:
> 
> - the disk encryption key is in RAM and can be extracted from there (see
> cold boot attack - while I haven't heard about cold boot attacks against
> Android, it's better to be careful since an attacker could just keep the
> Android connected to power and shielded from any internet and it would
> never shut down)
> 
> - the bootup disk encryption password is probably a lot longer and more
> complex than any lockscreen password for reasons of practicality
> 
> Before an Android is taken away there might be enough time for an emergency
> procedure.
> 
> - For example a very long press of some physical key such as the off key
> could result in the disk encryption master key (LUKS header) being wiped and
> the device shut down. That would make any attempts to extract the key from
> RAM as well as brute force attacks against the disk encryption futile. Of
> course some safeguards against accidental wipe would be nice, such as being
> able to abort the procedure by having a configurable timeout of a few
> seconds to enter a PIN which aborts.
> 
> - If one is forced to reveal an unlock PIN, one could reveal a PIN which
> actually wipes the encryption master key (LUKS header) and shuts the device
> down.
> 
> - A voice command for triggering the emergency procedure.
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
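The point made above, that an app-specific container lets you destroy a tiny key slot instead of the whole FDE key, and that an opaque blob hides file names and sizes where Android's file-based encryption does not, is sketched below as an added example. This is not IOCipher or Guardian Project code; the 80-byte header layout, the "wrap"/"body" labels, and the PBKDF2 plus SHAKE256-keystream construction are assumptions made for the demo (a real container would use an AEAD such as AES-GCM). The sample files are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Container layout (constructed for this example, not IOCipher's real format):
#   salt(16) | wrapped data key(32) | HMAC tag over wrapped key(32) | encrypted body
SALT_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
HEADER_LEN = SALT_LEN + KEY_LEN + TAG_LEN  # 80 bytes: all a panic wipe must destroy


def _kdf(passphrase: str, salt: bytes) -> bytes:
    """Derive the key-encryption key (KEK) from the app passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=KEY_LEN)


def _xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Unauthenticated stream cipher using SHAKE256 as a keystream (demo only)."""
    stream = hashlib.shake_256(key + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _pack(files: dict) -> bytes:
    """Serialise names and contents together, so file names and sizes end up
    inside the ciphertext instead of being visible as directory entries."""
    return json.dumps({name: data.hex() for name, data in files.items()}).encode()


def _unpack(blob: bytes) -> dict:
    return {name: bytes.fromhex(h) for name, h in json.loads(blob).items()}


def create_container(passphrase: str, files: dict) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)
    data_key = secrets.token_bytes(KEY_LEN)  # random, never derived from the passphrase
    kek = _kdf(passphrase, salt)
    wrapped = _xor_stream(kek, b"wrap", data_key)
    tag = hmac.new(kek, wrapped, "sha256").digest()
    body = _xor_stream(data_key, b"body", _pack(files))
    return salt + wrapped + tag + body


def open_container(passphrase: str, container: bytes) -> dict:
    """Return the files, or raise ValueError if the passphrase is wrong or the
    key slot has been destroyed (the two cases are deliberately indistinguishable)."""
    if len(container) < HEADER_LEN:
        raise ValueError("container too short")
    salt = container[:SALT_LEN]
    wrapped = container[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = container[SALT_LEN + KEY_LEN:HEADER_LEN]
    kek = _kdf(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
        raise ValueError("wrong passphrase or key slot destroyed")
    data_key = _xor_stream(kek, b"wrap", wrapped)
    return _unpack(_xor_stream(data_key, b"body", container[HEADER_LEN:]))


def wipe_key_slot(container: bytes) -> bytes:
    """Emergency wipe: overwrite only the 80-byte header. The body stays on disk
    but is now encrypted under a key that no longer exists anywhere."""
    return secrets.token_bytes(HEADER_LEN) + container[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed sample data
    sample = {"contacts.json": b'{"alice": "+1555..."}', "photo.jpg": b"\xff\xd8" * 64}
    box = create_container("correct horse battery", sample)
    assert open_container("correct horse battery", box) == sample
    print(f"container is {len(box)} bytes; the wipe touches {HEADER_LEN}")
    dead = wipe_key_slot(box)
    try:
        open_container("correct horse battery", dead)
    except ValueError as err:
        print("after wipe:", err)
```

The wipe is fast because it rewrites 80 bytes regardless of how much data the container holds, which is what makes it fit inside a panic-button timeout. The caveat a practitioner should keep in mind is that overwriting a file in place on flash storage does not guarantee the old header blocks are gone (wear levelling can leave stale copies), so on a real device the wrapped key belongs somewhere that supports true erasure, such as a hardware-backed keystore, rather than in an ordinary file.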

