[Q] Full device encryption in Sensation with official ICS? - HTC Sensation

Hi!
First time post, but long time lurker here
Long background:
We have a bit of confusion here at work after the official release of ICS for the HTC Sensation. We currently have a third party mail solution (DME) that is used to make sure all mail data is encrypted on the device in case of theft. Therefore the full device encryption in ICS has been very much on our "need to have list" to be able to enforce the Exchange policy of "require encrypted device" to make it possible to use ActiveSync instead of the painful DME solution....
So, on the Galaxy Nexus we have the option of "Encrypt phone" for full device encryption (not sure if this is the exact name in English as we have Swedish localization). After that it works fine to connect via ActiveSync to the Exchange server that has the policy of "require encrypted device" (and "require encrypted SD card" too - as the Nexus does not have one)...
On the HTC Sensation however, we cannot find the option to "Encrypt the phone" (full device encryption), but only the option of "Encrypt SD card". The Exchange server does not allow the Sensation to sync if just the SD card is encrypted, and our security department will not allow it if the whole device is not encrypted...
So - the question:
Is it not possible to enable full device encryption in HTC's implementation of ICS? Encrypting the SD card will not be good enough as the mail data is stored in the internal memory and not the SD card? Besides, the people here with Sensations are having problems accessing the data on the SD card after encrypting it - but that's another question
Any ideas?

I found and posted the official not yet released Sensation ICS users guide:
http://forum.xda-developers.com/showthread.php?t=1546297&highlight=user+guide
It has a section on encryption, it might help

I have read that manual (it's for HTC Sens. XE) and it says:
1. From the Home screen, press , and then tap Settings.
2. Tap Storage.
3. Tap Storage encryption to encrypt the phone storage or SD card encryption
--The option "Storage encryption" does not exist on the HTC Sensation.
So the question still remains unsolved. Is it possible to do a full device encryption on the HTC Sensation?
Any takers?
/Naper

There are two options for the ICS Sensation, you will need to enable both
Settings->Storage
Storage Encryption = Encrypt applications and settings
SD Card Encryption = Requires SD card to be encrypted. Non-encrypted SD card will be read only.

Hi,
Like I said, the option "storage encryption" is not available on my ICS Sensation,
and not on my colleagues' either.
So, other ideas?

What version of ICS are you running?
One thing I noticed is that if you have connected to an Exchange server some security settings disappear once a policy has been set, i.e. install from unknown sources is one I saw removed after connecting to my mail server. It could be that your policy is actually active and has been removed from the menu.
The only way to check would be to factory default your handset and check for the settings, then connect to your exchange server and check again.

Hi,
reply from HTC:
----
Storage encryption is an option that the 2.3.5 update with HTC sense 3.5 had and is something you cannot find in either the Sensation or Sensation XE after updating to ICS. After the update the device will use this function automatically if it is required to.
----
Unfortunately using Exchange 2010 with both SD card encryption and storage encryption policy does not work. When syncing the phone with Exchange, it tells you that your policies need to be applied. First SD card. When it's done and in the next sync it tells you yet again there still are policies that need to be applied on the mobile. Pressing OK and nothing happens after that. This dialog reappears the next time the phone syncs and so on...

Any solution yet?
Did you find a solution to your Exchange problem?
It sounds like the same problem as I described here: http://forum.xda-developers.com/showthread.php?t=1541079
I have sent a support request to HTC about this 14 days ago, but no solution yet.

Bumping because this is a huge issue for me. If I had known I would not have upgraded.
MobileIron is having a fit because it wants device encryption enabled, but the option to turn it on is not in the OTA update I have received. It worked fine in Gingerbread OTA because Gingerbread did not support encryption, but for devices that support encryption it is mandatory. Because of this I can't receive work e-mail on my phone. The value my phone provides is severely diminished.
I see three options:
1. Something I'm missing that fixes this.
2. Flash back to Gingerbread OTA (Is this even possible without root? MobileIron will not allow me to receive work e-mail if the device is rooted.)
3. Flip T-Mobile the bird and go to Sprint, and sell the Sensation to make back some of the ETF.
Anyone else have anything?

If you use the ICS skin mod, the option appears to use it. I tested it on the non tmob rom.
I think if I got rid of sense and used the usual launcher it worked. Why it isn't there is beyond me. I tested it and it did work, but do a backup first.
http://forum.xda-developers.com/showthread.php?t=1470497
Well, of course, if you are running the official rom it won't work, cause you need to be running something like ARHD to use that mod

Hi!
I have an HTC Sensation XL, and recently after I updated to ICS, everything was there, including the "storage encryption" option which is automatically enabled for apps and settings. If you were prompted to add a pin code and so, then it means your phone is probably already encrypted.
One thing you should note though is that, the "phone storage encryption" will wipe out all the data in your phone storage first and then encrypt the storage, so doing a backup first would be helpful. I didn't know about this when I performed the encryption process, and so all my precious photos were wiped out...and no way to recover even with a data recovery software
If anyone could help me out with this, it would be greatly appreciated

I am running AOSP and "Encrypt Phone" is under the security tab in settings. Maybe HTC removed it in sense.

Related

[Q] There's GOT to be a more secure setup... right??

Spent most of today trying to figure out how to secure my data on tp2 with SD card. Here's my thoughts and conclusions:
I can implement windows encryption on the SD card... but that becomes a huge obstacle to flashing / hard-resets (encryption key cannot be exported and card becomes unreadable after hard-reset).
I can buy some encryption software, but my impression is that the few I have found are either way expensive or only encrypt SD card (and it seems there is no reliable option for changing the location of Outlook data storage - other than e-mail attachments - to the SD card).
But even if I find encryption software, what is to prevent someone from taking my phone and using WMDC to create a partnership and synch the contents from the phone to their desktop?
And then there is the locking of my phone: setting the phone to require a password upon startup is tolerable, but it gets old pretty fast when I have to type the password each time the phone has been inactive for 7 minutes, so I'm looking at pattern locking software (throttlelock) instead. (i.e. I require security upon startup and after 7 minutes of inactivity).
Anyone figured out how to address all these issues? Any other possible breaches in security I have not mentioned?
With Regards-
Sam
HTC TP2, T-Mobile 6.5 ROM, Vista Ultimate 64
The other problem with encryption is corruption (although not very common it does happen) Try taking a look at this list and you might also want to try this which is a free alternative, hope this helps and best of luck!
Thanks -
Anyone else have any thoughts on this?

[Q] Nexus S Stock ICS "Encrypt Phone" details?

Hi all,
So I've got a new Nexus S, and I'm running the stock 4.0.3 from Google. This phone hasn't yet been rooted or had the bootloader unlocked.
I'm a big security fan, and I've read about how tools exist that can simply slurp all the data off a phone without even breaking a sweat, and I'd like to be able to defeat such abilities. Ideally, I'd even like to be able to have su access to a device as the authorized user and owner (This is a Wind Mobile Canada phone, the carrier has no stake in it at all). I remember hacking away at my T-Mobile G1, and being a little concerned that merely pressing a button to get into the recovery at boot-time would enable full access to everything on the device for a knowledgeable attacker.
So I see under "Settings - Security" there's an "Encrypt Phone" option. Google has documentation here for the Galaxy Nexus, but it lacks specifics.
Can anyone here provide or point me to proper details? What is encrypted, how is it encrypted, how strong is the encryption, how much impact does this have on performance and battery life?
*edit - I just found this. If I'm reading this right, this is FDE on the /data partition, which is very good. Still doesn't do anything for the sdcard/usb partition though.
Have you tried it? On my Nexus S 4G (which is, I grant you, slightly different) it DOES encrypt the sdcard as well. I'm interested in others' experiences with FDE. Particularly weaknesses and developing procedures for restoring/flashing after enabling FDE.
Hi,
As part of setting up a work email account, I had to encrypt my Nexus S including the SD card. Unfortunately, that meant that I could not access the SD card to transfer music, photos...or most importantly, new ROMs to flash. I did a factory reset, which seemed to be the only option to get rid of it.
I have now gone back to Gingerbread as it does not have full encryption as an option ( so allows me to keep my work exchange account with just a pin password) But I am keen to try ICS again.
Does anyone have any solution for accessing the SD card on an encrypted phone?
Cheers
What would be really interesting if there is a way to password protect the bootloader. Does anyone know?
Best regards,
SuperMaz

[Q] Broke the glass on my screen, now I have to give my phone to a technician...

Don't worry, it's a security question alright.
I live in Eastern Europe, which is on the far side of the Samsung support network and I have a Samsung Galaxy S3 phone (GT-9300 I guess). My repair options look a little bit bleak. I must either ship it back to France, where it was bought, or I must seek help of non-licensed technicians. Thank God, there are quite a lot around here and for problems like this they do wonders.
I am worried though that the technicians may try to meddle with the software of my phone and do something nasty with it while the phone is in their possession. I use the phone quite a lot to access various servers through ssh and the servers contain semi-sensitive information about customers, phones, the equivalents of social security numbers in my country and etc. Of course I will delete my present information, but how about the future. If someone has hacked versions of the firmware, it will be child's play to get the passwords for my servers.
So I need to secure the software of my phone somehow and I'm not sure of my options, so I'm asking for advice which is better. I have experience with Linux, but about Android I'm a quite noob. I had my Amazon FireHD Tablet rooted and installed with CyanogenMOD, so I know a little bit about ROM images. The phone itself is unrooted with original software and is not locked to a carrier.
Should I:
1. Try to back up my entire ROM image?
There are various questions here. It looks like I cannot download a standalone original ROM image directly from Samsung so I must back up mine. But in the bootloader (which opens with volume up/down + home + power) it seems that there are no options for backing up the ROM image, only for restoring through ADB of SD card. Should I try to root, install an alternative bootloader and then back up everything?
There is one very important sub-question here: Will the phone signal me somehow If someone replaces the original bootloader with say, non-signed one? What If someone changes the bootloader as well as the system image?
2. Should I try to encrypt my phone.
I cannot easily get information about what exactly is encrypted. Pretty sure that the bootloader itself cannot be encrypted anyway. How about the system image. Is it encrypted?
I'll be thankful for any help about these two ideas as well as any others?
If you are paying to have the repair done by an entity other than Samsung then you have a great option available. Just out of curiosity, what version of Android are you running? If I were in your shoes, I would root the phone and install a custom recovery (either TWRP or Philz). This will allow you to take a complete nandroid backup of the phone to the external SD Card. Confirm the nandroid backup has been saved to the SD Card then remove the card from the phone and store it somewhere safe. Then perform a factory reset to completely wipe the phone and have your phone sent out to be fixed. When you get your phone back, insert the SD Card and restore from the backup. It will be just as you left it and the possibility that anyone has been able to access or tamper with your phone is almost nil... Apart from possibly large national security agencies who are known for having catalogs of common electronic items that have been compromised in various ways.
I can't speak for your exact phone, but I am quite familiar with encryption as well as the US-model Galaxy S3's. Unfortunately Samsung is known for running their own encryption schemes which are different and most often weaker than the stock. Custom ROMs will generally have an implementation based on AOSP sources. A 4 digit PIN or common passphrase can be easily broken with either, but a sturdy encryption passphrase will almost certainly provide sufficient protection.
Without knowing the specifics of your phone and whatever TouchWiz it's running, I can say this much. If you enable encryption on your phone, it will encrypt /data (application data) at a very minimum. This will almost definitely not include /system. It will probably not include the external SD card or any of the actual applications (the .apk files). The encryption would keep your data secure at rest, but it wouldn't prevent a motivated attacker from installing a hidden malicious application in the system.
You are correct in that the bootloader cannot be encrypted.
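One way to check the coverage described in the reply above on a particular device, as an added example that is not part of the original thread: the script classifies `/proc/mounts`-style lines by whether the backing block device is a device-mapper node, which is where Android full-disk encryption exposes the decrypted `/data`. The sample mount table is constructed, and the script assumes no other device-mapper target (such as dm-verity) is in use.

```shell
#!/bin/sh
# Added example: report which storage mounts sit on a device-mapper node.
# Under Android full-disk encryption the decrypted view of /data appears
# as /dev/block/dm-N (dm-crypt); everything else is stored in the clear.
# Assumption: no other device-mapper target (e.g. dm-verity) is active.

# Constructed sample in /proc/mounts format (partition names are made up).
SAMPLE_MOUNTS='rootfs / rootfs ro,relatime 0 0
/dev/block/mmcblk0p22 /system ext4 ro,relatime 0 0
/dev/block/dm-0 /data ext4 rw,nosuid,nodev,noatime 0 0
/dev/block/vold/179:65 /mnt/sdcard vfat rw,nosuid,nodev 0 0'

# classify_mounts: read /proc/mounts-style lines on stdin and print
# "<mountpoint> <encrypted|plain>" for every block-device-backed mount.
classify_mounts() {
    while read -r dev mnt fstype rest; do
        case "$dev" in
            /dev/block/dm-*) echo "$mnt encrypted" ;;
            /dev/block/*)    echo "$mnt plain" ;;
            *)               ;;  # rootfs, tmpfs, proc: not storage partitions
        esac
    done
}

# coverage_for: print the classification of one mount point, or "absent"
# when it is not a block-backed mount in the table read from stdin.
coverage_for() {
    target=$1
    result=$(classify_mounts | while read -r mnt state; do
        if [ "$mnt" = "$target" ]; then echo "$state"; fi
    done)
    echo "${result:-absent}"
}

# unencrypted_mounts: list the block-backed mount points left in the clear.
unencrypted_mounts() {
    classify_mounts | while read -r mnt state; do
        if [ "$state" = "plain" ]; then echo "$mnt"; fi
    done
}

# Demo on the constructed table; on a device, feed the real table instead,
# e.g.  adb shell cat /proc/mounts | classify_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | classify_mounts
```

On the constructed table only `/data` is reported as encrypted, while `/system` and the SD card are plain, which matches the point that encryption at rest does not protect the system image from modification.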
Thank You for the informative answer!
I had to do this once and what I did was:
- Root phone (which I always wanted to do)
- Perform a full backup to SD card
- Remove SD card and perform a factory reset of the phone
Then off to repairs.
Once back, I did again a factory reset (just in case) and then restore the lot
Seems a lot to do, but I have some sensitive data on it and didn't want to risk it too much. Besides during the restore I took the opportunity to upgrade to 4.3 (at the time)
glass
Why don't you buy a Chinese glass and change it yourself? It's so easy and cheap, around 10 euros or so. I did the same for my old phone.

[Q] OnePlus Encryption & WiFi won't turn on - HELP!

When I setup my work email via the built-in email app, my company's sync server asked that I give it permission to encrypt the phone and after I gave it permission, it rebooted (it will only allow you to encrypt if the battery is like almost or fully charged), started the encryption on reboot. After the encryption, when it came back up, it asked the pin/password - which I entered - to decrypt the storage.
But the phone came up as brand new - all the apps that were installed on the device were wiped out, it asked for my Google password again to restore the account. But what was strangest of them all was, it came up in a state where WiFi cannot be turned on now. While booting it says Turning on WiFi and it gets stuck there, but then I have to press Skip for it to proceed.
I am now stuck with a OnePlus device with an encrypted storage but no WiFi. Anybody run into this situation? If so, how did you resolve this?
I'm in the exact same boat. Encrypted the phone, reset all data, and now, no wifi.
Same Problem
I did my encryption today due to the company policy and am facing the same wifi problems. Please let me know what the resolution for this is.
Same problem here, running latest OTA.
Lost all my data yesterday after trying to encrypt my phone. Formatted /data to restore ext4 and made a clean Reset/Flash.
As all my data was lost anyway, this was the cleanest solution back to a working phone.
I want to have my phone f*cking encrypted. I can tolerate that this is an issue with custom roms made by private fellas in their free time for fun.
But as a company...?! At least removing this point from the menu would have been an option
I had the same issue with work email and my new OnePlus One. Here's how I fixed it:
1. Factory reset the One.
2. When you turn on the phone for the first time, don't set anything up, just go straight into settings and encrypt the phone.
3. After the encryption is complete, you'll have to set up your phone again.
4. Before installing anything else, set up your work email. You'll still be prompted for the security administrator privileges, but when it gets to the point where it would normally demand that you encrypt, it sees that you are already encrypted, and nothing bad happens to your wifi.
I hope this helps, it took me a whole day of fiddling to figure it out.

Enter password to decrypt

Hi!
I've gotten my new HTC One A9 last Friday on the release-date here in Denmark. Every time I restart the phone, it asks me to enter my 4 digit pincode (from the Android security settings) to decrypt the phone (which doesn't happen actually) - it then shows a green Android and boots up to Android. I've sent a mail to HTC Support but haven't received an answer yet (still waiting), but thought I would ask you guys if you know what it could be
The encryption is probably enabled in settings --> storage --> phone storage encryption. If it's like the previous HTC models, the only way to remove encryption is with a factory reset. Afaik, encryption is now enabled by default on all 6.0 phones that are fast enough to support it without a noticeable performance drop.
Well, I got an explanation from HTC Denmark. The rep. said it's enabled as an extra security feature, when I've enabled finger-print + pincode as a lockscreen security. If I turn the extra security off and delete the fingerprints saved in the phone, it doesn't ask me to put in the pincode to decrypt the phone when booting it. It's apparently something new on HTC phones, the rep. said.
interesting, thanks!
I believe it's a security feature of Marshmallow 6.0, not specific to HTC. All Android 6.0 phones are encrypted by default, they also must provide a secure erase feature when factory resetting the phone from the settings menu. Progress, if you ask me
Hardware encryption (supported by almost all decent smartphones) = strong key pair
If the private key is deleted, then no way to decrypt. So it will be OK even if you don't erase the flash with garbage data.
