[Q] How do YOU manage sensitive data? - General Questions and Answers

I am looking for a secure & simple method to keep sensitive data on my phone that will survive wipes/rom flashes. I used to keep a password list in my Google Docs, but I misplaced my tablet at work (fortunately a coworker locked it up until I could retrieve it), so I nuked that idea.
I tried mSecure and spent half an hour saving all my personal info, and lost it the next time I flashed a rom (I also keep the info on my desktop computer, so no big deal). Maybe mSecure has an option to keep an encrypted file on external memory, I didn't play with it enough to see.
Cloud services are ok I suppose, but I really prefer having the info on the phone itself, for those rare times I don't have a data connection but need access to passwords, etc.
Some people use a method of encrypting/decrypting files on their device. That sounds pretty ideal to me ― just decrypt it when needed and encrypt when done. If you lose the device, hopefully the encryption is strong enough to prevent anyone from stealing your info.
How do YOU manage sensitive data?

KeePassDroid for passwords. You can sync the database to the cloud if you want. PC compatible.
EDS Lite for data; it's TrueCrypt container compatible (in specific settings), so you can mount it also on PC.

Use TrueCrypt on a PC to create a container sync'd to DropBox (or similar), but pay attention to the settings to make it accessible on Android using EDS Lite.
Sync the encrypted container to the Android device using DropBox/Dropsync.
Use EDS lite on Android to access the sensitive data, when needed.
Use some kind of backup system (e.g. CrashPlan) to back up the DropBox folder, just in case the secure container gets deleted on a device and the deletion gets mirrored by DropBox. (You can normally recover deleted files on DropBox, but there may be a one month limit for free accounts, and it's best to have a secondary backup system, just in case!).

Related

SECURITY: passwords storing

I would be really pleased if someone could give me a technical description (a cryptographic one) about how ANDROID stores the user's private passwords. I mean, how are they encrypted (if they are)? Using what algorithms and keys?
The reason is easy to understand. A normal user gives its phone 2 types of passwords that should be protected:
1.- One is Google's main password used by the phone to sync (GMail, Calendar, etc)
2.- The second are the passwords that have been marked in ANDROID's browser as: "remembered"
It isn't hard to imagine a situation in which your phone becomes lost and arrives in the hands of someone who (before formatting it) wants to take advantage of or obtain all the phone's stored passwords.
In fact, reading the internal file system or the SD one must be almost trivial, and from there obtaining the passwords. How does ANDROID protect the user against it?

WM user looking at Android - some feedback pls ?

Hi,
Just as the title says, I am a very long time (since 2002) WM user. My current phone is also a WM device. I will keep it for another year, and I want to be prepared once my phone is due for an upgrade.
I use the phone both for personal stuff and for work - mainly scheduling, working with project related info, task lists, excel spreadsheets etc. Ability to share PIM data and files across multiple computers at work and at home is essential, as well as syncing to online calendar (I use Google).
Most of my work and some personal info was in ListPro database files and Excel spreadsheets. However, ListPro doesn't really work well when one has to juggle info between different computers all running different OS, plus AFAIK there's no Android app yet. Anyway, to make life simple, and to be able to bring my data with me on a USB stick to any computer, I recently migrated most of it out of ListPro files into DOC files (can be easily converted to RTF) and Excel spreadsheets. So far, I had no problems using it on any Windows or Linux system. I also sync much of this data to my phone where I can quickly access it via Pocket Office. I prefer to use formatted text as it makes it easy to work with information, and applying formatting in Pocket Word is fast.
Finally the next big thing is information backup, especially PIM data. Don't know if this problem is specific to ActiveSync on WM, but every now and then the calendar gets completely out of whack and needs to be restored from backup which I run daily on the phone.
Anyway, sorry for the long-winded intro. Here are some questions:
How easy is it to sync files on an Android phone to a computer via a direct connection (USB / BT / WiFi, i.e. not via cloud) ?
I was looking online for a good free Android editor capable of working with either RTF or Word Doc files, and couldn't find any - all I found was some paid soft. It has to be one of these formats so that I could send files to other people. Can you recommend an app ?
Can you work with PIM data on Android phone offline ? (I assume yes). Does it have to be connected to the internet at all time ? (I assume not)
Is there a free Excel compatible application other than Google Docs ? I.e. an app that can work with native Excel files and would output a file that Excel users can open on the computer.
How does backup work on Android - is there a way to automatically backup Google Calendar, Contacts, ToDos ? (I know I can download ICS files manually).
Any other things I may have overlooked ?
Thanks !
1. It is quite easy to sync files between an android phone and pc. It depends on your phone brand, e.g. if you have an HTC Android phone, you could simply download and install HTC Sync on your pc and easily sync anything.
2. For document editing and excel format dealings, you could download and install quickoffice pro to easily deal with word, excel, powerpoint, and pdf documents.
3. Accounts and syncs (online) can easily be set to run in the background and you can download backup applications.
Good luck.
Your PIM data is backed up to Google contacts and calendar automatically. Any change made on your phone or PC syncs to the other next time you connect. As far as backups go, you can use things like Titanium Backup to back up individual/all system apps, installed apps, and their data to either the local SD card, online to DropBox, or both. And, if you root, you can take backup snapshots of your entire system and restore your entire OS and all the configuration of installed apps and widgets in just a couple of minutes. I do the full app backup nightly and the full OS backup about once a week.
Syncing is easy as your computer mounts the SD card as a drive letter on your device. There are lots of sync options out there that can be used to automatically sync files or entire folders to removable drives when they are connected. You can use them to sync documents to and from as well as things like syncing your phone backups to the computer. Both HTC and Motorola have sync software as well that acts somewhat like iTunes or Windows Media Player in syncing things like music libraries to your device. Personally, I prefer the old file explorer method.
As far as your RTF and Excel files go, there are a couple of different apps out there that work with Google Docs. If you don't want to sync with Google Docs at all or use their editors, your best bet is one of the office suite packages. I know of three or four of them that are available. Some offer free readers, but you need to purchase the pro version to edit. There is an Excel editor that I saw that was only $2 though, so there ARE cheap options out there if you don't want to go the free Google Docs route. Personally, I just sync my docs folder on my laptop with Google Docs and do any small edits I need on the Android using Google Docs. If I want to do a lot of heavy editing, I use the big screen of the laptop anyway.
If you have any other questions, I'll be following this thread and will respond with whatever I know. I know the stress of deciding to move to another platform. I've been on Palm, Blackberry, WM, iOS, and now Android. And, I have to tell you, I like the Android best of all and can't think of a single thing that I used to do on those other devices that I cannot do on this one.
Thanks, guys !
The reason I don't like using Google Docs is twofold. First, and foremost, the access to GD service via our corporate internet is blocked. I work for a major corporation, and as far as I know, at least two of our biggest competitors block GD as well. (We at least can access gmail and calendar). They see it as a potential security issue. Actually for me it's a security issue as well - if anyone ever got hold of my Google password, I definitely don't want them browsing through some of my personal spreadsheets, or any of my work-related stuff. It may be ok for them to see the list of invites to my kids' party, but definitely not my 401K rebalancing sheet. I do use Docs as dropbox, but I upload excel files saved inside AES encrypted zip archive.
Second, I need Doc and Excel since many of my work docs get shared with other people, and I like to be able to email them right away in a useful format.
Thanks ! I will keep reading up on the subject. My wife does have an Android phone but I don't have time to play with it at home.
Added: another thing that bugs me about Android, is that whomever steals your phone has full access to all of your Google services. The way it works on WM, they would only be able to see a few days' worth of emails (I do not save passwords to sensitive sites in browser cookies). The way Android phone is fully integrated into online Google, however, makes it a perfect key to all your Google data. I password protected her phone but I don't put too much trust into a 4-digit PIN.

SplashID v7 upgrade security issue

Besides the issues SplashData has with their SplashID v7 android upgrade losing many customers' data, there is also a very worrying security issue which splashdata ignores (and actively censors; my messages regarding this on their FB page have been deleted and I am blocked from commenting or writing there).
Here is the issue:
The new SplashID version 7 had a cloud sync feature (30 day free trial, then for a fee). When first starting the upgraded version (which may have been installed automatically on Android if one allows auto upgrades!), one first has to again enter one's email address/username, and then the password (which is the one used to encrypt one's database containing all one's private, sensitive data!). Then the upgrade asks whether one wants to try the cloud sync feature.
Even if one declines and opts to stay with the existing Wi-Fi sync feature only (which does not need a cloud account), the upgrade goes ahead and automatically creates such a cloud account on splashdata's servers, *and it uses the same password* for this. (In fact as a further part of the upgrade procedure one needs to log into those cloud servers using that password after receiving an activation link in email.)
So, splashdata leaks the master password which one uses to secure one's most private data (credit card pins, login password etc) into their cloud, without telling that this will be done, nor asking permission.
There is no info whether the password is stored securely (doubt it), whether it is in all cases transmitted securely (doubt that too) and anyhow, once this has happened one has lost control over that most important password. It's burnt, in the wild, out of one's own control.
Note that changing the password on one's own copy of SplashID is a good idea after that, but any old copy of one's encrypted database that might still live on any old disk backup, cloud service (dropbox etc) or SD card somewhere, is now vulnerable.
And because splashdata in their 'wisdom' associated one's email address (and thus identity) with that password, it's easier for hackers to find it. Better companies than splashdata have lost passwords in the past.
It is even a very bad idea to use the same password for a cloud service as one uses for securing one's private data. Forcing this onto users without permission or warning is almost criminal.
Sent from my GT-N7000 using Tapatalk 2
Ouch, that sounds a bad idea. If the user doesn't want a remote account made, they should respect that. Can you give me any more details about this, I would like to contact them and request some proper response to this. While they might not be leaking the plaintext password, anything that can be "opened" with your password is a significant enough leak, as it would allow an attacker to verify they have the right password.
Not much more than I already said. I am a long-time user of their SplashID (Mac) Desktop and Android app to store all my credit card, bank account and yes, many systems passwords in.
The database they use is encrypted with a 'master password' which one has to enter on one's Android (or iPhone, etc) or Desktop every time to unlock and decrypt (in memory), so that one can access the data.
The same password is used on both the mobile and desktop of course.
A few days ago, an upgrade to SplashID v7 was made available on the Google Play store. I don't allow 'automatic' updates (though I am sure a lot of folks do!), but this time I also did not really check what the upgrade offered, and clicked 'UPGRADE ALL' when it was offered along with a number of other upgrades. So it got installed.
When I subsequently opened SplashID again, it told me about all the shiny new features (cloud sync etc) and as normal asked me for my password (it also asked for my email address. I thought that this was for them to check my purchase/license and what features would be enabled).
I thought that it would then show me my data. But wrong. Instead it offered me a selection whether I want to use the new 'cloud sync' feature (30 day free trial, later for $$), or stay with the normal 'wifi sync'.
I opted for the latter (because I don't trust having my data sent to the cloud).
Anyway, the next thing I get is a message (paraphrasing): "we have created your cloud account, you will get an email and will have to verify your email". Sure enough, I get an email:
Thank you for signing up for SplashID Safe Personal Edition!
To activate your account, please verify your email address by clicking the link below: Verify Email
Then check your email for our SplashID Safe Welcome message.
The link goes to: https://www.splashid.com/personal/webclient/login.php
I had to again enter there my email address, and *the same password* that I entered before (which I thought would be for my private data-store).
Yes, that same password was used to create my account on their cloud server, even though I opted for the Wifi Sync *only* and never asked for a cloud-sync.
Nor did the app tell me that the same password would be used to secure that account.
The issues with this are self-evident:
a) my most secure password, the one used to secure my data on my mobile and on my desktop, is now 'leaked' to their cloud account
b) I have *no* idea how securely that password was transferred (in clear, encrypted, just a hash), nor how securely it is stored
c) it clearly is linked to my cloud-account on their website, so
- someone somehow learning that password could 'verify' it by accessing that account
- if someone hacked their system and accessed their database, that link would be apparent to them
d) I have lost *all control* over securing that password myself. It is 'burnt', 'in the wild'
e) Any past backups of my secure SplashID database that may live on SD cards of mine, on backup disks, which may have been copied to the cloud (dropbox, others) are now vulnerable. It is no use for me to change this password here now, as old copies that may still exist somewhere are still encrypted with this password (and I cannot change them back).
Yes, I am trying to limit exposure for that password data file as much as possible, but eg Titanium Backup may have at some point in the past backed it up and copied a backup to the cloud (yes, that is also encrypted, but once that feature failed).
More than that, of course users who are not as security conscious may have opted for 'cloud sync'.
While I have not tried this feature myself, it sounds to me like this does copy the data to SplashID's cloud and there secures it too only with that one single password.
So many users who may not have thought all this out may have opted for the 'CloudSync' trial, and not only have their password 'leaked'/'burnt' now, but also have all their data in the cloud, again secured only with a password that is no longer in their sole possession.
In fact, any secure, trustworthy system would have
a) been *very* upfront about what they are going to do with the password and the cloud account
b) used a separate password to secure the cloud account
c) only stored my encrypted copy of the database in their cloud, without *them* having the password for it
d) done any syncing on the client (ie, transfer the complete encrypted password to the mobile or desktop where the comparison/updates would happen and then copied back again a secured file, that was encrypted on the mobile).
More discussion on SplashID's own site: http://forum.splashdata.com/showthr...ically-send-in-background-to-splash-id-server
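The separation asked for in points b) and c) of the post above, as an added Python sketch that is not part of the original thread and not SplashID's code: the client derives two independent secrets from the master password, and the server only ever receives the login one. The `CloudServer` class, the function names, the iteration counts and the sample e-mail address are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumption: cost parameter picked for this example, not taken from any product.
PBKDF2_ITERATIONS = 600_000


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256: one input key, labelled outputs."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(master_password: str, kdf_salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Stretch the master password once, then split it into two unrelated keys."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), kdf_salt, iterations)
    vault_key = hkdf_expand(stretched, b"vault-encryption")  # never leaves the device
    login_secret = hkdf_expand(stretched, b"cloud-login")    # the only value sent out
    return vault_key, login_secret


class CloudServer:
    """Hypothetical sync server: keeps a salted hash of the login secret, nothing else."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, kdf_salt: bytes, login_secret: bytes) -> None:
        server_salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_secret, server_salt, 100_000)
        self.accounts[email] = {
            "kdf_salt": kdf_salt, "server_salt": server_salt, "verifier": verifier,
        }

    def get_kdf_salt(self, email: str):
        account = self.accounts.get(email)
        return account["kdf_salt"] if account else None

    def login(self, email: str, login_secret: bytes) -> bool:
        account = self.accounts.get(email)
        if account is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", login_secret, account["server_salt"], 100_000)
        return hmac.compare_digest(candidate, account["verifier"])


def client_signup(server, email, master_password, iterations=PBKDF2_ITERATIONS) -> bytes:
    """Create the cloud account; returns the vault key, which stays on the client."""
    kdf_salt = os.urandom(16)
    vault_key, login_secret = derive_keys(master_password, kdf_salt, iterations)
    server.register(email, kdf_salt, login_secret)
    return vault_key


def client_login(server, email, master_password, iterations=PBKDF2_ITERATIONS) -> bool:
    kdf_salt = server.get_kdf_salt(email)
    if kdf_salt is None:
        return False
    _, login_secret = derive_keys(master_password, kdf_salt, iterations)
    return server.login(email, login_secret)


if __name__ == "__main__":
    server = CloudServer()
    # Constructed sample account and password.
    key = client_signup(server, "user@example.test", "correct horse battery staple")
    print("login ok:", client_login(server, "user@example.test", "correct horse battery staple"))
    print("server holds the vault key:", key in server.accounts["user@example.test"].values())
```

Even with this split, a stolen server record still lets someone test master-password guesses offline at the cost of one key stretch per guess, which is the verification risk raised in the reply above; only a separate cloud password removes that link.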

How do you backup the photos/videos? Looking for an easy and robust way

How do you backup the photos/videos from the phone? Is there any easy and decent (not locked in to one service, etc.) way?
Until 2019 Google Photos was syncing with Google Drive. But now they removed it, and storing just in Google Photos doesn't sound great, no easy way to sync with PC, etc.
For now I am thinking to sync between the phone and PC via 100-200 GB Google Drive, and when it fills up move some photos/videos to other HDDs, etc. (I also backup to Backblaze B2 from my PC)
Is it possible to automatically sync the photos/videos taken by the phone (Huawei P30) using the standard Google Drive app? Or do I need something like FolderSync?
I had been searching for several days to find a user-friendly application which I could use to simply back up and save readable versions of the files in my phone (Huawei Mate30). There are various tools available, many of them free and others which bear a small price tag, which will perform basic back-up and restore. I tried a few which did indeed create backup files. Some of them were useful for sending the backup files to a Google account, a Dropbox account or even directly to my computer via a USB connection. But it was often difficult if not impossible to translate the file into something readable. Then I found an application developed by the Mobikin company called “Backup Manager for Android”. I installed it on my trusty Windows, connected my phone via USB and it worked as I expected. This is the most satisfying one I have ever used and is worth trying.

Question Backup options for Stock+Unrooted+Locked Pixel 6a

I have a new 6a here, never turned on before. I'm planning to use the stock image without root on this phone, so I can keep receiving OTAs, etc. I want this phone to just work with minimal maintenance effort.
Going forward, what is the best way to back up the data on this phone? I'm mostly trying to protect against hardware failures.
My goal would be to quickly restore the previous state on a new Pixel 6a, if the hardware stops working for whatever reason. (Which happens 1-2 per year in my case, oops.)
My understanding is that the Google Cloud backup would be the most convenient option, but that it's not end-to-end encrypted. Correct? That's a K.O., unfortunately.
EDIT: Seems Google Cloud Backup DOES have E2E? Can someone confirm? The dialog that Android shows is very ambiguous.
Thank you!
What do you mean end-to-end?
I do use the google backup and it's pretty legit. It's not a 100% "image" back up...but does include all your settings, apps, text messages, google photos etc. You can set it up to auto-backup every day or so when charging/on wifi at night...backs up to your Drive app.
When I reset the phone or add a new rom - it's about perfect. The only thing I "lose" or have to move back to the phone that google doesn't cover is data that the app doesn't automatically restore. So like - a stand-alone music library. But all my other apps automatically restore all their data as well.
So if an app uploads/auto-restores the data from their servers, you'll get everything back 100%. If an app only saves to your sdcard, you'll lose that data. I really only have 1 app that does that so not a big deal.
End-to-end encryption - Wikipedia
en.wikipedia.org
Encrypt the backup in a way that only the owner of the device can read it, but not Google or anyone else with access to Google's servers.
iCloud backups are not E2E encrypted, for example, so anyone with access to Apple servers could read your data. Apple just announced that they are going to change that, though, as far as I remember.
QUESTION:
I noticed that there's an option in the Developer options that allows me to set a DESKTOP BACKUP PASSWORD. What software would I then use to create the backup on my computer?
Sounds like iTunes local backup... I liked that option, I don't need it in the cloud.
EDIT: Found something here https://forum.xda-developers.com/t/ics-psa-how-to-full-desktop-backup-no-root-needed.1607254/
Why are people not using / recommending this? Sounds great?
@V0latyle @simplepinoi177
Google say their backups are encrypted:
Where your phone data is stored: Backups are uploaded to Google servers and they're encrypted with your Google Account password. For some data, your phone's screen lock PIN, pattern, or password is also used to encrypt your data so it can be backed up safely.
Back up your device - Android - Google One Help (support.google.com)
Yeah, that's what I saw in Android when I decided not to use it. This suggested to me that some data was ONLY encrypted with my PIN/Pattern, and that didn't seem like strong protection. (Once it's in the cloud, you have to assume it will be there forever... and who knows if my PIN is still considered secure in X years from now.)
I still have to do more research, but so far my sense is that the sensitive data is encrypted at least with my (much more complex) account password.
Try Swift Backup. You need ADB for backing up system apps, but you don't need root lol
