SDcard encryption as a portable container with cross-compatibility - Security Discussion

Question: Is there a way (e.g. an app) that allows for PORTABLE encryption of the COMPLETE sdcard and/or specific directories on the sdcard while providing CROSS-COMPATABILITY with Truecrypt/Veracrypt on a Computer? The solution should best be proven to work (no implementational bugs).
--------------------------------------------
Background: In Android M (and I think N) you have the option to either us your sdcard as portable storage or as extended internal. While the first option provides no security what so ever, the latter does render the sdcard useless in case you loose your smartphone (e.g. stolen) or simply want to work with it on a computer from time to time.
For me, neither having a useless sdcard without my smartphone or not being able to save the encryption-container headers myself (like with truecrypt) is an option. Cause if desaster strikes all your data is gone, even if being safeguarded.
As I am sure that there a many security aware users I cannot be the only one looking for this? I've found several apps that offer encryption like sse, crypto ghost etc.... but they do not offer cross-compatibility with a computer.
Thanks.

Just be more specific here: I think cryptonite is an abandoned project (besides not working for me on Android 6) and I am not sure if EDS (Pro) can handle what I am asking for?

App called Fileseal might be what you're looking for. Will encrypt SD completely or just particular folders on sd card or internal storage. All automatically mind you.
It DOES have a windows application so you can use it on your computer to decrypt your files.
The only downside to app is it a bit on the pricey side, but totally worth it in my opinion.
Sent from my STV100-3 using XDA-Developers mobile app

Related

[GUIDE] MTP and PTP (Media Transfer Protocol) vs UMC (Mass Storage Class)

Here I will post the advantages and disadvantages of the two.
Advantages of UMC
UMC works at block level. It means that you access the partition from the operating system like if were local, and you have complete control of it.
For the previous reason, UMC keeps timestamps for files and folders. This is specially important for pictures, photos or videos that don't have EXIF, where you rely on file creation or modification time to arrange them and to know when were taken. MTP sets for all transferred files current system time, thus overwritting the real creation or modification time and ruining your gallery.
UMC allows the use of recovery software (Recuva) or partition software (Easeus Partition Master) and even format with a different filesystem. Without UMC you have to use android side software that usually is less powerful, needs a rooted phone, etc.
As you have total access to the partition, you can access all files there, even hidden, system, etc. With MTP you only have access to the files that the controlling operating system (android) wants. For example, with MTP, files starting with dot (.file) are not accessible. Some file formats are not allowed.
UMC is compatible with any operating system that allows connecting a FAT32 / exFAT pendrive, while MTP requires specific support. Linux and OS X may have built-in support or not.
With UMC you directly access the files, so modification is instant, and viewing. On the other side, with MTP you download it, modify it and re-upload the edited version, but you never do it directly. Even to play files you need to completely download it first. Imagine downloading a 5 GB MKV.
UMC is always the same, while for MTP there are several implementations: MTP, MTPZ (Microsoft Zune), Sony SonicStage, Apple DMAP.
UMC is faster than MTP because requires less time to initialize transfer, but isn't that big difference for an average user. The higher the number of files to be transferred and the lower the size of each file, the higher the ratio MTP/UMC.
Advantages of MTP or PTP
In MTP mode, the android device controls the input/output to the filesystem, so there is no risk of data loss because of cold disconnecting the device from USB. You work on a layer over the filesystem. With UMC you must be careful.
MTP allows you to use the sdcard from both the android phone and the computer at the same time, even to any desired number of them. On the other side, with UMC you only can do it from a device at a time, meaning that you have to unmount the sdcard from the android to view it on the computer, stopping apps, etc. Of course there are software that can force viewing UMC from both sides, but is a highway to corruption.
MTP does not show the native filesystem to the computer (it uses a hierarchery simulated by the MTP driver), so it will always be compatible. For example, on devices with the same partition for data and sdcard (like Galaxy Nexus, Galaxy S3) you are writing from the computer to an ext4 partition and you don't need windows to support it. The same if the device partition were in any imaginable filesystem, the MTP will show you it in a standard hierarchy. On the other side, with UMC your local operating system (windows, linux, mac) must support natively the filesystem of the partition or download some software that allows you to do it.
With MTP you use all capabilities and disadvantages of the device filesystem. If the filesystem is in ext4 you can copy files over 4GB to the device, that you couldn't in UMC mode because usually it will come formatted in FAT32, that is the most compatible fs for all operating systems.
MTP enables Windows Media DRM, UMC doesn't.
MTP allows the use of password for accessing the files (on compatible devices). On the other side, with UMC, of course you could use powerful tools like TrueCrypt, but you need the corresponding software on android that reads it.
How to preserve timestamps
- Use File Timestamp app. Root is required, and works recursively too.
- Use Mass Storage Mode when possible.
- zip or tar the files when sending them to the phone or receiving from.
- If the device has external sd, you can use it as a man in the middle.
- samba (smb protocol) allows preservation of timestamps, however applications for android don't support it.
- FTP allows preservation of timestamps, however applications for android don't support it.
- NFS allows preservation of timestamps, however couldn't get any application for android working properly (Servers Ultimate Pro).
- Rsync allows preservation of timestamps, however couldn't get any application for android working properly (Servers Ultimate Pro).
- adb push and pull does not preserve timestamps. Furthermore doesn't work recursively with folders.
- MTP does not preserve timestamps.
- Cloud services like Google Drive, Dropbox, etc. usually never preserve timestamps.
Questions and answers
Is possible to implement MTP on "put here your device"?​Possibly yes, if has USB. MTP works on software side, so updating your rom or installing a new one will do the job
Is possible to implement UMC on "put here your device"?​That depends on hardware mainly. If the internal sdcard and the data folders belong to the same partition, you can't. The reason is that you can't enable access to a part of a partition at block level, the whole or nothing. This is the case for Galaxy Nexus and Galaxy S3, in order to take advantage of all space, and discard the case where you have filled a partition and the other plenty of space.
Dan Morill said:
It isn't physically possible to support UMS on devices that don't have a dedicated partition for storage (like a removable SD card, or a separate partition like Nexus S.) This is because UMS is a block-level protocol that gives the host PC direct access to the physical blocks on the storage, so that Android cannot have it mounted at the same time.
With the unified storage model we introduced in Honeycomb, we share your full 32GB (or 16GB or whatever) between app data and media data. That is, no more staring sadly at your 5GB free on Nexus S when your internal app data partition has filled up -- it's all one big happy volume.
However the cost is that Android can no longer ever yield up the storage for the host PC to molest directly over USB. Instead we use MTP. On Windows (which the majority of users use), it has built-in MTP support in Explorer that makes it look exactly like a disk. On Linux and Mac it's sadly not as easy, but I have confidence that we'll see some work to make this better.
Click to expand...
Click to collapse
Sources:
Easy UMS, USB Mass Storage and Media Transfer Protocol – XDA Developer TV
DifferenceBetween: Difference Between MTP and MSC
Directions on Microsoft: What is MTP?
CrackBerry: On startup - Media Transfer Protocol
Ice Cream Sandwich supports USB mass storage after all, Galaxy Nexus does not
Issues and questions:
[Q] Hidden folders through Android MTP
Nexus 4 not showing files via MTP
[Q][MTP] Certain files/directories hidden to windows file manager?
Connecting to PC files are different!
MTP and hidden files
[Q] Hidden files and MTP/Windows
[Q] Do the S3 still using 2gb partition for data and 12 as virtual sd?
Just got meself a Nexus 7... But!
Upload to dropbox: file timestamps should be preserved
Android File Transfer - For Mac users only
Thanks for this guide !
If I understand this correctly, then devices like the Asus Transformer Eee Pad (TF300T) which has a 16GB or 32GB internal storage, PLUS a microSD card (and standard SD card slot when docked) could use UMC, if the manufacturer made it so (which they haven't), right?
invertedskull said:
If I understand this correctly, then devices like the Asus Transformer Eee Pad (TF300T) which has a 16GB or 32GB internal storage, PLUS a microSD card (and standard SD card slot when docked) could use UMC, if the manufacturer made it so (which they haven't), right?
Click to expand...
Click to collapse
The UMC should appear then for the microsd, which you can physically remove from the phone, plus the dock if existent.
For the 16/32 GB internal storage it depends if there is a dedicated partition for internal sdcard. Check it for the Eee Pad.
Well, then I assume(?) Asus were lazy or just didn't think to give us the choice, cos I only have MTP or PTP mode. I miss UMC.
invertedskull said:
Well, then I assume(?) Asus were lazy or just didn't think to give us the choice, cos I only have MTP or PTP mode. I miss UMC.
Click to expand...
Click to collapse
Well, assuming that you have your device rooted and with busybox, can you post the output of these three commands
Code:
ls -lR /dev/block
Code:
mount
Code:
su
parted /dev/block/mmcblk0
print
scandiun said:
Well, assuming that you have your device rooted and with busybox, can you post the output of these three commands...
Click to expand...
Click to collapse
Sorry, I don't have it rooted. I have been asking around if rooting / unlocking the TF300T would give me the option for UMC, but pretty much everyone told me chances are zip.
invertedskull said:
Sorry, I don't have it rooted. I have been asking around if rooting / unlocking the TF300T would give me the option for UMC, but pretty much everyone told me chances are zip.
Click to expand...
Click to collapse
Rooting can't change that because it's hardware implemented. You can't do anything about it. Probably the Eee pad transformer doesn't have a dedicated partition for sdcard.
A quick way to check it is see if the free space for the sdcard and the userdata is exactly the same, and is always like that no matter on which of the two partitions you write.
About the issue anyway, modern phones like Galaxy S3, Galaxy Nexus, Galaxy Note and probably newer like Nexus 2 and Note 2 won't have it anymore, it's just the way to go because takes all the advantage of the free space on the device. It will be the standard from now on.
EDITED:
If you want UMS on devices that don't have it, you can use DriveDroid from market (there's both free and paid). With it, create a blank file that will be used as "partition". Then you can connect your phone to your computer and put there the songs you want. Then do the same in the car. For example, in my Nexus 7 I've created a 2 GB file which serve for that purpose (takes a while when is big).
http://forum.xda-developers.com/showpost.php?p=39203658&postcount=21
I have 20.71GB free internal, and 1.89GB free on the mSD card. :/
invertedskull said:
I have 20.71GB free internal, and 1.89GB free on the mSD card. :/
Click to expand...
Click to collapse
Because the mSD is another sdcard, different than the internal, in case it has it.
Would be great if you could get the partition scheme as I requested before, or ask for it, to definitely rule it out.
scandiun said:
Because the mSD is another sdcard, different than the internal, in case it has it.
Would be great if you could get the partition scheme as I requested before, or ask for it, to definitely rule it out.
Click to expand...
Click to collapse
Is this what you need?
when i connect my device with computer(MTP conection), i saw 1drive appear, then i go inside, i saw 2drive(iternal&external with how many free space left), go inside again always empty... how to use it?
I get that also. Just go into either one (internal or external) that you want to copy your files to and do your stuff.
invertedskull said:
Is this what you need?
Click to expand...
Click to collapse
More or less. The internal sdcard and the external (microsd) are different, one has 27.15 GB and the other 29.80 GB.
Click in the More... and see if you have UMC for the external microsd
scandiun said:
More or less. The internal sdcard and the external (microsd) are different, one has 27.15 GB and the other 29.80 GB.
Click in the More... and see if you have UMC for the external microsd
Click to expand...
Click to collapse
Nope, I only have MTP or PTP. This makes me sad.
Of UMC, MPT, and PTP, which is the most benigh?
I don't know if this is the best place to ask my question, but at least you all seem to understand this all pretty well.
I plug my phone into my PC to just use ADB. Under Gingerbread, I would select "Charge only" as my USB connection type.
With ICS, there is no longer the "Charge Only" option for an USB connection to a PC. I have to pick UMC, MTP, or PTP.
Given I really don't want to use any of those, just ADB, which of the three is the most benign one?
WaltA said:
I don't know if this is the best place to ask my question, but at least you all seem to understand this all pretty well.
I plug my phone into my PC to just use ADB. Under Gingerbread, I would select "Charge only" as my USB connection type.
With ICS, there is no longer the "Charge Only" option for an USB connection to a PC. I have to pick UMC, MTP, or PTP.
Given I really don't want to use any of those, just ADB, which of the three is the most benign one?
Click to expand...
Click to collapse
Either the MTP or PTP are the safer ones. There is no possibility to select "none" like was possible in previous version as you say. The UMC has the disadvantage that if you activate the Mass Storage usually the /sdcard won't be available from ADB commands.
Anyway, the ADB is separate from those options. The ADB option is usually found under Developer options. You can use adb with any of the options you say.
Thanks a lot very very helpfull!
oops, delete post. wrong window lol
scandiun said:
Rooting can't change that because it's hardware implemented. You can't do anything about it.
...
About the issue anyway, modern phones like Galaxy S3, Galaxy Nexus, Galaxy Note and probably newer like Nexus 2 and Note 2 won't have it anymore, it's just the way to go because takes all the advantage of the free space on the device. It will be the standard from now on.
Click to expand...
Click to collapse
I thought I would let you (and anyone else reading this thread) know that your post here is wrong. It's not "hardware implemented" in the sense that these two protocols are software implementations of data transfer. In fact, in many cases, even where there is NOT a microSD card that is mounted as a separate partition from system/data, the UMS/MSC (USB Mass Storage Transfer/Mass Storage Class) can still be implemented by this procedure:
1. Root (and optionally flash a custom ROM, that can be easily modded)
2. boot into alt OS, such as Recovery or OS from alt. source (USB OTG?)
3. Partition such that you have the required "separate partition"
4. add kernel modules/libraries you want and will need for UMS/MSC
5. Boot up and enjoy UMS/MSC as well as MTP (if you don't mind crappy speed)
Done.
Also, regarding MTP/PTP (Media Transfer Protocol, which is actually different from Picture Transfer Protocol), being a future replacement for all "modern phones", I am not so sure. It is designed for that indeed, but the Android community is different from most others. I will personally be going out of my way in the future, to ensure all phones I buy have removable uSDcard slots, as long as I can still find them, because it makes recovery in a bind, much easier (like, if there's a problem establishing communications with a computer, and numerous other possibilities). There's nothing like popping in a 32 or 64 Gig card of movies, training videos, eBooks, etc., within 10 to 20 seconds, vice the hours it will typically take to transfer even 5 Gigs of videos over the MTP protocol. Again, I don't like programs handling all my media for me. I prefer to see the files where they live (a higher fidelity simulation, is afterall, a hallmark property of how sharper minds represent reality, and abstractions from it are always mere shortcuts we use in a hurry). You got an easier method to rapidly check file hashes on your phone, from your laptop? Think of it this way, saying that MTP will "replace" UMS, is like saying Apple will replace Linux.
Regards,
Paul
:good:

Secure Deletion

A few weeks ago there was something on the UK news about smart phone data and how when you sell/recycle your phone most people leave accessible data on the phone after a factory reset. There was lots of trying to shock people (reading out text messages and browser history) but the solutions were barely discussed, all that was said was something like "There are programs that can overwrite your data"
So what do people do when they sell their android phone? I've seen an app in the play store called nuke my device, it basically overwrites the internal SD card then does a factory reset, I'm still not sure that would totally erase all data though?
I know all about methods for PC hard drives, but I too wouldn't mind knowing how android systems should be handled.
Yeah I know about PC Hard drives too. I have bought the nuke my device app from the play store, its cheap, I haven't used it yet!
To block undeleters it's sufficient to fill space with "generic" data then delete the file
As for removing the chip and using an external programmers, some indeed expose raw memory over the pins (MTD chips) and there's no reasonable way to wipe the hidden areas (well, assuming you want a device that still works - otherwise there's the Cobra 6 method), others have on-chip mappers (all SD cards including eMMC) which can have a TRIM command -- which however has historically been a major cause of bricks on some controller firmwares...
When I posted I was looking at some similar threads, someone made a program that deleted everything on the phone except the recovery (then you could flash another rom - I don't know if it overwrote or just deleted) I think it was for an Asus transformer tablet.
Whenever I've sold something before I have just connected it to my computer and written large files to all the available space. I don't have any sensitive data but I like to make sure everything is deleted before I sell something.
I'm surprised there's not more information/apps or whatever on this subject (wiping android) there's lots of programs for PC's to securely wipe drives. Some sites mention about encrypting the phone then wiping it, I guess that's the way to go.
My first thought was too, that it must be different from hard drives.
My initial idea would be to encrypt everything. Luckily since Honeycomb, Android supports this out of the box(but it's not hardware based) So even if data can be restored, it'd be nonsense(if the manufactorer implemented it correctly). You could choose a strong password, because you won't need to remember it anyway since you wipe the phone afterwards.
I found this article that agrees with me androidcentral.com/securely-wiping-your-android-phone-makes-it-just-fine-sell-fud
Then there is this article on lifehacker: lifehacker.com/5808280/what-should-i-do-with-my-phone-before-i-sell-it
Money quote:
Alternatively, there's the ultimate security tool if you're worried about someone pulling data from your phone: don't sell it.
Click to expand...
Click to collapse
A little off topic: Another solution would be to just store sensitive data on a SD card and remove it before selling. Plus you could use tools like EDS(Lite) to store sensitive data in container. Sync them via a cloud service and open them on your computer with TrueCrypt.
Any updates how to do this?
Boot into recovery and dd /dev/urandom over the /data, /cache and /sdcard partitions, then from the GUI reformat them...
Not perfect but well enough to prevent someone imaging from those partitions to their PC and running an undeleter (or hex editor) on the partition images!
Thanks

[Q] Why does no Mod Rom or Custom ROM allow official ext4 external?

Dear All,
I have a simple question to open a discussion here. We all know that modern android phones are having the ability to understand ext4 (and if my research is right - the internal storage in most Android 4.x phones is formatted in ext4). Why is dev or mod build like Cyanogenmod or even a OEM like Xiaomi which develops MIUI not removing emulated sdcard functionality (optionally) and instead allow users choose to reformat their actual sd to ext4 when inserted (and mark that as internal SD - to allow standard App2sd)? Thereby enabling secure app + media storage a reality? And in the same way as Internal Storage, I think we can use MTP to read the external storage (ext4) when connected to PCs.
Furthermore, we can have a setting to warn the users about this compatibility change (that once they take up/choose this method)- they will not be able to read cards in normal way when connected directly via card reader to Windows PCs because of no direct ext4 support in Windows.
Additionally, can't we at least have this as an advanced or developer only setting, if we want novice users to not mess with the functionality?
Do you all agree? Or am I having a over-simplified understanding of making such a change?
Lastly, given an option, I would definitely choose such a change at the cost of compatibility rather than paying tons of extra money for higher internal flash storage
Nobody wants to answer this? We have so many experts here - I am really surprised to see no replies

VZW GS5 Adoptable storage, how to access.

I have adoptable storage working per the S7 command line method with ADB. Now, as for how I can access it.. Since its encrypted the PC can't read it directly. Is it possible to use linux commands to create a linked folder on the phone's actual internal storage to the root of the adopted sd card? Wouldn't this cause the phone to handle the encryption work and let us have access to it? The other question is would this created link survive a reboot? I remember when I did a linked folder I had to have a script autorun on boot of the Android 3.0 tablet to recreate the link.
Nova5 said:
I have adoptable storage working per the S7 command line method with ADB. Now, as for how I can access it.. Since its encrypted the PC can't read it directly. Is it possible to use linux commands to create a linked folder on the phone's actual internal storage to the root of the adopted sd card? Wouldn't this cause the phone to handle the encryption work and let us have access to it? The other question is would this created link survive a reboot? I remember when I did a linked folder I had to have a script autorun on boot of the Android 3.0 tablet to recreate the link.
Click to expand...
Click to collapse
Since adopted storage becomes internal, it's best to think of it as you would a hard drive in your PC. You don't physically connect PCs or remove hard drives to transfer files; you networking or apps. There are a myriad ways to do this: FTP, SMB, BitTorrent Sync (my preferred way), SendAnywhere, SuperBeam, etc.
WiFi is far slower than USB3. USB3 would be my preferred method to load up music on it vs wireless methods.
Nova5 said:
WiFi is far slower than USB3. USB3 would be my preferred method to load up music on it vs wireless methods.
Click to expand...
Click to collapse
The interface is only theoretically faster. The S5 uses MTP to connect to your PC over USB, which means writes are made at the file level, not the block level. Translation: if a file has changed on the S5, your PC rewrites the entire file instead of just the changes. This makes routine USB file transfer extremely inefficient.
OTOH, using BitTorrent Sync with an 802.11ac router gives me block level write speeds of up to 16 MB/s, which is pretty good for the S5's notoriously slow SD card R/W performance. And if you have a slower router you can just let the network transfer run overnight anyway.
All fine and dandy, but not important to the answer sought. What im looking at doing is creating a symlinked "folder" that I can drop large amounts of data on, and have it sent directly to the card. Permissions are currently the issue on looking into the "private" directory on the phone for its storage. I just have to look up the command structure for the permissions changes when I get time to dig into it. Might not work depending on what protections google put in place to prevent those changes as they could compromise security.

SD card mirror / symlink (like ts-bind, but w/o Magisk)

Hi.
This general question has been asked a several times and has a several different and (mostly) acceptable answers, but I have a separate requirement I'd like to address. As far as I can tell, the closest tool to what I need is the ts-bind Magisk module, but since it requires the SD card to be present at boot it will not work for me.
Here's my scenario:
I've added an SD card to my device, and I'd like to use it as "Adoptable storage". However, I can't do that directly since I'd like to be able to manipulate the driver (in this case, specifically to manually suspend the device when it's not being used). ts-bind allows you to unbind the storage via a terminal, which is what I would need, but as my device is only loaded after boot that specific module will not work.
What I'm after is a way to emulate Adoptable storage via a script / symlink, but I need to be able to control it over the command line. The catch is that the mirrored drive needs to stick around, as the "source" folder is effectively unmounted when it's suspended until it's accessed again.
Ideally there would be a way to create a "replica" of the storage device (again, like symlink) and the use that with the built-in adoptable storage function.
Is there some kind of combination of symlinks / swapping apps or anything you can think of that might accomplish the above?
Cheers,
Rafael

Categories

Resources