Android Encryption Basics
Jan 29, 2023 | 42Gears Team
Encryption of data is the process of encoding information so that it cannot be read by anyone who is not authorized to read it. The core idea of Android encryption is to protect business or personal data from being stolen or accessed by an unauthorized person or entity. Encryption can be done using symmetric or asymmetric cryptography; which one is used depends on the level of security required. Symmetric cryptography is usually faster to use but less secure, while asymmetric cryptography provides better security but is slower.
Android provides built-in security technologies to protect and secure data residing on Android devices.
All CTS-validated and GMS (Google Mobile Services) licensed devices that ship with Android 6 out of the box are encrypted. Any device managed with Android Enterprise (earlier called Android for Work) is also required to be encrypted.
File-based Encryption (FBE)
Starting with Android 10, Android supports File-based Encryption (FBE) whereby each file is separately encrypted using AES-256 based encryption.
The FBE implementation lets apps choose their storage location depending on their operational requirements:
- Device Encrypted (DE) storage is accessible once the device boots, as well as after the user unlocks the device.
- Credential Encrypted (CE) storage is only available after the user enters their credentials and unlocks the device.
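As an added example (not 42Gears code, and not part of the original post), the following Java snippet shows how an app selects between the two FBE storage areas. `createDeviceProtectedStorageContext()` and `UserManager.isUserUnlocked()` are real Android framework APIs; the class name and the `write` helper are assumptions made for the illustration.

```java
import android.content.Context;
import android.os.UserManager;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/**
 * Added example: choosing Device Encrypted (DE) versus Credential Encrypted (CE)
 * storage on a File-based Encryption device. Class name is hypothetical.
 */
public final class FbeStorageSelector {

    /**
     * DE storage: files written through a device-protected Context are keyed so
     * they are readable as soon as the device boots, before any credential is
     * entered. Only data that must exist before first unlock belongs here,
     * because it is not protected by the user's passcode.
     */
    public static File deviceEncryptedDir(Context appContext) {
        Context de = appContext.createDeviceProtectedStorageContext();
        return de.getFilesDir();
    }

    /** CE storage is the default app storage; its keys are released only on unlock. */
    public static File credentialEncryptedDir(Context appContext) {
        return appContext.getFilesDir();
    }

    /** True once the user has unlocked the device at least once since boot. */
    public static boolean userUnlocked(Context appContext) {
        UserManager um = (UserManager) appContext.getSystemService(Context.USER_SERVICE);
        return um.isUserUnlocked();
    }

    /**
     * Write payload to DE or CE storage. Attempting a CE write before the user
     * has unlocked fails at the filesystem level, so the check is made up front.
     */
    public static File write(Context appContext, String name, byte[] payload,
                             boolean neededBeforeUnlock) throws IOException {
        if (!neededBeforeUnlock && !userUnlocked(appContext)) {
            throw new IllegalStateException("CE storage is unavailable until the user unlocks");
        }
        File dir = neededBeforeUnlock
                ? deviceEncryptedDir(appContext)
                : credentialEncryptedDir(appContext);
        File out = new File(dir, name);
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(payload);
        }
        return out;
    }
}
```

A component that has to run before the first unlock (for example, a receiver for `Intent.ACTION_LOCKED_BOOT_COMPLETED`) must additionally be declared with `android:directBootAware="true"` in the manifest, and it may only touch DE storage until `isUserUnlocked()` returns true. Keep the DE set as small as possible: anything placed there is decryptable without the user's credentials.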
Full-disk Encryption (FDE)
Earlier versions of Android supported Full-disk Encryption (FDE) which involves encrypting the entire user data partition with a single primary key.
Hardware-backed Security in Android
Verified Boot is a secure boot process in Android that performs various checks to ensure it is safe to continue booting into the main OS. For example, any attempt to reinstall an older, vulnerable version of the OS is detected by Verified Boot, and the OS boot is halted.
Trusted Execution Environment (TEE)
Android devices with a lock screen support an isolated environment known as the Trusted Execution Environment, or TEE. This ensures that no one can decrypt user data before the device is unlocked by the user entering their passcode or security credentials.
Android runs every app inside a sandbox to prevent harmful or malfunctioning app code from jeopardizing other applications or system components. All apps are sandboxed irrespective of how they were developed (APIs, programming language, etc.). Apps cannot interact with each other or exchange data unless they use "official" or "supported" APIs.
Starting with Android 9, some Android devices support backup encryption, which is used to ensure backed up application data is first encrypted, and then stored on Google data centers. Restoration of data requires a key that is generated only on the user's device, and even Google can't decrypt or read the application data without this key.
Using MDM for Android Encryption
If you are an organization looking for a solution to secure your fleet of enterprise devices, you can use an Android Device Management platform such as SureMDM to set up Android encryption features. SureMDM supports the comprehensive feature set of Android Enterprise and thereby enables you to take advantage of Full Disk Encryption (FDE) or File Based Encryption (FBE), perform remote device wipe, enforce strong password policies, separate work and personal apps and data, and more.
- On Android 10 and later, only the File-based Encryption (FBE) method is allowed on Android devices.
- Android supports 256-bit encryption.
- Newer versions of Android devices provide many hardware-backed security features.
- Android Enterprise ensures work data (managed by work profile) is encrypted separately (using different encryption keys) from personal data residing on the Android device.
- SureMDM supports strong encryption capabilities as part of Android Enterprise feature set.
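As an added illustration of the MDM section and the summary points above (this is not SureMDM or 42Gears code), the Java snippet below shows how a device-management agent can verify the encryption state that the page describes. `DevicePolicyManager.getStorageEncryptionStatus()` and its `ENCRYPTION_STATUS_*` constants are real Android APIs; the class name, the compliance rule and the status descriptions are this example's own assumptions.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;

/** Added example: reading and interpreting the device's storage encryption status. */
public final class EncryptionStatusCheck {

    /** Query the platform; no device-admin privilege is needed for this call. */
    public static int query(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.getStorageEncryptionStatus();
    }

    /** Human-readable label for the status code, for agent logs or an admin console. */
    public static String describe(int status) {
        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
                return "unsupported: device cannot encrypt storage";
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
                return "inactive: storage is not encrypted";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
                return "activating: encryption in progress";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
                return "active: single-key (full-disk style) encryption";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY:
                return "active, but with the default key (no user credential protecting it)";
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER:
                return "active per user/profile (file-based encryption)";
            default:
                return "unknown status " + status;
        }
    }

    /**
     * Example compliance rule (an assumption of this example, not a platform rule):
     * treat only credential-protected encryption as compliant. ACTIVE_DEFAULT_KEY means
     * the data is encrypted but the key is not bound to a user secret, so a lost device
     * would still expose its contents.
     */
    public static boolean isCompliant(int status) {
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
                || status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER;
    }

    /** Whether the device reports the per-user keying that the work profile separation relies on. */
    public static boolean isFileBased(int status) {
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER;
    }
}
```

An agent would typically call `query()` at enrollment and on a schedule, report `describe()` to the console, and use `isCompliant()` to gate access to work data or trigger a remediation policy (for example, requiring the user to set a lock-screen credential). On Android 10 and later devices `isFileBased()` is expected to return true, which is the state in which the work profile's data is keyed separately from the personal profile's.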