Android and data loss protection.
Mobile devices contain an increasing amount of sensitive information. An average
Android device will contain the owner's entire email history, all of their text messages,
their call logs, their chat history, and their browsing history, as well as sensitive documents,
passwords, and other credentials. Keeping all of this data safe is important on something
that's so easy to lose or steal.
Let's look a little further into what mechanisms are useful for tackling data loss prevention
on Android, some current pitfalls, and what Whisper Systems is doing to improve the situation.
The basic recipe.
The core premise for protecting data against physical access is to combine online access controls
with offline access controls. On Android, the common general-purpose online access control mechanism
is the screenlock, which can either be a pin, a passphrase, or a pattern. The problem is that an
online access control mechanism alone isn't enough, because an attacker could always just turn your
phone off and pull the data off the disk directly.
WhisperSystems provides an offline access control mechanism in the form of device-level encryption.
All data on the device is encrypted using a passphrase that you must enter on boot, preventing an
attacker from simply accessing the data directly. Stock Android has also started providing device-level
encryption in their Honeycomb tablet release, but they've made some design decisions which will likely
weaken its efficacy (more on that later).
Screen lock problems.
The core problem with the Android screenlock is that it's entered via the touchscreen, which leaks
a considerable amount of information through the greasetrail that your fingers leave behind. The paper
"Smudge Attacks on Smartphone Touch Screens"
examines the efficacy of this attack in great detail. Even after using a phone for several minutes after
an unlock, as well as after having the phone in your pocket, smudge trails still remain usable.
For example, can you guess what this screen unlock pattern on the left might be? Or what this PIN code on the right might be?
Smudge attack prevention.
WhisperCore offers some alternative screen unlock patterns that remediate this problem. First is the "vertical PIN" unlock screen. The PIN digits are arranged in a vertical line, and once you enter the correct code, the final action is to drag a puck from the top of the screen to the bottom of the screen, which wipes the keypresses you made.
With the addition of one simple gesture, the difference between the default PIN and vertical PIN screens in the aftermath of an unlock is very clear:
WhisperCore also includes an option for the "pattern unlock" screen, which prompts the user to wipe the screen after the pattern has been entered successfully. This is normally not possible, because once the screen unlocks, touch events will affect the running applications. The unlock screen measures the amount of wiping you've done, and when it is likely that the smudge trail is no longer usable, unlocks the screen. In practice, this can normally be accomplished with two big passes of the thumb, and only adds two quick gestures to the unlock process.
Again, the difference between the default pattern unlock and the smudge-protected version is stark. These two images are taken from the same unlock pattern:
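The wipe-measuring unlock described above can be modelled as a coverage check: sample the finger's path through the pattern nodes (the smudge trail), then count how much of that trail the wiping strokes have passed over, and only unlock once the covered fraction crosses a threshold. The following is an added example, not WhisperCore's code; the 3x3 node layout, the thumb radius, the unlock threshold and the strokes in the demo are all constructed assumptions.

```python
"""Wipe-coverage check for a smudge-protected unlock screen.

Added example, not WhisperCore's code. It models the behaviour described in
the post: after the pattern is entered, keep the screen locked until the
user's wiping strokes have covered the smudge trail the pattern left behind.
The 3x3 node layout, thumb radius and unlock threshold are assumptions.
"""
import math

# Assumed layout: 3x3 pattern nodes, 100 px apart, on a 300x400 px screen.
PATTERN_NODES = {(r, c): (50 + c * 100, 100 + r * 100)
                 for r in range(3) for c in range(3)}
THUMB_RADIUS = 50.0        # assumed half-width of a thumb pass, in px
UNLOCK_THRESHOLD = 0.9     # fraction of the trail that must be wiped


def _dist_point_segment(p, a, b):
    """Euclidean distance from point p to line segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    if dx == 0 and dy == 0:
        return math.hypot(px - ax, py - ay)
    t = ((px - ax) * dx + (py - ay) * dy) / (dx * dx + dy * dy)
    t = max(0.0, min(1.0, t))           # clamp the projection onto the segment
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))


def smudge_points(pattern, step=10.0):
    """Sample the finger's path through the pattern nodes: the smudge trail."""
    nodes = [PATTERN_NODES[n] for n in pattern]
    points = []
    for (ax, ay), (bx, by) in zip(nodes, nodes[1:]):
        n = max(1, int(math.hypot(bx - ax, by - ay) // step))
        for i in range(n + 1):
            t = i / n
            points.append((ax + t * (bx - ax), ay + t * (by - ay)))
    return points


def is_wiped(point, strokes, radius=THUMB_RADIUS):
    """A smudge point counts as wiped if any stroke segment passed within radius."""
    return any(_dist_point_segment(point, a, b) <= radius
               for stroke in strokes for a, b in zip(stroke, stroke[1:]))


def wipe_coverage(pattern, strokes):
    """Fraction of the smudge trail covered by the wipe strokes (0.0 to 1.0)."""
    points = smudge_points(pattern)
    if not points:
        return 1.0
    return sum(is_wiped(p, strokes) for p in points) / len(points)


def should_unlock(pattern, strokes, threshold=UNLOCK_THRESHOLD):
    """Unlock only once the trail is unlikely to be usable for a smudge attack."""
    return wipe_coverage(pattern, strokes) >= threshold


if __name__ == "__main__":
    # Constructed pattern: across the top row, then down through the centre.
    pattern = [(0, 0), (0, 1), (0, 2), (1, 1), (2, 0)]
    one_pass = [[(150, 0), (150, 400)]]                       # a single narrow pass
    full_wipe = [[(x, 0), (x, 400)] for x in (50, 150, 250)]  # passes over every column
    print(f"one pass:  coverage {wipe_coverage(pattern, one_pass):.2f}, "
          f"unlock={should_unlock(pattern, one_pass)}")
    print(f"full wipe: coverage {wipe_coverage(pattern, full_wipe):.2f}, "
          f"unlock={should_unlock(pattern, full_wipe)}")
```

The threshold is deliberately below 1.0: the point is to make the trail unusable, not to demand that every sampled pixel be touched, which would frustrate the user in exactly the way the design goals below warn against.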
Design Goals.
While there are other obvious solutions such as randomizing the layout of the PIN entry pad for each unlock, we feel that ease of use is critical for effective security features. In our testing, we found that users unlocking screens rely heavily on "muscle memory," and were greatly frustrated by strategies such as randomized layouts, which required them to hunt for the unlock code.
Online vs. Offline Attacks.
Online attacks are different from offline attacks. Online attacks can be rate limited (a 30
second timeout after five incorrect unlock attempts), and normally require someone to physically
enter guesses. This makes the low number of permutations across a uniform distribution of
4-digit PINs or screen lock patterns acceptable. And in WhisperCore, 20 failed screen unlock
attempts will reboot the phone.
Offline attacks, however, can be performed much more quickly. These are fully automated, and
an attacker can leverage as much computing power as they have access to. Every permutation
of a 4-digit PIN can be attempted in less than a second. It is for this reason that Whisper Systems
uses separate unlock codes for the screenlock and device-level encryption. A device-level encryption
passphrase needs to withstand an offline attack, and thus be very long. But you don't want to (and shouldn't
need to) laboriously enter that long passphrase every time you pull your phone out of your pocket to
unlock your screen.
In the stock Android device-level encryption for Honeycomb, they made the poor choice to use the screen
unlock code for the device-level encryption key, thus weakening the device-level encryption to the point
of being almost completely ineffective.
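The distinction between online and offline attacks above comes down to who controls the rate of guessing. As an added example (not Whisper Systems' code), the block below implements the online side as a screen lock object through which every guess must pass, using the post's numbers (a 30 second timeout after five wrong attempts, reboot after 20), and puts the offline side next to it as a plain cost function. The PBKDF2 iteration count, the manual guess rate and the offline guess rates are constructed assumptions used only for the comparison.

```python
"""Online rate limiting versus offline guessing cost.

Added example, not Whisper Systems' code. The lockout policy follows the
numbers in the post (a 30 second timeout after five wrong attempts, reboot
after 20). The PBKDF2 iteration count, the manual guess rate and the offline
guess rates are constructed assumptions used only to compare the two cases.
"""
import hashlib
import hmac
import os
from typing import Optional

LOCKOUT_AFTER = 5          # wrong attempts before a timeout
LOCKOUT_SECONDS = 30.0
REBOOT_AFTER = 20          # wrong attempts before the phone reboots
KDF_ITERATIONS = 10_000    # assumed; the policy, not the KDF, is the point here


class ScreenLock:
    """Online access control: every guess has to go through this object.

    The clock is passed in as `now` (seconds) so the policy can be exercised
    without sleeping. The PIN is kept only as a salted PBKDF2 digest.
    """

    def __init__(self, pin: str, salt: Optional[bytes] = None):
        self.salt = salt if salt is not None else os.urandom(16)
        self._digest = self._derive(pin)
        self.failures = 0
        self.locked_until = 0.0
        self.rebooted = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, KDF_ITERATIONS)

    def attempt(self, pin: str, now: float) -> str:
        """Returns 'unlocked', 'denied', 'locked' or 'reboot'."""
        if self.rebooted:
            return "reboot"
        if now < self.locked_until:
            return "locked"            # the guess is not even checked during the timeout
        if hmac.compare_digest(self._derive(pin), self._digest):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= REBOOT_AFTER:
            self.rebooted = True
            return "reboot"
        if self.failures % LOCKOUT_AFTER == 0:
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of the given length."""
    return alphabet_size ** length


def online_exhaust_seconds(space: int, seconds_per_guess: float = 2.0) -> float:
    """Wall-clock time to try every code by hand under the timeout policy (reboot ignored)."""
    return space * seconds_per_guess + (space // LOCKOUT_AFTER) * LOCKOUT_SECONDS


def offline_exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """Time for an automated guesser working on a copy of the encrypted data."""
    return space / guesses_per_second


if __name__ == "__main__":
    pin_space = keyspace(10, 4)
    print(f"4-digit PIN, online by hand:  {online_exhaust_seconds(pin_space) / 3600:.1f} h")
    print(f"4-digit PIN, offline at 1e6/s: {offline_exhaust_seconds(pin_space, 1e6):.4f} s")
    long_space = keyspace(62, 20)   # 20 mixed-case alphanumeric characters
    years = offline_exhaust_seconds(long_space, 1e9) / (3600 * 24 * 365)
    print(f"20-char passphrase, offline at 1e9/s: {years:.3g} years")
```

The two cost functions make the post's argument concrete: the same 10,000-code space that takes hours of hands-on effort through the lock object falls in a fraction of a second once the rate limit is gone, which is why reusing the screen unlock code as the encryption key discards the protection the encryption was meant to add.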
Try it out.
Try out WhisperCore 0.4, a free download for individual use.