Hi all, I recently installed MobileIron on my Xperia Z to get work emails etc. I am running Android 4.2.2. When I had done testing, I decided to remove MobileIron and deactivated it and uninstalled it, this was all fine. As part of the setup of MobileIron, my phone had to be Encrypted and this went through fine also. The issue now is that if I go into Security and look under Owner Info>Encryption, it says Encrypt phone (Encrypted) and I have no option to decrypt. If I tap on "Encrypt phone (Encrypted)" nothing happens. Anyone any ideas on this? Thank you!
The reason why you had to encrypt in the first place was because your corporate policy required it ... i.e., your IT department configured your MobileIron server to require encryption on your device, so once registered with MobileIron, you had to adopt the corporate policy.
I don't know of any Android devices that allow for decryption. That said, there's no good reason to decrypt. You are getting a security advantage with no real negatives. In theory there could be a micro-penalty in the battery consumption or i/o speed but in reality it's not going to be noticeable.
If you really can't stand the idea of encryption, you need to do a full factory reset. You'll lose all your data during that process so you'll want to backup first and restore once complete.
jsirota said:
> The reason why you had to encrypt in the first place was because your corporate policy required it ... i.e., your IT department configured your MobileIron server to require encryption on your device, so once registered with MobileIron, you had to adopt the corporate policy.
> I don't know of any Android devices that allow for decryption. That said, there's no good reason to decrypt. You are getting a security advantage with no real negatives. In theory there could be a micro-penalty in the battery consumption or i/o speed but in reality it's not going to be noticeable.
> If you really can't stand the idea of encryption, you need to do a full factory reset. You'll lose all your data during that process so you'll want to backup first and restore once complete.
Thank you for your response
The reason I was looking to do this is that I also have a Samsung Galaxy S4 and with an identical setup, there is the option to Decrypt so I was wondering if I missed something.
osheaj said:
> Thank you for your response
> The reason I was looking to do this is that I also have a Samsung Galaxy S4 and with an identical setup, there is the option to Decrypt so I was wondering if I missed something.
Agree. I used a Samsung Galaxy Note before with MobileIron. The same setting for my new Xperia Z but I cannot find the decryption command
Related
Up until recently, the corporation I work for only authorized blackberry devices to sync with the exchange servers. They've just recently started allowing iPhones and certain android devices to do the same.
On the corp intranet page that deals with this it explains that once you setup activesync a phone lock passcode is required, screen timeout of less than 15min is required, and 5 incorrect passcode attempts, lost/stolen, or something like leaving the company will result in a wipe that will affect non work related data loss as well. The next sentence then says that if it can't be wiped remotely it is the employee's responsibility to do so.
I don't know if some of that wording is from the blackberry only days or what.
If I were to go ahead and get authorization for this, would setting up an activesync with the corporation exchange server really allow them to wipe my phone, including personal data? Would it really make my phone require a passcode and limit my screen timeout all by just syncing?
I just don't know what kind of control simply setting up an activesync account is really possible.
I hate using our web access bc it requires an ID and 2 passwords and even though I can use lastpass to make that easier it's still slow/inconvenient.
I don't want to ask IT about all this bc I don't want them to think I'm trying to get around the system or give me an incorrect answer (fortune 100 company, they deal with a lot and don't know everything about everything).
One of the features introduced in Froyo with Exchange/ActiveSync support was remote wipe. I believe they'll have no problem wiping your phone, unless you disconnect that account first.
Jack_R1 said:
> One of the features introduced in Froyo with Exchange/ActiveSync support was remote wipe. I believe they'll have no problem wiping your phone, unless you disconnect that account first.
I'm actually less concerned with wiping than I am with being forced (by that I mean them somehow enforcing my settings such that I can't make my screen timeout longer than 15min or have to use a passcode to come out of sleep). I've never lost a phone and am willing to deal with consequences of not having a damn unlock code. I just don't want my phone to be locked into particular settings. Hope that makes sense.
What does decryption do? I know that it boosts the performance, but what else does it do?
digitLIX said:
> What does decryption do? I know that it boosts the performance, but what else does it do?
Although you will see a lower overhead in read/write operations of the device, I don't think you'd notice it all that much and there are fixes if rooted, to increase that.
The other thing it does, is to not encrypt your data. The reason I decrypt is I do not like my data encrypted. I backup all my data regularly and although any operation moving data off the device should decrypt it, I never truly trust this. What I don't want to do is end up with a pile of backed up data that didn't unencrypt properly. For most people this won't be an issue but working in IT support, I have had many run-ins with encryption so I prefer not to use it... Also I do not want to have to enter any passcode at boot, because I run automated procedures that involve rebooting the phone overnight. Sure, I could set not to have a passcode, but that makes all data accessible via android or recovery, which makes encryption pointless.
It's just personal preference really. There's no genuine need for you to decrypt
rootSU said:
> Although you will see a lower overhead in read/write operations of the device, I don't think you'd notice it all that much and there are fixes if rooted, to increase that.
> The other thing it does, is to not encrypt your data. The reason I decrypt is I do not like my data encrypted. I backup all my data regularly and although any operation moving data off the device should decrypt it, I never truly trust this. What I don't want to do is end up with a pile of backed up data that didn't unencrypt properly. For most people this won't be an issue but working in IT support, I have had many run-ins with encryption so I prefer not to use it... Also I do not want to have to enter any passcode at boot, because I run automated procedures that involve rebooting the phone overnight. Sure, I could set not to have a passcode, but that makes all data accessible via android or recovery, which makes encryption pointless.
> It's just personal preference really. There's no genuine need for you to decrypt
Thanks, I also heard decryption boosts the boot time? My Nexus 6's boot time takes like 30-60 seconds. Is it normal?
digitLIX said:
> Thanks, I also heard decryption boosts the boot time? My Nexus 6's boot time takes like 30-60 seconds. Is it normal?
Yes it will boost boot because read / write operations occur during boot and the OS has to "decrypt" whilst doing so... It's not technically decrypting them, but that's the simplest way of explaining it.
http://lmgtfy.com/?q=What+are+the+Differences+between+Decrypted+and+Encrypted?
rootSU said:
> Yes it will boost boot because read / write operations occur during boot and the OS has to "decrypt" whilst doing so... It's not technically decrypting them, but that's the simplest way of explaining it.
Last question, once I decrypt is it gonna be easy for hackers to hack into my data? Or shouldn't I be worrying about decrypting?
Most custom kernels already include patches to speed up I/O reads on encryption to the point where having your device encrypted or decrypted would not be that significant in terms of noticeability.
> Last question, once I decrypt is it gonna be easy for hackers to hack into my data? Or shouldn't I be worrying about decrypting?
I don't think that you have a clear understanding of what encryption is or what it actually does, no offense. Encryption has nothing to do with "hackers" having an easier time hacking your data; it's about hackers obtaining your information and then being able to see all the file contents, whereas if your device is encrypted, even though the hackers obtained your data, they have to go through a decryption process in order to make the "stolen data" useful to them, as the files will appear to be gibberish to them. The decryption process requires high-level math computations in order to obtain private, public keys (depending on the encryption method being used) that can take large amounts of computing time in order to obtain the values to decrypt the files.
No one is going to hack your data, Android and iOS made encryption enabled by default for mainly NSA purposes.
My suggestion to you, OP, is to just remain encrypted and use a custom kernel with encryption patches (Lean Kernel, Franco Kernel are among the many that include these patches already) just to make your life easier.
digitLIX said:
> Last question, once I decrypt is it gonna be easy for hackers to hack into my data? Or shouldn't I be worrying about decrypting?
Encryption won't protect you against remote hackers. If Android is running, it is already seeing your data as you gave it your encryption password.
zephiK said:
> Most custom kernels already include patches to speed up I/O reads on encryption to the point where having your device encrypted or decrypted would not be that significant in terms of noticeability.
> I don't think that you have a clear understanding of what encryption is or what it actually does, no offense. Encryption has nothing to do with "hackers" having an easier time hacking your data; it's about hackers obtaining your information and then being able to see all the file contents, whereas if your device is encrypted, even though the hackers obtained your data, they have to go through a decryption process in order to make the "stolen data" useful to them, as the files will appear to be gibberish to them. The decryption process requires high-level math computations in order to obtain private, public keys (depending on the encryption method being used) that can take large amounts of computing time in order to obtain the values to decrypt the files.
> No one is going to hack your data, Android and iOS made encryption enabled by default for mainly NSA purposes.
> My suggestion to you, OP, is to just remain encrypted and use a custom kernel with encryption patches (Lean Kernel, Franco Kernel are among the many that include these patches already) just to make your life easier.
Not offended, I'm sorry for being stupid I totally have no clue about this kind of stuff.
This answered my question, Thank you for the help.
rootSU said:
> Encryption won't protect you against remote hackers. If Android is running, it is already seeing your data as you gave it your encryption password.
Thanks.
digitLIX said:
> Not offended, I'm sorry for being stupid I totally have no clue about this kind of stuff.
> This answered my question, Thank you for the help.
> Thanks.
You're not being stupid. Don't be rude to yourself.
Encryption was something that was considered very secretive back in the days. You can read about that in the history of encryption.
Faux Kernel also has patches to speed things up. Thanks for asking this stuff. It's good to have all the info in one spot.
Just to add, encrypted data only really protects the data if someone has physical access to the device who doesn't have the password. If they cannot unlock the phone, you'd expect they could boot into recovery or whatever and get your data that way, but like @zephiK said if it is encrypted - that data is useless.
However, to be clear, it doesn't protect you against remote theft of the data. When you enter your password into the device, you're giving the OS permission to do what it needs with the data. If you unlock the phone and start copying data elsewhere, as it leaves the device, it becomes decrypted. If some remote "hacker" had got you to install an application on your phone and your phone allows data to be copied off the device, the encryption is useless because as it's moving off the device, it's being decrypted.
But yeah, no one will be trying to get the data anyway.
Did anybody try to encrypt the z3compact? Is the performance hit noticeable or negligible?
I'm very fought about encrypting my phone. Would I lose the smartlock feature?
Thanks in advance
I encrypted it, including SD card. There is no visible impact I would say. I think PIN and password is the only unlock option after encryption, the biggest drawback for me is that you can't manage it with Sony Companion after encryption (as Sony did not manage to implement support it seems).
PIN and password are the only options available after encryption and you'll probably lose smartlock.
In KK at least performance was about the same. Though it did reduce my battery life...
i9300usr said:
> I was curious to know if this was true with Sony Bridge too (Mac app), and I found this thread on the Sony forums. The Sony mods there insist that this is a choice by Sony to maintain security. Apparently none of them have heard of encrypted backups (à la iPhones). So, possible this will never be implemented.
It's not that important, ADB backups work and are more complete, only drawback is the time they take
i9300usr said:
> I was curious to know if this was true with Sony Bridge too (Mac app), and I found this thread on the Sony forums. The Sony mods there insist that this is a choice by Sony to maintain security. Apparently none of them have heard of encrypted backups (à la iPhones). So, possible this will never be implemented.
i9300usr said:
> So, just to make sure I understand you correctly: ADB allows users to make backups of encrypted Sony Xperia phones? Are the backups encrypted or unencrypted? And is the restore process straightforward?
Yes ADB allows you to make a full encrypted backup of your phone (including apps installation files). The restore process is straightforward as well but it's not as complete as say an iPhone backup. ADB might not be able to access some files, especially ADB might restore all your apps but not your launcher settings, folders, etc...
Even though the backup is encrypted, keep in mind that if you use a four-digit code it can be bruteforced in less than 10s so encryption does not mean much in this regard.
difto said:
> ...Even though the backup is encrypted, keep in mind that if you use a four-digit code it can be bruteforced in less than 10s so encryption does not mean much in this regard.
This is interesting. Are you referring to a code ADB requires or the code used on the phone? I use a pattern on the phone.
scottjb said:
> This is interesting. Are you referring to a code ADB requires or the code used on the phone? I use a pattern on the phone.
If you encrypt your phone you cannot use the pattern anymore. The ADB password is the same as your phone password so either 4 digits or a real password.
difto said:
> If you encrypt your phone you cannot use the pattern anymore. The ADB password is the same as your phone password so either 4 digits or a real password.
I have my phone encrypted and use a pattern. I was not required to change it to a PIN when I encrypted it.
That's why I asked, I wonder how ADB would handle the pattern.
You can transfer files when the phone is mounted as mass storage and unlocked, that's why Sony isn't consistent. You can also transfer files using a third party ftp server like es file browser.
I encrypted my phone last week. Not really noticed any difference in terms of general performance and battery life. One thing I hate is that if you fail to enter the correct password 10 times your phone gets wiped. I hate this because it just makes it easy for people to troll you and makes a thief's job easier because you're essentially getting your phone ready to be sold on and also locking yourself out so it can't be tracked.
Another negative is startup takes forever but, you don't really reboot phones much anyway
i9300usr said:
> Sounds like something I might actually use. Thanks for the feedback.
> So, this is by default and can't be disabled by the user? Hmm, Apple's iOS at least makes the wipe optional.
> So much this. Makes backing up your phone every day a necessity just in case. But then:
> a) how many people are actually aware the wipe is mandatory for encrypted phones,
> b) how many would be mean-spirited enough to actually do this,
> and
> c) how can people tell if your phone's encrypted?
> I think the likelihood is low, but I guess that depends on the company you keep. But if it's that kind of company, you're probably wise enough to keep the phone in your possession all the time anyway.
> Unless you're running 5.1, and have enabled "Device Protection" - if Google have actually implemented it? Did the promised "kill switch" actually make it to our phones?
> How useful is the tracking anyway? Do the Police even care? I've read articles where the owners themselves had to retrieve their phones, and that can be a very tricky prospect.
> Yup, very infrequently these days.
> Well, this is all better than the non-existent encryption on my S3.
Sadly, no you can't disable the wipe after 10 failed attempts. Well I'm a uni student and you know what some people are like when it comes to trolling! I don't think z3 compact has the device protection. Not mine anyway. The police should track it. Well I've heard they help here in the UK
I think it's better to go without encryption, root with locked bootloader and install Cerberus to system partition, and use a strong lock pattern or password.
No worries of 10 try wipes, more secure lockscreen options, and can still track the phone even after a factory reset (unless they reflash the entire system.)
cschmitt said:
> I think it's better to go without encryption, root with locked bootloader and install Cerberus to system partition, and use a strong lock pattern or password.
> No worries of 10 try wipes, more secure lockscreen options, and can still track the phone even after a factory reset (unless they reflash the entire system.)
I think there's a tendency to speak too lightly of rooting. It invalidates warranty, which is a big deal for a US$400–600 phone such as this. Even after the warranty expires, I think it places far too much responsibility on the user to solve any problems that may arise, which can be onerous if the phone actually serves a purpose (as opposed to being merely a prestige item, which I'm sure it frequently is).
Rooting is a nice concept, but it presents real-world problems that can entirely negate any benefits gained; it's not the panacea it purports to be.
I ask because after installing stock MRA58R the contents of my N6 were still visible in Windows Explorer. So I reformatted userdata & cache, and then used the new NRT 2.0.7 to flash MRA58R again - wipe, no root, no recovery, no no-encrypt, just bog-standard install. The "Encrypting device" appeared for literally a few seconds, and now as it's sitting re-installing my apps from Google I can still see the contents of internal memory in Explorer. No USB debug, just a "Use USB for file transfer".
I have a multi-digit PIN on the phone, set up as part of the initialisation process.
I went through all this because my wife's phone was stolen last weekend and it was a wake-up call for me about my data security.
I'm sure I'm being particularly stupid. Can someone please educate me?
Thanks...
And maybe I'm answering my own question...
The contents are visible to me because I entered the device PIN?
Anyone without the PIN gets to see nothing?
And that includes any access via ADB/fastboot?
But is this any different from a non-encrypted device?
dahawthorne said:
> Anyone without the PIN gets to see nothing?
It is a method to store data that is only readable with the key used for encryption.
Your pin is something different and is used for access permission of a device.
Thanks, but my understanding is that the device PIN is the encryption key. You can't set encryption without having a device PIN. What else could it possibly be using?
So I guess I still don't understand if having my device encrypted is any better than having a simple PIN-secured unencrypted device. If someone can see my data via bootloader mode or some other back door how secure is it?
If I look at an encrypted file I expect to see hieroglyphics. That's not what I'm seeing here. I see either nothing at all because the device isn't recognised by my PC, or I have full access to the data.
So what effect should I expect to see that is different/more secure than a simple PIN-protected device? What's the actual benefit of encryption?
dahawthorne said:
> Thanks, but my understanding is that the device PIN is the encryption key. You can't set encryption without having a device PIN. What else could it possibly be using?
> So I guess I still don't understand if having my device encrypted is any better than having a simple PIN-secured unencrypted device. If someone can see my data via bootloader mode or some other back door how secure is it?
> If I look at an encrypted file I expect to see hieroglyphics. That's not what I'm seeing here. I see either nothing at all because the device isn't recognised by my PC, or I have full access to the data.
> So what effect should I expect to see that is different/more secure than a simple PIN-protected device? What's the actual benefit of encryption?
I'll be honest. Your device is only as secure as the person that steals it. No amount of security has been 100% proven to prevent the data being attainable if they have access to the device itself. While I am not saying the average thief will be able to do it but, then all they care about is the device and end up wiping the device and reselling it without a care about the info inside it.
dahawthorne said:
> Thanks, but my understanding is that the device PIN is the encryption key.
That wouldn't be a good encryption, you usually need at least 256 bits to encrypt a volume. The pin is only to unlock the encryption key that's stored on a separate partition. Also to unlock the phone.
If you stick a USB cable into a phone that's on, it switches to USB charging mode by default, so you need to unlock it to change it to MTP or Camera. If you want to connect as USB debugging, you first must allow the new computer's fingerprint to connect, so you need the pin to unlock the phone again.
If encryption is used correctly, then you must enter your pin to resume boot. But you can just set MTP as default connection in a custom ROM, build it as userdebug that doesn't require ADB fingerprint, and set pin for unlocking lock screen only
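Added illustration, not part of the thread and not Android's own code: the arrangement described in the post above, where the PIN only unlocks a separately stored random key, together with the earlier remark about four-digit codes. The scrypt parameters, the XOR-plus-HMAC wrapping (a standard-library stand-in for the cipher a real device would use) and every function name here are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

# Constructed KDF cost for the sketch; real devices choose their own parameters.
SCRYPT_PARAMS = dict(n=2**12, r=8, p=1, dklen=64)


def derive_keys(pin, salt):
    """Stretch the PIN into a (wrapping key, MAC key) pair with scrypt."""
    out = hashlib.scrypt(pin.encode(), salt=salt, **SCRYPT_PARAMS)
    return out[:32], out[32:]


def wrap_master_key(master_key, pin):
    """Build the small record kept beside the encrypted volume.

    The volume itself is encrypted with master_key; the PIN never touches it.
    """
    if len(master_key) != 32:
        raise ValueError("this sketch expects a 256-bit master key")
    salt = os.urandom(16)  # fresh salt on every wrap, so the pad is never reused
    wrap_key, mac_key = derive_keys(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(record, pin):
    """Return the master key, or None when the PIN is wrong."""
    wrap_key, mac_key = derive_keys(pin, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], wrap_key))


def change_pin(record, old_pin, new_pin):
    """Re-wrap the same master key; the bulk data is not re-encrypted."""
    master_key = unwrap_master_key(record, old_pin)
    if master_key is None:
        raise ValueError("wrong PIN")
    return wrap_master_key(master_key, new_pin)


def candidate_count(length, alphabet_size=10):
    """How many secrets of this length exist over the given alphabet."""
    return alphabet_size ** length


def seconds_per_guess():
    """Measure one KDF evaluation on this machine (the cost of one guess)."""
    start = time.perf_counter()
    derive_keys("0000", b"\x00" * 16)
    return time.perf_counter() - start


def worst_case_seconds(length, per_guess, alphabet_size=10):
    """Time to try every candidate when nothing but the KDF slows guessing."""
    return candidate_count(length, alphabet_size) * per_guess


if __name__ == "__main__":
    master = os.urandom(32)                      # random 256-bit volume key
    record = wrap_master_key(master, "4821")     # constructed sample PIN
    print("right PIN unlocks:", unwrap_master_key(record, "4821") == master)
    print("wrong PIN unlocks:", unwrap_master_key(record, "0000") is not None)
    record = change_pin(record, "4821", "a much longer passphrase")
    print("same key after change:",
          unwrap_master_key(record, "a much longer passphrase") == master)
    cost = seconds_per_guess()
    print("4-digit PIN, all candidates: %.0f s" % worst_case_seconds(4, cost))
    print("10-char lowercase+digits: %.1e s" % worst_case_seconds(10, cost, 36))
```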
Thanks, people. It looks like encryption is pretty well pointless then if any Tom, **** or Harry can just install a new ROM or recovery and get access to the data... Burning my battery for nothing but a lot of security hot air...?
Speaking of which, I've just rebooted my phone and despite having checked the "Require passcode to start Android", which actually did work at least once (meaning I had to enter a PIN 3 times, for Android, SIM and device), this time there was no Android challenge, only SIM & device.
This security really isn't up to the job at all.
That is incorrect. Without knowing the key, as long as you select require pin at boot, the only thing they could do is reformat your phone and continue using it. No matter what, the key to your data is needed to access it.
dahawthorne said:
> Thanks, people. It looks like encryption is pretty well pointless then if any Tom, **** or Harry can just install a new ROM or recovery and get access to the data... Burning my battery for nothing but a lot of security hot air...?
I really don't get where this comes from?!? It's a very serious security measure, and it's really not its fault if people dynamite holes into the phone's security like using userdebug builds, and having custom recoveries.
The point is, you have to decide if you want a phone open for modding and to use to store sensitive data on it. There isn't a system that really can accommodate both.
But if you don't have any sensitive data on your phone then encrypting is really pointless.
Thanks again, guys.
@scryan - "select require pin at boot" - does this mean the "require PIN before starting Android"? This is what I mentioned I had but now I don't. An extra layer of security disappeared for no reason I can think of, and I see no option to switch it back on, since the only time it was offered to me was during the initial setup. I still have SIM lock and device lock, but more is better, no?
@istperson - I get the trade-off between security and flexibility. I would consider my photos, for example, to be secure data - even if I'm happy showing them to people I know, I don't want strangers poking around in them.
So bottom line - I still see no argument that says that encryption provides something that the PIN doesn't. How exactly is a PIN-protected encrypted phone more secure than a PIN-protected unencrypted phone?
Edit: I found the "require PIN on boot" option in one of the security tabs, and it appears to work. Back to 3 levels of security, but still in the dark about encryption benefits.
dahawthorne said:
> So bottom line - I still see no argument that says that encryption provides something that the PIN doesn't. How exactly is a PIN-protected encrypted phone more secure than a PIN-protected unencrypted phone?
If they hit you on the head, take your phone, tear it apart, and remove the sdcard, it won't be readable because of the encryption. If it's unencrypted they can access every data.
But don't store naked selfies on your phone, or in the cloud, then you're safe.
Also the pin to boot doesn't go away by itself without tinkering. Go back to Settings/Security and switch on the Require pin to boot, or whatever it's called.
Basically encryption is how the data is stored on the device. Instead of the normal readable format, it's scattered all around in a pattern that requires a key to calculate how to put it all back together.
When your computer goes to read a file, it pulls out a chunk of data, looks at what the right pattern is, then ignores the pieces it doesn't need.
When your phone is running you don't see any of this, because your phone is always in the middle decoding.
If I tried to access your data by circumventing the OS and its checks, all I would see was scrambled randomness.
Decent little wiki entry from Arch Linux
https://wiki.archlinux.org/index.php/Disk_encryption#How_the_encryption_works
It's more aimed at computers, but it's the same thing...
"it won't be readable because of the encryption."
That I understand - thanks. I suppose I was just a bit uneasy because it seems a bit too simple to get in, but obviously tinkering with my own device is far simpler than tinkering with someone else's.
I'll put this one to bed now. I'm very grateful for everyone's patience in answering my questions.
Been on KK until now, need quick update to current state of affairs.
Anyhow, is my phone fully encrypted? How do I check if it is? If it is can I make it decrypted?
The reason I'm asking, with MM Google made full encryption mandatory on most phones but IMO full phone encryption is useless, that's what secure folder and Knox is for and the fact that Crapple encrypts all its iphones is no reason, (so how long it took hackers to break into CA terrorist iphone, that supposed to be unbreakable even by Crapple engineers?).
N7 absolutely has the power to support full encryption, but Samsung being the biggest phone maker thankfully don't follow all Google's bad ideas (physical home button and SD card support come to mind as examples).
So what's the story here or is it a taboo, or maybe nobody cares?
What's the encryption story in Android 7?
It appears that it's encrypted out of the box. The SD card can be encrypted in settings.
I don't think their method of decrypting it will work on Snapdragon variants.
Thank you for quick answer.
That really sucks.
I guess it depends on how badly you want to decrypt it. I'd like to decrypt mine as well and had I known about the encryption at the start I would have done this right off.
http://androiding.how/disable-dm-verity-forced-encryption-galaxy-note-7/