Storing Encrypted Plain Text Files Using Google Android




Jared Hatfield
University of Louisville

Abstract

Google Android is an open source operating system that is available on a wide variety of smart phones from a variety of manufacturers. While the core operating system uses encryption for phone calls, web browsing, and email, the local storage available on the phone is primarily unencrypted. Encryption can be deployed at the application level to protect data stored on the phone. On a typical device, the data for an application is stored on the onboard microSD card, which can easily be mounted on a computer. The files stored on the card can then be copied to another device for analysis. If an unauthorized party were to gain physical access to a phone, it would be possible to quickly create a copy of the onboard data, potentially without the phone's owner even noticing. A simple notepad application that uses an encryption algorithm and a user-provided password can be used to read and write plain text securely to a file on the SD card. The security of the information stored using this approach will be analyzed and the method deployed will be documented.

1. Security and the Android Platform

Based on the Linux kernel, the Android Open Source operating system is a mobile phone operating system that has rapidly gained popularity following the success of Apple's iPhone. With the first public release in late 2008, Android has undergone rapid development and has gained widespread adoption by major phone manufacturers and wireless carriers. Unlike other major mobile operating systems, Android is an open source operating system, meaning every bit of the operating system's code is freely and publicly available for inspection, modification, and reuse.

The main goal, when it comes to security and the Android platform, is outlined on the developers' web site: "An application's process runs in a security sandbox. The sandbox is designed to prevent applications from disrupting each other, except by explicitly declaring the permissions they need for additional capabilities not provided by the basic sandbox." (Google, 2010) The threat model addressed focuses on preventing malicious applications from the marketplace, or code downloaded from the internet, from compromising the phone.

For the purposes of describing the threat model addressed, we will assume that Alice has a phone running Android and Oscar is actively attempting to gain access to the content stored on Alice's phone. The specific threat addressed is securing information should Oscar obtain physical access to Alice's Android-based phone, even if only for a short period of time. It would be possible to copy files off of the phone's storage using a standard computer, a task which can take only a few moments. While the online accounts that are likely authenticated on the phone could be targeted, they are not the focus of this study.

2. Storing Information Securely

The typical Android-based phone includes internal flash memory and a removable microSD card that provides additional storage on top of the built-in storage. The information stored on the phone, in general, is unencrypted. Even if a password or unlock pattern is used, it is possible to remove the microSD card from the phone, mount the partition on a computer, and gain access to the information stored on the card. However, Android provides a simple mechanism for mounting the microSD card using the phone's interface, making the task even easier.

Applications developed for the Android platform are written in Java and target the Dalvik virtual machine. This allows the applications to be independent of the underlying system architecture. Every application on the platform is sandboxed to prevent unauthorized cross-application leakage. When an application is installed, the permissions that the application requires to run are presented to the user and must be authorized before the installation will continue. The microSD card serves as a common storage location that is accessible from any application authorized to access the extended persistent memory.

3. Storage of Encrypted Text Files

A simple Android application, OpenNoteSecure, has been developed to illustrate a method for storing encrypted text files on the phone's microSD card. Android provides access to many of the standard Java libraries, including javax.crypto, which includes AES and DES symmetric encryption ciphers.

3.1 Encryption Implementation

[Figure 1]

The method employed for encryption and decryption is a two-stage process, as outlined in Figure 1. The text field that is provided to the user is editable in a String representation. This plain text string is encrypted using the specified cipher and password before being encoded as a Base64 string and written to a file. For decryption the process is reversed: the file is read and converted from the Base64 encoding into the raw cipher text, which is then decrypted using the specified cipher and password before being displayed to the user. The Base64 encoding is not required from a technical standpoint, but it allows the encrypted text to be viewed in its encoded form using the same editor that was used to encrypt the text. An example of an encrypted string is shown in Table 1.

    Plain Text String:     The encrypted text.
    Password:              mypassword
    Encrypted AES String:  k8xp+cnbq1xglwz9a0x5f2cw6hzxlev5zs7obil6pak=
    Encrypted DES String:  7VEYR6414dZET24jh8Gx2VoCZqXdmHJe

Table 1

3.2 Android Application GUI

[Figure 2] [Figure 3] [Figure 4]

The graphical elements for the interface are simple and provide the necessary functionality to encrypt simple notes. Figure 2 depicts the initial interface, which allows for the creation of new files and displays all *.txt files that currently exist in the root directory. When a file is selected, the next interface, as seen in Figure 3, is displayed. This allows the user to select the encryption algorithm and input the password for the file. For new files, the encryption algorithm and password will be used when the formerly empty file is saved. The last interface, as seen in Figure 4, provides the means to view, edit, and save the text back to the file.

4. Analysis of Security

Software that uses encryption to store information must be carefully constructed so that it minimizes its surface for attack. Since it is necessary to decrypt the file on the device, it is unavoidable that the decrypted text is stored in RAM so that the plain text can be viewed and manipulated.

4.1 Encryption Ciphers

The Android platform's primary language for creating applications is Java. While the language for writing applications follows the Java syntax, the language itself does not strictly follow the standard Java implementation and not all of the standard libraries are available. However, the javax.crypto.Cipher library is available and can be used to perform AES and DES encryption.

The following code sample shows the constructor and encryption routines that are used to perform the AES encryption. The AESEncryptionProvider class provides a constructor that takes a string passphrase and then provides two methods, encryptAsBase64 and decryptAsBase64, which are part of the IStringEncryptor abstract class that allows for the encryption algorithm to be interchangeable.

    /**
     * Constructor for AESEncryptionProvider for a specific passphrase
     * @param passphrase The passphrase to protect the data with.
     * @throws EncryptionException
     */
    public AESEncryptionProvider(String passphrase) throws EncryptionException {
        // Set up the cipher
        this.CIPHER_TRANSFORMATION = "AES/CBC/PKCS5Padding";
        this.CIPHER_ALGORITHM = "AES";
        this.MESSAGEDIGEST_ALGORITHM = "MD5";

        // Create the password byte array
        byte[] passwordKey = encodeDigest(passphrase);

        // Set up the algorithm
        try {
            cipher = Cipher.getInstance(CIPHER_TRANSFORMATION);
        } catch (NoSuchAlgorithmException e) {
            Log.e(OpenNoteSecure.TAG, "No such algorithm " + CIPHER_ALGORITHM, e);
        } catch (NoSuchPaddingException e) {
            Log.e(OpenNoteSecure.TAG, "No such padding PKCS5", e);
        }

        // Finish setting up the encryption by making the secret key and iv parameters
        secretKey = new SecretKeySpec(passwordKey, CIPHER_ALGORITHM);
        // rawSecretKey is a field that is not shown in this excerpt
        ivParameterSpec = new IvParameterSpec(rawSecretKey);
    }

The AESEncryptionProvider constructor takes a passphrase and converts it to a secret key that can be used to encrypt or decrypt text using the appropriate methods. The primary responsibility of the constructor is simply to create the key; once the key is created, the encryption provider is able to function.
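
The constructor above derives the AES key from a digest of the passphrase (MD5) and sets the IV once, when the provider is created. As an added example (not OpenNoteSecure's code), the hypothetical PasswordNoteCipher class below shows a hardened form of the same encryptAsBase64/decryptAsBase64 pair that goes beyond the page's CBC setup: PBKDF2 with a random per-file salt, and AES-GCM with a random nonce, both stored in front of the ciphertext. It assumes Java 8 or later; the iteration count, field sizes and output layout are choices made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

// Added example: hypothetical class, not part of OpenNoteSecure. Assumes Java 8+.
public final class PasswordNoteCipher {
    private static final int SALT_LEN = 16, NONCE_LEN = 12, TAG_BITS = 128;
    private static final int ITERATIONS = 200_000; // assumed PBKDF2 work factor
    private static final SecureRandom RNG = new SecureRandom();

    // head = salt || nonce. The key is stretched from the passphrase and the per-file salt.
    private static Cipher cipherFor(int mode, char[] pass, byte[] head)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pass, Arrays.copyOf(head, SALT_LEN), ITERATIONS, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        spec.clearPassword(); // wipe the spec's internal copy of the passphrase
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, new SecretKeySpec(raw, "AES"),
                new GCMParameterSpec(TAG_BITS, head, SALT_LEN, NONCE_LEN));
        return cipher;
    }

    // Returns Base64(salt || nonce || ciphertext+tag); salt and nonce are fresh on every call.
    public static String encryptAsBase64(String data, char[] pass)
            throws GeneralSecurityException {
        byte[] head = new byte[SALT_LEN + NONCE_LEN];
        RNG.nextBytes(head);
        byte[] ct = cipherFor(Cipher.ENCRYPT_MODE, pass, head)
                .doFinal(data.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(head.length + ct.length).put(head).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException when the passphrase is wrong or the file was modified.
    public static String decryptAsBase64(String encoded, char[] pass)
            throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        int off = SALT_LEN + NONCE_LEN;
        if (in.length < off + TAG_BITS / 8) {
            throw new GeneralSecurityException("encrypted note is too short");
        }
        byte[] pt = cipherFor(Cipher.DECRYPT_MODE, pass, in).doFinal(in, off, in.length - off);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "mypassword".toCharArray(); // sample values from Table 1
        String a = encryptAsBase64("The encrypted text.", pw);
        String b = encryptAsBase64("The encrypted text.", pw);
        System.out.println("same output twice: " + a.equals(b));
        System.out.println("round trip: " + decryptAsBase64(a, pw));
        try {
            decryptAsBase64(a, "wrong".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("rejected: wrong passphrase or modified file");
        }
        Arrays.fill(pw, '\0'); // the caller wipes its own copy when done
    }
}
```

Taking the passphrase as a char[] rather than a String lets both the caller and the key specification overwrite it, which an immutable String does not allow.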

    /**
     * Performs the encryption on a string of data
     * @param data The plain text to encrypt.
     * @return The encrypted text encoded as a Base64 string.
     */
    public String encryptAsBase64(String data) throws EncryptionException {
        byte[] encryptedData = encrypt(data.getBytes());
        return Base64.encodeBytes(encryptedData);
    }

The public encryption method used to encrypt a string provides a simple mechanism that returns the encrypted cipher text as a string. To accomplish this, the underlying encryption algorithm performs the manipulation on a byte array computed from the original plain text string. To convert this byte array back to a string after it is encrypted, it is encoded as a Base64 string using a freely available Base64 library provided by http://iharder.net/base64.

    /**
     * Performs the AES encryption on a byte array.
     * @param clearData The unencrypted byte array.
     * @return The encrypted byte array.
     * @throws EncryptionException
     */
    private byte[] encrypt(byte[] clearData) throws EncryptionException {
        try {
            cipher.init(Cipher.ENCRYPT_MODE, secretKey, ivParameterSpec);
        } catch (InvalidKeyException e) {
            Log.e(OpenNoteSecure.TAG, "Invalid key", e);
            // Rethrown as described in the text; the no-argument constructor is assumed
            throw new EncryptionException();
        } catch (InvalidAlgorithmParameterException e) {
            Log.e(OpenNoteSecure.TAG, "Invalid algorithm " + CIPHER_ALGORITHM, e);
            throw new EncryptionException();
        }

        byte[] encryptedData;
        try {
            encryptedData = cipher.doFinal(clearData);
        } catch (IllegalBlockSizeException e) {
            Log.e(OpenNoteSecure.TAG, "Illegal block size", e);
            throw new EncryptionException();
        } catch (BadPaddingException e) {
            Log.e(OpenNoteSecure.TAG, "Bad padding", e);
            throw new EncryptionException();
        }
        return encryptedData;
    }

The majority of the code surrounding the encryption and decryption routines is a try/catch block. The crypto routines are capable of throwing various exceptions in the case where the encryption or decryption fails. These routines catch these exceptions and then throw a new exception called EncryptionException. The EncryptionException is a new type of exception that simply indicates that the encryption or decryption routine was not able to be executed successfully.
The main reason for throwing this exception is the instance where the wrong algorithm or password is used to attempt to decrypt a file. In this case the file is not decrypted and an error message is displayed. The actual execution of the encryption is very simple to invoke and the complexity is masked by the underlying libraries.

4.2 Password and Key Distribution

The simplest approach to securing the encrypted files is to not store the password on the device itself. Were the password to be stored on the device, it would be possible to decrypt the file if the device were to fall into Oscar's hands. The limitation to this approach is that the password must be memorized by Alice. Additionally, the password must be entered using a mobile on-screen or physical keyboard, which has limitations on the methods of data entry. These limitations may frustrate users. Assuming Alice uses a strong password to encrypt her information, the encrypted information will be secure.

When the file is being edited, it is stored in memory as plain text along with the password that was used for decryption. The Dalvik virtual machine relies on a garbage collector to free the allocated memory. Additionally, Android allows for multitasking, so the application may still be running in the background after the user navigates away from it. This results in a period where the plain text is stored in the phone's memory, even if the application is not in the foreground. However, steps can be taken to minimize these risks.

4.3 Limiting Exploitation Window

The sensitive information that is stored in memory can be limited to the password and cipher text. The other information, including the selected file and algorithm, is not as sensitive. To limit these risks, the information needs to be removed from RAM as soon as it is no longer needed. Using the virtual machine's garbage collector, this can be, at least partially, accomplished with little effort. By removing all references to sensitive strings and then invoking the garbage collector, the sensitive information in RAM would quickly be lost.
However, there is no guarantee that the garbage collector will actually be invoked and that the contents of the RAM would be overwritten with new information.

    /**
     * Remove references to sensitive information and suggest the
     * garbage collector runs before finishing the activity.
     */
    private void PerformCleanupAndClose() {
        // Remove all of the references to the sensitive variables
        this.content.setText("");
        this.password = "";

        // Tell the system we want to run the garbage collector
        System.gc();

        // Close this activity
        this.finish();
    }

5. Future Work

The initial release of OpenNoteSecure is capable of performing symmetric encryption. The ability to perform asymmetric encryption would be very useful for securely encrypting information that would be transmitted from user to user. The difficulty in implementing a system for performing asymmetric encryption arises from the vulnerability of the key store. The private keys that would need to be stored on the mobile device would need to be protected, which could be accomplished with a symmetric cipher and a passphrase.

6. Conclusion

The built-in mechanisms for securing application data on the Android platform are currently limited, but the ability to secure information on an application-by-application basis has existing potential. The security of the information stored on a mobile device depends on the security of the passphrase that is used to secure the information. The main issue is the compromise between security and convenience. In practice, the convenience of easily accessible information wins over the ability to securely store this information. As a result, the main concern is using strong encryption keys that do not require memorization and manual entry from the user. OpenNoteSecure demonstrates that data security can be achieved, but it still depends on memorization of keys by the user.

Resources

The source code for OpenNoteSecure is released under a General Public License Version 3.
http://github.com/jaredhatfield/opennotesecure

OpenNoteSecure is available to download for free from the Android Market.
com.jaredhatfield.opennotesecure

Works Cited

Google. (2010, June 23). Security and Permissions. Retrieved from Android Developers: http://developer.android.com/guide/topics/security/security.html