FYI this also happens on iOS: in fact this is basically how the recent
string of American police demands to decrypt iPhones have happened.
Few combinations, a little time, and you've got a decrypted device.

Not to say this isn't an issue (it definitely is), but it's not just
unique to Android.

Kris

On Tue, May 21, 2013 at 5:47 PM, DrDenim <[email protected]> wrote:
> Considering that a phone encrypted with a 4-6 character PIN has been cracked
> in a matter of seconds the current scheme is worthless against any
> determined attacker. Unless of course the user types in an 8+ character word
> just to unlock the screen, dozens of times a day. Personally I could not put
> up with that.
>
> This leaves Android with a pretty serious security flaw. This should be high
> on the list of things to get fixed!
>
>
> On Tuesday, May 21, 2013 5:30:54 PM UTC-4, seattleandrew wrote:
>>
>> If you haven't been following issue 29468 for Android, a couple of people
>> are upset that the unlock passcode is tied to the encryption passcode. From
>> a usability stance, this makes perfect sense, this way users don't have to
>> memorize two passwords, the less the better. The issue is, once an FDE (Full
>> Disk Encryption) Android has been unlocked the first time, the device is
>> decrypted until it's powered off. This means once the device has been
>> unlocked once, there isn't a need to continue requiring complex passcodes
>> since all it does is unlock the device.
>>
>> With the current schema, I argue it actually impacts security and
>> usability since users will either choose a complex passcode (for more
>> entropy in FDE) and suffer every time the device re-locks or a user will
>> choose a simpler passcode (PIN or 6 char) in order to make the unlock
>> process easier (but now FDE has less entropy).
>>
>> With the addition of multiple-users in Android, I argue it wouldn't be too
>> difficult to separate the FDE passcode from the user's unlock passcode (even
>> on single user devices).
>>
>> What does the rest of Android Security think? Do you guys think separating
>> FDE and the unlock passcode would be beneficial?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
