Google is strengthening Android security and encourages vendors to strongly encrypt devices

Mobile devices are increasingly powerful and store user-sensitive content. However, it is not easy to ensure that devices are not attacked and cracked.

For security reasons, Google has taken the lead in implementing all-data encryption technology on its own Android devices and using security hardware to increase the protection level. As long as the attacker does not obtain the correct lock password for the device, it cannot be de-encrypted unless the device directly erases all data from the device.

Google uses high-intensity encryption algorithms to encrypt all data on the device, and it also generates encryption keys that are stored in the device’s secure area. The encryption key is kept by the secure hardware. Unless the user enters the correct lock password, the decryption key cannot be obtained through the secure hardware.

The high-security firmware of the secure hardware is responsible for checking the user’s lock password and has limited the speed of password entry to prevent attempts to brute force crack the password. If the attacker tries to directly attack the driver firmware of the secure hardware, it will also encounter a digital signature that is customized for the secure hardware to be verified.

Google claims that there are currently two ways to crack digital signatures. First, hackers find bugs in digital signature checking programs and use exploits to crack them. This kind of attack method is very difficult so it is not easy to want to crack, and the second is to get a signed read to forge a legitimate application to operate.

The implementation of this attack method is also quite difficult. Google claims that the digital signature verification process is very small and isolated, so it is very difficult to break through. The popular social worker attacks can use various methods to steal the user’s encryption key. It is obviously not a good idea for users to keep their own encryption keys.

Therefore, Google added a tamper-resistant module to the encryption key to defend against social worker attacks. Hackers could not implant malicious programs without the help of users.

Ultimately, unless the correct password is entered on the device, an attacker cannot perform a software update firmware update or fake a legitimate application bypass check.

Google has already released a technology blog to recommend that each manufacturer use such an encryption method. This approach can greatly improve the security of users.

Source: googleblog, android-developers