Phones forum

Question

Full device encryption on Android Nougat, e.g, SamsungS8?

Does Nougat allow for entire partition or device encryption?

My Samsung S8+ phone appears to have no settings which would enable encryption, but after a recent update one message on the screen told me I'd have to re-login because the phone was encrypted. A Samsung customer service rep said that the phone is not encrypted and that DirectBoot is the only option, unless there are 3rd party apps. I've not found any such apps.

Encryption of sensitive data is an important requirement for professionals who are subject to HIPAA regulations. Of course, it's important for clients, too!

A number of articles recommend using Nougat's file encryption using DirectBoot for file or directory-level encryption. Unfortunately, contacts and the messaging app can't be placed in the encrypted area, which means that protected information (e.g., client names and contact information) would be exposed.

Prior versions of the Android OS allowed entire partition or device encryption. Perhaps the customer service rep was misinformed. Does Nougat on the Samsung S8+ still have entire device or partition encryption?

If not, are there apps or other options for protecting names and contact information?

All Answers

Answer
Wrong steps?

In reply to: Full device encryption on Android Nougat, e.g, SamsungS8?

If you need HIPAA, your IT lead would research what has this before buying. After the fact, not going to end well and some may yelp.

But given what we know about smart phones, did you really think it's secure? Apple may have the better idea on this.

Wrong steps?

In reply to: Wrong steps?

Hi, R.,

I agree with you that Apple seems to have a better encryption solution. Unfortunately, other issues make it infeasible to get an Apple.

Lone practitioners don't have "IT leads." I assume that most of us will agree that no security options are 100% secure, whether for smart phones or anything else, so that comment was less than helpful.

Android and Samsung have not been sufficiently transparent in making it clear that they've shifted in their encryption approach and what they are offering is not a sufficient or even useful solution. It's too bad they've failed in what is otherwise a very nice phone.

Yes. Wrong steps.

In reply to: Wrong steps?

I've lost count of how many times the product is bought before the requirements were laid down.

That out of the way, no maker must meet your requirements so it's going to be upsetting if you buy first then ask later.

I deal with medical practitioners and Apple products are used widely.

As to "they've failed" that appears to be untrue by the sheer volume of product they've sold. It looks to be very successful.

And something about USA really can upset the encryption. Import, export laws and more play a role here. Apple was in the news about its "too good" security.

Do you want to bash Samsung in this discussion or find a working product?

Wrong

In reply to: Yes. Wrong steps.

Neither. I'll wait to see if someone has a helpful answer.

I'm just an Android and more developer.

In reply to: Wrong

I've dealt with many issues over the years. Including import/export controls on encryption. It's quite interesting how that affected products like this one.

What answer are you seeking? I worry you want a solution to whole disk encryption like we do on PCs today.

If you are stuck with the Samsung be sure to tell the forum this as everyone needs to know you are not just here to rant.

That out of the way, did you check out LineageOS to see if it can replace the Samsung OS that doesn't meet your goals? More at https://www.lifewire.com/what-is-cyanogenmod-121679

And again it appears your choice of Samsung was a total wipeout. Why? "Samsung devices, volumes encrypted when booted with the stock kernel cannot be used with non-stock kernels and vice versa." So this is a minefield topic.

You'll get blown up left and right. Time to cut bait.

Question restated

In reply to: I'm just an Android and more developer.

Hello, R.,

Thanks for your continued interest. Let me restate my question, give a little more background, and see if we can resolve it.

My concerns began when I realized that one can't use Samsung's Secure Folder to secure contacts and phone and text message data.

(For what it's worth, I think part of my original difficulty understanding encryption on the Samsung S8+ arose when I incorrectly conflated Android's Direct Boot with Samsung's SecureFolder because both were new and security-related. Duh. They're different!)

I've been researching this for a month. Several times I've run into articles and Android developer web resources that talk about two forms of encryption: credential encrypted data and device encrypted data.

Android has descriptions of its encryption here:
https://source.android.com/security/encryption/
https://source.android.com/security/encryption/full-disk
https://source.android.com/security/encryption/file-based
https://developer.android.com/training/articles/direct-boot.html

Probably the clearest article is this one, which states, "The best part is that it requires very little interaction from the user—on new devices that will be running Nougat out of the box, this should all be the default. And the level of security provided hasn’t decreased in any way—all the important, personal data is still fully encrypted until unencrypted by the user."

If that article is accurate and if I understand it correctly, personal data, like contact info, is still encrypted on new Nougat devices, such as the Samsung S8 and S8+.

This leads me to wonder if the Samsung customer support rep was somewhat misinformed when he told me that the S8+ is not device encrypted. I don't blame him because the details are very complicated and confusing, but I need to be sure!

What I'm thinking--and hoping--is that, although Nougat has changed the way security is implemented on Android devices, Nougat hasn't decreased the security of my contact information, phone call and message data, etc. Again, I'm not sure this is accurate.

It sounds as though you may have the expertise to verify or correct my current understanding. How do you understand the impact of Nougat's two forms of encryption on personal data, such as contacts and phone call and text message data?

Clarification on HIPAA encryption need

In reply to: I'm just an Android and more developer.

I should also state that I don't need a perfect encryption solution. My understanding is that HIPAA requires protected data to be reasonably (they say "appropriately") secure and that the requirements are technology neutral. The requirements allow for the evolution of technology and permit alternative solutions. My assumption is that 100% protection may be both unrealistic and unnecessary.
https://www.hipaajournal.com/hipaa-encryption-requirements/

Answer
OK so we're moving from Full device encryption to reality.

In reply to: Full device encryption on Android Nougat, e.g, SamsungS8?

RIGHT NOW I'm on the Motorola G5 Plus running Android 7.0. I don't have to encrypt but why?

Any app that wants access to say my contact list has to ask permission. So I can decide to let it or not.

Now this could be in an encrypted form as well but there's the rub. To gain access you had to give access rights and maybe a password so where does this stop the leaks which HIPAA is worried about?

Let's call a smart phone yet another PC so you as the owner/operator can install an app that will copy the Contacts and you give it access rights, the password if encrypted and how did encryption help here? (it didn't.)

So as it stands I think we're fine with the permission system and the entire idea of the encryption is only to stop say a direct attack such as the Android ADB connection copying out the unencrypted content. HOWEVER such an attack would have you unlock the phone and tell Android to allow connection and give the ADB rights to do all that. Encryption does not stop leaks. It only slowed it down.

I am only an Android programmer. If you can encrypt user data and you don't hit Allow all the time I think you're as good as it gets from a security standpoint. Only my friend who is in corporate security disagrees. He wants all smart phones confiscated and ground up.

Post was last edited on September 21, 2017 6:03 PM PDT

Your interpretation?

In reply to: OK so we're moving from Full device encryption to reality.

Hi, R. Thanks for the thoughtful reply.

Looking at the information I posted (or the links) about credential encrypted data and device encrypted data, do you interpret that info as saying that the user data is encrypted on Android?

It's only my view on this.

In reply to: Your interpretation?

I am not a HIPAA compliance engineer. I'm just an electronics designer, software author for way too long (ask but it's in decades now) and along the way from Linux to Windows to many OSes to Android you learn a few things.

1. Your first link https://www.hipaajournal.com/hipaa-encryption-requirements/ covers so much here. Not once did I see where the device was responsible at the end of the day. That is, if content is encrypted yet you sent an email in plain text, you didn't meet this criteria. That means SMTP POP3 EMAIL IS DOA. You could have a completely encrypted device and fail here with a single email.

Now to more interesting S8 readings.

2. "The setting that requires PIN on start up (aka after reboots) is the setting that encrypts the phone. So if you don't have PIN on boot, then you're not encrypted." is the usual answer. Samsung appears to by default encrypt but only you know if you have a PIN on boot.

Talk to Samsung about the PIN on start up. I do not own this model so all I can do is kick around the full encryption dead horse which can get annoying since it's dead and not very interesting at the end of the day.

-> Remember. If you need a ruling, you need to get your HIPAA compliance manager or engineer to sign off. But then send one email and it's broken again.
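
For readers who want to check the encryption state on the device itself rather than rely on a support answer, here is an added example; it is not code from any poster in this thread. It classifies a `getprop` dump using the Android system properties `ro.crypto.state` and `ro.crypto.type`; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Android storage encryption from `getprop` output.
# Live use (assumes adb is installed and USB debugging is authorised):
#   adb shell getprop | crypto_summary

# Print the value of one property from a dump of "[name]: [value]" lines.
prop_value() {
    awk -v key="[$1]:" '
        $1 == key {
            v = $2
            sub(/\r$/, "", v)                  # older adb emits CRLF
            print substr(v, 2, length(v) - 2)  # drop the [ ] wrapper
            exit
        }'
}

# Read a getprop dump on stdin and print one verdict line.
crypto_summary() {
    dump=$(cat)
    state=$(printf '%s\n' "$dump" | prop_value ro.crypto.state)
    ctype=$(printf '%s\n' "$dump" | prop_value ro.crypto.type)
    case "$state" in
        encrypted)
            case "$ctype" in
                file)  echo "encrypted/file-based" ;;   # CE + DE storage, Direct Boot
                block) echo "encrypted/full-disk" ;;    # whole userdata partition
                *)     echo "encrypted/type-unknown" ;;
            esac ;;
        unencrypted) echo "unencrypted" ;;
        *)           echo "unknown" ;;                  # property missing from dump
    esac
}

# Constructed sample dump (not taken from a real device).
SAMPLE_DUMP='[ro.build.version.release]: [7.0]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]'

printf '%s\n' "$SAMPLE_DUMP" | crypto_summary
```

On full-disk devices, the AOSP full-disk documentation linked earlier in the thread describes a default password being used until the user sets a credential required at startup, so this verdict alone does not show that a boot PIN is in place.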

Thanks

In reply to: It's only my view on this.

Yep, the big picture is that data is vulnerable even with security measures. But HIPAA doesn't seem to be aimed at the big picture. Thank goodness they were more practical.

So, the issue for practitioners isn't whether the encryption is wholly effective. It's whether the data is encrypted. That's because the regulations absolve the device user/owner from significant responsibilities and liabilities should the device be lost or stolen--as long as the device is encrypted. And it makes sense. If the data is encrypted and you need a password to get at it easily, most people who find a flash drive or phone aren't going to put a lot of effort into trying to access the data. If, on the other hand, people were to find an unencrypted device, I'm pretty sure that curiosity would kick in for many!

Email and text are a different issue. You can use an encrypted connection or service for these and meet regulations. (Although I'm sure that many clients do not have an encrypted email connection and very likely don't have password protection on their PCs or phones.) This is why providers should inform clients of the risks and ask clients to sign a consent agreement indicating whether clients want to use email and text and assigning those risks to the client, if they state that they want to use those technologies. Most clients aren't overly concerned by the risks and will sign such an agreement. And why not? They're telling bigger secrets by email and text all day long.

Your reading of the Samsung information is very helpful. I haven't seen anything in their literature that would indicate that the S8 phones are not encrypted, and I've spent hours searching. But I didn't want my own confirmation bias or wishful thinking to sway my thinking. The fact that you have a lot more Android and development experience and that you read their explanation to indicate that the phones are encrypted by default makes me feel pretty comfortable. So, thank you very much, R!

One more time. If you have the PIN setup. Could be done.

In reply to: Thanks

One more time. I hope you have the PIN implemented since it seems that is the gateway to the encryption on this phone.

If all this helps, that's good. I know it's an annoying area and some makers just don't want to tell you it's HIPAA compliant since they can't cover the entire security issues. So makers have to bail.

Here we can kick it around until we get tired or think we have it covered.

Agreed

In reply to: One more time. If you have the PIN setup. Could be done.

Exactly, with the pin, we're good. Thanks, R!
