Question

Full device encryption on Android Nougat, e.g., Samsung S8?

Sep 19, 2017 11:38PM PDT

Does Nougat allow for entire partition or device encryption?

My Samsung S8+ phone appears to have no settings which would enable encryption, but after a recent update one message on the screen told me I'd have to re-login because the phone was encrypted. A Samsung customer service rep said that the phone is not encrypted and that DirectBoot is the only option, unless there are 3rd party apps. I've not found any such apps.

Encryption of sensitive data is an important requirement for professionals who are subject to HIPAA regulations. Of course, it's important for clients, too!

A number of articles recommend using Nougat's file encryption using DirectBoot for file or directory-level encryption. Unfortunately, contacts and the messaging app can't be placed in the encrypted area, which means that protected information (e.g., client names and contact information) would be exposed.

Prior versions of the Android OS allowed entire partition or device encryption. Perhaps the customer service rep was misinformed. Does Nougat on the Samsung S8+ still have entire device or partition encryption?

If not, are there apps or other options for protecting names and contact information?

Answer
Wrong steps?
Sep 20, 2017 11:38AM PDT

If you need HIPAA, your IT lead would research what has this before buying. After the fact, not going to end well and some may yelp.

But given what we know about smart phones, did you really think it's secure? Apple may have the better idea on this.

Wrong steps?
Sep 20, 2017 10:08PM PDT

Hi, R.,

I agree with you that Apple seems to have a better encryption solution. Unfortunately, other issues make it infeasible to get an Apple.

Lone practitioners don't have "IT leads." I assume that most of us will agree that no security options are 100% secure, whether for smart phones or anything else, so that comment was less than helpful.

Android and Samsung have not been sufficiently transparent in making it clear that they've shifted in their encryption approach and what they are offering is not a sufficient or even useful solution. It's too bad they've failed in what is otherwise a very nice phone.

Yes. Wrong steps.
Sep 20, 2017 10:19PM PDT

I've lost count of how many times the product is bought before the requirements were laid down.

That out of the way, no maker must meet your requirements so it's going to be upsetting if you buy first then ask later.

I deal with medical practitioners and Apple products are used widely.

As to "they've failed" that appears to be untrue by the sheer volume of product they've sold. It looks to be very successful.

And something about USA really can upset the encryption. Import, export laws and more play a role here. Apple was in the news about its "too good" security.

Do you want to bash Samsung in this discussion or find a working product?

Wrong
Sep 20, 2017 10:49PM PDT

Neither. I'll wait to see if someone has a helpful answer.

I'm just an Android and more developer.
Sep 20, 2017 11:26PM PDT

I've dealt with many issues over the years. Including import/export controls on encryption. It's quite interesting how that affected products like this one.

What answer are you seeking? I worry you want a solution to whole disk encryption like we do on PCs today.

If you are stuck with the Samsung be sure to tell the forum this as everyone needs to know you are not just here to rant.

That out of the way, did you check out LineageOS to see if it can replace the Samsung OS that doesn't meet your goals? More at https://www.lifewire.com/what-is-cyanogenmod-121679

And again it appears your choice of Samsung was a total wipeout. Why? "Samsung devices, volumes encrypted when booted with the stock kernel cannot be used with non-stock kernels and vice versa." So this is a minefield topic.

You'll get blown up left and right. Time to cut bait.

Question restated
Sep 21, 2017 9:03AM PDT

Hello, R.,

Thanks for your continued interest. Let me restate my question, give a little more background, and see if we can resolve it.

My concerns began when I realized that one can't use Samsung's Secure Folder to secure contacts and phone and text message data.

(For what it's worth, I think part of my original difficulty understanding encryption on the Samsung S8+ arose when I incorrectly conflated Android's Direct Boot with Samsung's SecureFolder because both were new and security-related. Duh. They're different!)

I've been researching this for a month. Several times I've run into articles and Android developer web resources that talk about two forms of encryption: credential encrypted data and device encrypted data.

Android has descriptions of its encryption here:
https://source.android.com/security/encryption/
https://source.android.com/security/encryption/full-disk
https://source.android.com/security/encryption/file-based
https://developer.android.com/training/articles/direct-boot.html

Probably the clearest article is this one, which states, "The best part is that it requires very little interaction from the user—on new devices that will be running Nougat out of the box, this should all be the default. And the level of security provided hasn’t decreased in any way—all the important, personal data is still fully encrypted until unencrypted by the user."

If that article is accurate and if I understand it correctly, personal data, like contact info, is still encrypted on new Nougat devices, such as the Samsung S8 and S8+.

This leads me to wonder if the Samsung customer support rep was somewhat misinformed when he told me that the S8+ is not device encrypted. I don't blame him because the details are very complicated and confusing, but I need to be sure!

What I'm thinking--and hoping--is that, although Nougat has changed the way security is implemented on Android devices, Nougat hasn't decreased the security of my contact information, phone call and message data, etc. Again, I'm not sure this is accurate.

It sounds as though you may have the expertise to verify or correct my current understanding. How do you understand the impact of Nougat's two forms of encryption on personal data, such as contacts and phone call and text message data?

Clarification on HIPAA encryption need
Sep 21, 2017 9:19AM PDT

I should also state that I don't need a perfect encryption solution. My understanding is that HIPAA requires protected data to be reasonably (they say "appropriately") secure and that the requirements are technology neutral. The requirements allow for the evolution of technology and permit alternative solutions. My assumption is that 100% protection may be both unrealistic and unnecessary.
https://www.hipaajournal.com/hipaa-encryption-requirements/

Answer
OK so we're moving from Full device encryption to reality.
Sep 21, 2017 5:33PM PDT

RIGHT NOW I'm on the Motorola G5 Plus running Android 7.0. I don't have to encrypt but why?

Any app that wants access to say my contact list has to ask permission. So I can decide to let it or not.

Now this could be in an encrypted form as well but there's the rub. To gain access you had to give access rights and maybe a password so where does this stop the leaks which HIPAA is worried about?

Let's call a smart phone yet another PC so you as the owner/operator can install an app that will copy the Contacts and you give it access rights, the password if encrypted and how did encryption help here? (it didn't.)

So as it stands I think we're fine with the permission system and the entire idea of the encryption is only to stop say a direct attack such as the Android ADB connection copying out the unencrypted content. HOWEVER such an attack would have you unlock the phone and tell Android to allow connection and give the ADB rights to do all that. Encryption does not stop leaks. It only slowed it down.

I am only an Android programmer. If you can encrypt user data and you don't hit Allow all the time I think you're as good as it gets from a security standpoint. Only my friend who is in corporate security disagrees. He wants all smart phones confiscated and ground up.

Post was last edited on September 21, 2017 6:03 PM PDT

Your interpretation?
Sep 21, 2017 7:45PM PDT

Hi, R. Thanks for the thoughtful reply.

Looking at the information I posted (or the links) about credential encrypted data and device encrypted data, do you interpret that info as saying that the user data is encrypted on Android?

It's only my view on this.
Sep 21, 2017 7:58PM PDT

I am not a HIPAA compliance engineer. I'm just an electronics designer, software author for way too long (ask but it's in decades now) and along the way from Linux to Windows to many OSes to Android you learn a few things.

1. Your first link https://www.hipaajournal.com/hipaa-encryption-requirements/ covers so much here. Not once did I see where the device was responsible at the end of the day. That is, if content is encrypted yet you sent an email in plain text, you didn't meet this criteria. That means SMTP POP3 EMAIL IS DOA. You could have a completely encrypted device and fail here with a single email.

Now to more interesting S8 readings.

2. "The setting that requires PIN on start up (aka after reboots) is the setting that encrypts the phone. So if you don't have PIN on boot, then you're not encrypted." is the usual answer. Samsung appears to by default encrypt but only you know if you have a PIN on boot.

Talk to Samsung about the PIN on start up. I do not own this model so all I can do is kick around the full encryption dead horse which can get annoying since it's dead and not very interesting at the end of the day.

-> Remember. If you need a ruling, you need to get your HIPAA compliance manager or engineer to sign off. But then send one email and it's broken again.

Thanks
Sep 21, 2017 8:31PM PDT

Yep, the big picture is that data is vulnerable even with security measures. But HIPAA doesn't seem to be aimed at the big picture. Thank goodness they were more practical.

So, the issue for practitioners isn't whether the encryption is wholly effective. It's whether the data is encrypted. That's because the regulations absolve the device user/owner from significant responsibilities and liabilities should the device be lost or stolen--as long as the device is encrypted. And it makes sense. If the data is encrypted and you need a password to get at it easily, most people who find a flash drive or phone aren't going to put a lot of effort into trying to access the data. If, on the other hand, people were to find an unencrypted device, I'm pretty sure that curiosity would kick in for many!

Email and text are a different issue. You can use an encrypted connection or service for these and meet regulations. (Although I'm sure that many clients do not have an encrypted email connection and very likely don't have password protection on their PCs or phones.) This is why providers should inform clients of the risks and ask clients to sign a consent agreement indicating whether clients want to use email and text and assigning those risks to the client, if they state that they want to use those technologies. Most clients aren't overly concerned by the risks and will sign such an agreement. And why not? They're telling bigger secrets by email and text all day long.

Your reading of the Samsung information is very helpful. I haven't seen anything in their literature that would indicate that the S8 phones are not encrypted, and I've spent hours searching. But I didn't want my own confirmation bias or wishful thinking to sway my thinking. The fact that you have a lot more Android and development experience and that you read their explanation to indicate that the phones are encrypted by default makes me feel pretty comfortable. So, thank you very much, R!

One more time. If you have the PIN setup. Could be done.
Sep 21, 2017 8:58PM PDT

One more time. I hope you have the PIN implemented since it seems that's the gateway to the encryption on this phone.

If all this helps, that's good. I know it's an annoying area and some makers just don't want to tell you it's HIPAA compliant since they can't cover the entire security issues. So makers have to bail.

Here we can kick it around until we get tired or think we have it covered.

Agreed
Sep 21, 2017 10:15PM PDT

Exactly, with the pin, we're good. Thanks, R!
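
Added example, not part of the thread and not from any poster: one way to check what a device itself reports about storage encryption, rather than relying on a support rep, is to read the `ro.crypto.state` and `ro.crypto.type` system properties over ADB. The function names and the sample `getprop` output below are constructed for illustration.

```shell
#!/bin/sh
# Classify Android storage encryption from `getprop` output.
# On a device with USB debugging authorized:  adb shell getprop | classify_crypto

# Print the value of one property from "[name]: [value]" lines on stdin.
prop_value() {
    # Older adb versions emit CRLF line endings, so strip \r first.
    tr -d '\r' | awk -F'[][]' -v n="$1" '$2 == n { print $4; exit }'
}

# Read full getprop output on stdin and print a one-line verdict.
classify_crypto() {
    props=$(cat)
    state=$(printf '%s\n' "$props" | prop_value ro.crypto.state)
    type=$(printf '%s\n' "$props" | prop_value ro.crypto.type)
    case "$state:$type" in
        encrypted:file)  echo "encrypted: file-based" ;;
        encrypted:block) echo "encrypted: full-disk" ;;
        encrypted:*)     echo "encrypted: type not reported" ;;
        unencrypted:*)   echo "not encrypted" ;;
        unsupported:*)   echo "encryption unsupported" ;;
        *)               echo "unknown: ro.crypto.state missing" ;;
    esac
}

# Constructed sample inputs (not captured from a real phone).
SAMPLE_FDE='[ro.build.version.release]: [7.0]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [block]'

SAMPLE_FBE='[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]'

SAMPLE_PLAIN='[ro.crypto.state]: [unencrypted]'

for s in "$SAMPLE_FDE" "$SAMPLE_FBE" "$SAMPLE_PLAIN"; do
    printf '%s\n' "$s" | classify_crypto
done
```

These two properties report only whether the data partition is encrypted and by which scheme; whether a PIN is demanded at startup, the setting discussed in the thread, is not visible in them.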