The threat to data on mobile devices is a serious issue. Not only have the Android developers worked on security, but many application developers also work to protect the user's data before release. I will describe a new way to implement security for sensitive data based on eCryptfs (eCryptfs.org).
Existing Solutions
Currently there are several solutions to secure users’ data. Figure 1 classifies these solutions in different layers.
Figure 1: Three layers for some of the current solutions
- Kernel Level
Full disk encryption (FDE) has been supported on the Android* OS since release 3.0. It is a kernel level solution. FDE is the process of encoding all user data on an Android* device with an encryption key. Once a device is encrypted, all user-created data is automatically encrypted before being committed to disk, and all reads automatically decrypt the data before returning it to the calling process. Application developers do not need to do anything to benefit from it; when a user enables it on their phone, all their data is protected until the device is unlocked.
- Android* Framework Level
Solutions at this level need root privilege. Hooking framework calls is the main technique: the applications that need protection can then transfer and save data without changes of their own.
- Application Level
Most current security solutions are at the application level. There are many existing libraries for developers to use, such as OpenSSL, secureSqlite and others. Developers can use these libraries to ensure proper encryption and security.
Introduction to eCryptfs
eCryptfs is a POSIX-compliant enterprise cryptographic stacked filesystem for Linux*. It stores cryptographic metadata in the header of each file, so that encrypted files can be copied between hosts. Each file is encrypted with a key held in the Linux* kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself.
eCryptfs is widely used, serving as the basis for Ubuntu’s Encrypted Home Directory, used natively within Google’s ChromeOS* and transparently embedded in several network attached storage (NAS) devices.
Architecture of the eCryptfs-Based Solution
Encryption and decryption are automatic when using eCryptfs. Figure 2 shows the architecture of the proposed solution.
Figure 2: Architecture of the proposed (eCryptfs based) solution
As you can see, with eCryptfs in the Linux* kernel, we can add a service that is responsible for all actions. The service receives commands from the applications that use it and forwards each request to VOLD (the Volume Daemon in Android* [2]), which performs the actual operation.
The requests to VOLD are:
- Create secure directory
- Lock secure directory – VOLD will unmount the mount point
- Unlock secure directory – VOLD will mount the directory to a mount point, then applications can easily put their data into the mount point. The kernel will automatically encrypt/decrypt data.
- Remove secure directory
- Recover secure directory
- Change passwords
As shown in Figure 3, this solution forms a new layer of its own.
Figure 3: Corresponding layer of the proposed solution
Create Your Own System
Figure 4: Changes of the proposed (eCryptfs based) solution
The red blocks in Figure 4 show the changes needed to implement the eCryptfs solution.
- Make sure the Linux* Kernel has eCryptfs support.
- Add the utilities to support eCryptfs and the eCryptfs interface in VOLD.
- Add the main service, including a library for applications to use.
- Add the needed SELinux policies to make sure it can work in the new system.
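The following is an added example, not code from this article or from the patch set it references. It is a POSIX shell script for a desktop Linux host with ecryptfs-utils installed that exercises the create / unlock / lock sequence from the request list above (unlock = mount an eCryptfs view over a lower ciphertext directory, lock = unmount it) and performs the eCryptfs kernel check from the first step of this checklist. All function names, the directory layout and the demo passphrase are this example's own assumptions; mounting needs root, so the demo section only runs when invoked as root with ECRYPTFS_DEMO=1.

```shell
#!/bin/sh
# Added demonstration of the lock/unlock semantics of the proposed service,
# on a desktop Linux host rather than Android. Function names and layout are
# this example's own, not the service's API.

# Build the eCryptfs mount option string. The passphrase is read from a file
# of the form "passphrase_passwd=<secret>" so it never appears in the process
# list; only AES key sizes that eCryptfs accepts are allowed.
secure_mount_opts() {   # passfile [keybytes]
    passfile=$1
    keybytes=${2:-32}
    case "$keybytes" in
        16|24|32) ;;
        *) echo "invalid AES key size: $keybytes" >&2; return 1 ;;
    esac
    printf '%s' "key=passphrase,passphrase_passwd_file=$passfile,ecryptfs_cipher=aes,ecryptfs_key_bytes=$keybytes,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache,ecryptfs_unlink_sigs"
}

# Preflight: does this kernel know about eCryptfs (built in or loadable)?
kernel_has_ecryptfs() {
    grep -q ecryptfs /proc/filesystems 2>/dev/null && return 0
    modprobe ecryptfs 2>/dev/null && grep -q ecryptfs /proc/filesystems
}

# "Create secure directory": a lower directory that only ever holds ciphertext
# and a mount point that exposes plaintext while unlocked.
create_secure_dir() {   # lower mountpoint
    mkdir -p "$1" "$2" && chmod 700 "$1" "$2"
}

is_unlocked() {         # mountpoint
    mountpoint -q "$1"
}

# "Unlock": mount the eCryptfs view; reads and writes through $2 are now
# transparently decrypted/encrypted by the kernel.
unlock_secure_dir() {   # lower mountpoint passfile
    is_unlocked "$2" && return 0
    mount -t ecryptfs "$1" "$2" -o "$(secure_mount_opts "$3" 32)"
}

# "Lock": unmount. Afterwards only ciphertext is reachable on disk and, thanks
# to ecryptfs_unlink_sigs, the key is dropped from the kernel keyring.
lock_secure_dir() {     # mountpoint
    is_unlocked "$1" || return 0
    umount "$1"
}

# Demo, run only when explicitly requested as root (mounting needs CAP_SYS_ADMIN).
if [ "${ECRYPTFS_DEMO:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    kernel_has_ecryptfs || { echo "no eCryptfs support in this kernel" >&2; exit 1; }
    base=$(mktemp -d)
    pw="$base/pw"
    # Constructed demo passphrase; a real service would derive it from the user.
    printf 'passphrase_passwd=%s\n' "demo-passphrase-CHANGE-ME" > "$pw" && chmod 600 "$pw"
    create_secure_dir "$base/lower" "$base/secure"
    unlock_secure_dir "$base/lower" "$base/secure" "$pw"
    echo "application secret" > "$base/secure/note.txt"
    echo "plaintext via mount point: $(cat "$base/secure/note.txt")"
    lock_secure_dir "$base/secure"
    # The lower file carries the eCryptfs header plus ciphertext; the plaintext
    # string must not be findable in it once locked.
    if grep -q "application secret" "$base/lower/note.txt"; then
        echo "FAIL: plaintext leaked to lower directory"; exit 1
    fi
    echo "locked: lower directory holds ciphertext only"
    rm -rf "$base"
fi
```

Run the demo with `sudo env ECRYPTFS_DEMO=1 sh secure_dir.sh`. The two points worth carrying over to the Android service are that the passphrase is handed to the mount helper through a mode-0600 file rather than on the command line, and that `ecryptfs_unlink_sigs` makes the lock operation remove the key from the kernel keyring as well as unmounting, so a locked directory is ciphertext only with no key left resident.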
You can find patches for integration in the third link shown in the Reference section.
Summary
eCryptfs is a security feature of the Linux* kernel. Our method of implementing a secure storage service in Android* is based on this eCryptfs filesystem. After integration in the system, developers can easily use it in their applications, and the kernel takes care of encryption and decryption.
Reference
[1] FDE: https://source.android.com/devices/tech/security/encryption/
[2] VOLD: http://vold.sourceforge.net/
[3] Patches for Integration: https://github.com/catalinionita/Ecryptfs-Tools-for-Android
About the Author
Zhang Li is an application engineer in the Intel® Software and Solutions Group (SSG), Developer Relations Division, Mobile Enterprise Enabling team. He focuses on applications for Android*.