An eCryptfs-Based Solution for Securing Your Data on Android

Intel® Developer Zone offers tools and how-to information for cross-platform app development, platform and technology information, code samples, and peer expertise to help developers innovate and succeed. Join our communities for Android, Internet of Things, Intel® RealSense™ Technology and Windows to download tools, access dev kits, share ideas with like-minded developers, and participate in hackathon’s, contests, roadshows, and local events.

The threat to data on mobile devices is a serious issue. Not only have the Android developers worked on security, but many application developers work to ensure the security of the user’s data before release. I will describe a new way to implement security for sensitive data based on eCryptfs (eCryptfs.org).

Existing Solutions

Currently there are several solutions to secure users’ data. Figure 1 classifies these solutions in different layers.

1. Kernel Level
   Full disk encryption (FDE) is supported on the Android* OS since release 3.0. It is a kernel level solution. FDE is the process of encoding all user data on an Android* device using an encrypted key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk, and all reads automatically decrypt data before returning it to the calling process. Average developers do not need to know about it; if users use it in their phone, they can copy-protect all their data before they unlock the device.
2. Android* Framework Level
   At this level, root privilege is needed. Hook is a significant method to ensure the applications which need to be protected can easily transfer/save data.
3. Application Level
   Most current security solutions are at the application level. There are many existing libraries for developers to use, such as OpenSSL, secureSqlite, et al.. Developers can use the existing libraries to ensure proper encryption and security.

Introduction to eCryptfs

eCryptfs is a POSIX-compliant enterprise cryptographic stacked filesystem for Linux*. It stores cryptographic metadata in the header of each file, so that encrypted files can be copied between hosts. The file will be encrypted with the proper key in the Linux* kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself.

eCryptfs is widely used, serving as the basis for Ubuntu’s Encrypted Home Directory, used natively within Google’s ChromeOS* and transparently embedded in several network attached storage (NAS) devices.

Architecture of the eCryptfs-Based Solution

Encryption and decryption are automatic when using eCryptfs. Figure 2 shows the architecture of the proposal solution.

As you can see, with eCryptfs in Linux* Kernel, we can add a service to response for all actions. The service receives the command from applications that use it and send the request to VOLD(Volume Daemon in Android*[2]) to achieve the real action.

The requests to VOLD are:

• Create secure directory
• Lock secure directory – VOLD will unmount the mount point
• Unlock secure directory – VOLD will mount the directory to a mount point, then applications can easily put their data into the mount point. The kernel will automatically encrypt/decrypt data.
• Remove secure directory
• Recover secure directory
• Change passwords

As shown as Figure 3, we can classify this solution and insert into a new layer.

Create Your Own System

The red blocks shown in Figure 4 show the changes in implementing the eCryptfs solution.

1. Make sure the Linux* Kernel has eCryptfs support.
2. Add the utilities to support eCryptfs and the eCryptfs interface in VOLD.
3. Add the main service, including a library for applications to use.
4. Add the needed SELinux polices to make sure it can work in the new system.

You can find patches for integration in the third link shown in the Reference section.

Summary

eCryptfs is one secure feature in Linux* Kernel. Our method of implementing a secure storage service in Android* is based on this eCryptfs filesystem. After integration in the system, developers can easily use it in their applications, and the kernel will respond to encryption and decryption.

Reference

[1] FDE: https://source.android.com/devices/tech/security/encryption/

[2]VOLD: http://vold.sourceforge.net/

[3] Patches for Integration: https://github.com/catalinionita/Ecryptfs-Tools-for-Android

About the Author

Zhang Li is an application engineer in the Intel® Software and Solutions Group (SSG), Developer Relations Division, Mobile Enterprise Enabling team. He focuses on applications for Android*.