Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles
(untagged)

An eCryptfs-Based Solution for Securing Your Data on Android

14 Jan 2016 1  
I will describe a new way to implement security for sensitive data based on eCryptfs (eCryptfs.org).

This article is in the Product Showcase section for our sponsors at CodeProject. These articles are intended to provide you with information on products and services that we consider useful and of value to developers.

Intel® Developer Zone offers tools and how-to information for cross-platform app development, platform and technology information, code samples, and peer expertise to help developers innovate and succeed. Join our communities for Android, Internet of Things, Intel® RealSense™ Technology and Windows to download tools, access dev kits, share ideas with like-minded developers, and participate in hackathon’s, contests, roadshows, and local events.

The threat to data on mobile devices is a serious issue. Not only have the Android developers worked on security, but many application developers work to ensure the security of the user’s data before release. I will describe a new way to implement security for sensitive data based on eCryptfs (eCryptfs.org).

Existing Solutions

Currently there are several solutions to secure users’ data. Figure 1 classifies these solutions in different layers.

Figure 1: 3 layers for some of the current solutions
  1. Kernel Level
    Full disk encryption (FDE) is supported on the Android* OS since release 3.0. It is a kernel level solution. FDE is the process of encoding all user data on an Android* device using an encrypted key. Once a device is encrypted, all user-created data is automatically encrypted before committing it to disk, and all reads automatically decrypt data before returning it to the calling process. Average developers do not need to know about it; if users use it in their phone, they can copy-protect all their data before they unlock the device.
  2. Android* Framework Level
    At this level, root privilege is needed. Hook is a significant method to ensure the applications which need to be protected can easily transfer/save data.
  3. Application Level
    Most current security solutions are at the application level. There are many existing libraries for developers to use, such as OpenSSL, secureSqlite, et al.. Developers can use the existing libraries to ensure proper encryption and security.

Introduction to eCryptfs

eCryptfs is a POSIX-compliant enterprise cryptographic stacked filesystem for Linux*. It stores cryptographic metadata in the header of each file, so that encrypted files can be copied between hosts. The file will be encrypted with the proper key in the Linux* kernel keyring. There is no need to keep track of any additional information aside from what is already in the encrypted file itself.

eCryptfs is widely used, serving as the basis for Ubuntu’s Encrypted Home Directory, used natively within Google’s ChromeOS* and transparently embedded in several network attached storage (NAS) devices.

Architecture of the eCryptfs-Based Solution

Encryption and decryption are automatic when using eCryptfs. Figure 2 shows the architecture of the proposal solution.

Figure 2: Architecture of the proposal (eCryptfs based) solution

As you can see, with eCryptfs in Linux* Kernel, we can add a service to response for all actions. The service receives the command from applications that use it and send the request to VOLD(Volume Daemon in Android*[2]) to achieve the real action.

The requests to VOLD are:

  • Create secure directory
  • Lock secure directory – VOLD will unmount the mount point
  • Unlock secure directory – VOLD will mount the directory to a mount point, then applications can easily put their data into the mount point. The kernel will automatically encrypt/decrypt data.
  • Remove secure directory
  • Recover secure directory
  • Change passwords

As shown as Figure 3, we can classify this solution and insert into a new layer.

Figure 3: Corresponding layer of this proposal solution

Create Your Own System

Figure 4: Changes of the proposal(eCryptfs based) solution

The red blocks shown in Figure 4 show the changes in implementing the eCryptfs solution.

  1. Make sure the Linux* Kernel has eCryptfs support.
  2. Add the utilities to support eCryptfs and the eCryptfs interface in VOLD.
  3. Add the main service, including a library for applications to use.
  4. Add the needed SELinux polices to make sure it can work in the new system.

You can find patches for integration in the third link shown in the Reference section.

Summary

eCryptfs is one secure feature in Linux* Kernel. Our method of implementing a secure storage service in Android* is based on this eCryptfs filesystem. After integration in the system, developers can easily use it in their applications, and the kernel will respond to encryption and decryption.

Reference

[1] FDE: https://source.android.com/devices/tech/security/encryption/

[2]VOLD: http://vold.sourceforge.net/

[3] Patches for Integration: https://github.com/catalinionita/Ecryptfs-Tools-for-Android

About the Author

Zhang Li is an application engineer in the Intel® Software and Solutions Group (SSG), Developer Relations Division, Mobile Enterprise Enabling team. He focuses on applications for Android*.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here