Android Encryption - Awkward!

edanto

I'm looking into encrypting android devices (the boss would like to be in a position to say that all devices with corporate data are encrypted), and it's more than a little annoying! The context is allowing colleagues to have work email (Office 365) on their personal devices. Office 365 allow enforcement of a rule that the device is encrypted. There is a dedicated O365 app coming for Android, but the data in it probably won't be encrypted except where the whole phone is, as above.

It's looking like that might be very inconvenient for people.

I'm testing on Android 4.3, stock on a Galaxy S3. Once encrypted, the phone insists on being locked with a password (min 6 characters including a number) - the really annoying bit is that the encryption password is now the screen lock password. So, to unlock your phone.... instead of an easy PIN code you can do one-handed, you are now putting the password with a keyboard, many times per day.

There's plenty of discussion about this online....

http://security.stackexchange.com/questions/10529/are-there-actually-any-advantages-to-android-full-disk-encryption

including some options to change the screen lock to something more convenient:

(1) From : http://nelenkov.blogspot.ie/2012/08/changing-androids-disk-encryption.html

So as long as your phone is rooted, i.e., you have a SUID su binary installed, you can send the following cryptfs command to change the disk encryption password. Can use Cryptfs Password tool

(2) From Google Group discussion : https://groups.google.com/forum/#!topic/android-security-discuss/G4N5pBreyhM

I found an Interesting solution to this excessive password typing, at least it seems to work on Xoom with ICS, no custom rom, and full device encryption. The solution is to download a third party lock screen.

I just downloaded "Holo Unlocker", the lock screen for Jelly Bean, and when enabled, it disables the regular PIN unlock screen. When I disable Holo Unlocker, it re-enables the PIN lock. Wonderful! Hope this helps other people workaround this problem until it is officially remedied.

I can't really hang my hat on any solutions that rely on rooted android, or else something that's a tentative work around like 2 above.

Has anyone tried either of these solutions or found a better one?

subway

Is it not more feasible to pay for a suitable smb mdm service?
Users won't sign up to Byod that restricts their device usage

kierank01

if you don't want to go down the rooted route, then you are probably looking at something like 'good for enterprise'

its going to cost ya, though...and I don't think it will get around the long password issue.

the cheap/easy way would be to not encrypt, but to use the remote wipe functionality within exchange, or the android device manager:
https://www.google.com/android/devicemanager where you can also remote wipe the phone. you need to tick a couple of boxes in the 'google settings' app on the phone first.

edanto

We actually have access to a type of MDM - Windows Intune, which will allow remote wipe, but of course only if the device is online.

Both Intune and Office 365 give an option for FULL remote wipe if the device is online, but we're not confident that will go down well, if they are BYOD, and particularly if the person has just left the organisation and we want to wipe the corporate data.

We would prefer to be able to say that the device is fully encrypted, and do a partial wipe of corporate data if the device is lost/stolen/person leaves using the partial wipe in the O365 apps. If the device owner would like a full wipe, it would be nice to be able to offer that option, but not in the first instance.

horgan_p

As KieranK says above - Good for Enterprise fulfills your needs. Pricey though.