Android security: how secure is the app private data?


I have an application that stores confidential information in a file located in the application's private data folder.

I would like to know how secure it is to do so.

As far as I know, on an Android device other applications cannot access that file.

Supposing:

  • the device is not rooted
  • there is a password protection on the lock screen
  • a hacker has stolen that device and he is really forced to get that file

What kind of tricks are there to get that file somehow? I mean:

  • Is it possible to get the device rooted (in this scenario) and then get that file?
  • Can the hacker physically take the flash chip out of the device and then analyze it using some tool? Does Android use any encryption that prevents this?
  • Other ways to get that file maybe?

Is it possible at all to fully protect that file somehow? Maybe the application could have an autostart service that monitors the rooted status. If the device gets rooted the service deletes the file immediately.

Thank you!


Accepted answer

Is it possible to get the device rooted (in this scenario) and then get that file?

Yes, assuming:

  • the hacker can brute-force the password, and
  • the device is rootable in general (not every device has a known recipe for gaining root)

Can the hacker physically take the flash chip out of the device and then analyze it using some tool?

In theory, though that would not be easy to do without physically damaging it.

Does Android use any encryption that prevents this?

Android offers full-disk encryption, and it is enabled by default on new Android 5.0 devices. Older Android devices' full-disk encryption could be brute-forced; Android 5.0's seems stronger in this regard, though only time will tell if it too has flaws.

Is it possible at all to fully protect that file somehow?

Do not put the file on the device in the first place.

Or, encrypt it yourself, with a passphrase known to the user that is sufficiently strong. You eventually get to a point where a $5 wrench is a more viable approach than is trying to hack the device.

Maybe the application could have an autostart service that monitors the rooted status. If the device gets rooted the service deletes the file immediately.

Your application is not running in some of these circumstances, in part because the OS is not necessarily running in normal mode.

Furthermore, even if your application is running, the attacker will simply force-stop it from Settings after getting past the lockscreen and before attempting to set up root access.

And, this assumes that your app knows all possible ways of detecting root access, which seems unlikely.

My application needs to read and write that file, so encryption is useless from a hacker's point of view.

Only if your application needs to "read and write that file" without the user supplying the passphrase. In this scenario, your only absolute defense is to not have the file. Everything else just slows attacks down but cannot stop them.


On a non-rooted device, applications are sandboxed at the process and filesystem level. Each app gets its own filesystem space that only it can access. An application can choose to make a file world-readable/writable, but by default files are not. However, as noted in some of the comments and your original post, if a device is rooted then the attacker can access files virtually anywhere in the filesystem. Android 5.0 mitigates this by enabling fully enforcing SELinux policies, so if a privileged system process is exploited it will be confined by SELinux policy.

That being said, it is a best practice to assume that as soon as your data hits the filesystem it can be read if it is not protected. You can use the javax.crypto packages to encrypt file data. It's best to protect it with a password that is properly hashed (PBKDF2) to create a key for the file, rather than hard-coding a key in your application. There are numerous articles on the best approach to doing this.

Note that the Android 5.0 "encrypted filesystem" is not a failsafe for this. What the encrypted filesystem provides you with is protection of the data partition when the device is powered off. The user-provided password is used at boot time to mount the encrypted partition (just like encrypted volumes on a desktop OS). Once it is mounted, it looks just like any other mounted filesystem.