Friday, July 20, 2012

What is SecretVaultpro

While TrueCrypt is my personal choice, it is not available on Android. SecretVaultpro provides 2nd best alternative to safe keep your office's documents, price list and other sensitive files. It is also a Password Manager and an Encrypted Notepad encrypted with military grade AES algorithm.

Latest version

The latest version is 2.9 c57, cipher update from c56 to support JellyBean.
(In JellyBean, SecureRandom and Cipher.RSA uses OpenSSL instead of the previous Crypto provider)


What is the algorithm use for encryption?
SecretVaultpro adopt AES encryption. AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard or DES. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level.

Where is my data?
Android has sandbox technology and each application can only access their own data area. The data stored by SecretVaultpro in the data area are encrypted with AES strong encryption.

Do I have to wait for SecretVaultpro to finish encryption?
Android is a multitasking OS ans SecretVaultpro is coded to support multi-threading. While SecretVaultpro is performing the encryption, you can switch to other app and SecretVaultpro will continue it's task in the background.

What is NG encryption in the paid edition?
NG encryption is an enhanced encryption engine that potentially improve performance up to 5x or even more.

Full disk encryption and SecretVaultpro
Not all Android version support full disk encryption and because it is not reversible, not everyone is comfortable using it. No doubt full disk encryption is most secured and can provide protection against "Chip-Off" technique, documents will be accessible once the smartphone is unlock. Documents encrypted in SecretVaultpro remain encrypted until you open the vault with a valid password. It can be useful if you occasionally allows your colleagues or family members to use your smartphone but do not want them to see any of your sensitive documents.

How Secure?
No security system is 100% guaranteed but we can lock it down as much as we can. Choose a strong password, lock your phone and remember not to enable USB debugging mode in your Android setting. With no USB debugging mode, an intruder cannot connect your smartphone to another computer to even consider a brute force attack. This is also a security reason why I recommend storing sensitive documents in the smartphone internal storage and less sensitive documents in the external memory card. To protect your sensitive documents and my own is SecretVaultpro main priority, many more capabilities are in plan to ensure we sleep better if we ever lost our smartphone.

Thoughs on mobile security

A survey of smartphone use found that almost 70% of users do not encrypt confidential data stored on them. Consider that, how many smartphone users has log in credential to their private emails, social networking account and cloud storage configured with auto-login? Some one who found your phone with weak security can easily read your confidential emails, reset and request new password to your social networking site, transfer money from your PayPal account or post your confidential photograph online. Your company might even get sued for leaking confidential data or email corespondent between you and the client.

How secure is secure?
When ask "How secure?", do you mean: "how secure" for your kid, for your spouse, for an Android guru or for an intelligence agency? The truth is, given enough resource and motivation no security system is 100% guaranteed. Then, it is not to say we should not do anything about it.

My recommendation
Password protect your smartphone, use a unguessable password or pin should be a no brainier. Enable full disk encryption is your device support it (Gingerbread, Honeycomb, ICS). However, a intruder cannot access your smartphone if your phone is password protected even without full disk encryption. Full disk encryption is useful to protect against forensic desoldering, commonly referred to as a "Chip-Off" technique within the industry - this is the last and most intrusive method to get a memory image is to desolder the non-volatile memory chip and connect it to a memory chip reader.

Next, install a remote wipe app so you can remotely wipe a phone if you ever need to do it. One problem is, remote wipe can be easily beaten if the SIM card has been removed from the smartphone. You need the smartphone to be connected in order to receive the remote wipe instruction.

The one most important of all in my opinion for Android devices is to turn off USB debugging mode. If USB debugging mode is turn on, a intruder can connect an Android device to a PC via a USB and pull files from the phone using adb shell even if it's locked or protected with full disk encryption. If the phone is rooted, application databases and configuration files (/data folders) will be freely accessible.

Factory resets
Factory reset will erase your smartphone data and reset it to it's manufacturer configuration. However, factory reset usually do not erase your storage area for your personal files such as photo album or folders you download documents and files. Consider encrypting your sensitive documents and store them in the smartphone internal storage. An external memory card can be retrieve and attack using brute force methods with another computer.

While we protects our corporate network and our home computer, your smartphone can be the weakest link in your computing security. Being mobile also means it is more likely to be misplaced and with all the credential we carried with it, it is not a subject to be taken lightly.