How mobile device encryption works to protect sensitive data

Mobile device encryption -- of both the hardware and software varieties -- is one of the best ways to secure data on smartphones and tablets.

Mobile device encryption offers an easy fix for the problem of data breaches, which are the top threat posed by lost or stolen smartphones and tablets.

Encryption is a reversible process that scrambles data into ciphertext, so anyone trying to read the data finds nothing more than jibberish. According to a study by the Ponemon Institute, two out of three lost smartphones contained sensitive or confidential business information, which makes mobile device encryption especially important. Of course, encrypting data wouldn't be helpful if the legitimate owner couldn't read it, so ciphertext can also be converted back into its original form by applying the same algorithm (cipher) and key (bit sequence). It is important to understand that ciphertext can be decrypted not just by the device's owner, but by anyone that knows -- or can guess -- the key.

Encryption is conceptually similar to locking a bicycle to deter theft. A flimsy padlock with the combination 1-2-3 will deter casual misappropriation, but will do little to stop a real thief. Stronger ciphers and longer keys are recommended for robust data protection. An example of a recommended cipher is the Advanced Encryption Standard (AES) with 256-bit keys.

Hardware encryption

So, how does mobile device encryption work? Let's start with Apple iOS devices. Every Apple device since the iPhone 3GS has had an encrypted file system. This file system is written to flash memory and contains both operating system and user data. Apple iOS devices scramble everything written to flash, then unscramble anything later read back into main memory. The keys Apple's hardware encryption uses combine factory-assigned unique device and group IDs with each device's current passcode. When your iPhone or iPad is locked, data and applications remain encrypted until your passcode is entered, after which anything you access is auto-decrypted for use or display, until the device relocks itself due to inactivity.

More on mobile device encryption

Data and device encryption on four popular OSes                

Two mobile data encryption techniques

Overview: Mobile device security

Many other mobile devices also support hardware encryption, including newer Android devices (tablets running at least version 3.0 and smartphones running at least 4.0), all BlackBerry phones and all Windows Phone 7 and Windows tablets. The details of hardware encryption vary by OS and device make and model, however.

For example, although the Android OS supports hardware encryption, most of the Android devices that are currently in use are physically incapable of hardware encryption. Android devices that are capable of encryption ship with it disabled by default. Moreover, to enable Android hardware encryption, you must first lock your Android with a PIN or passcode, because one of those values is necessary to create encryption keys.

Software encryption

Today's smartphones and tablets support software encryption in addition to hardware encryption. With software encryption, an individual program -- such as an email client, a secure browser, a secure data locker or another application -- invokes OS-supplied application program interfaces or third-party crypto library functions to encrypt and decrypt selected data. Unlike hardware encryption, which automatically scrambles everything written to or read from flash memory, software encryption scrambles only the data that a given application decides to protect. And hardware encryption uses the same cipher and key to lock or unlock all of that data, whereas software encryption can apply different protection to various pieces of data.

Why would you want to use software encryption? For starters, it is the only encryption available to protect data stored on devices that lack hardware encryption, such as Android 2.3 and Windows Phone 8 devices. Self-encrypting applications that fall into this category include NitroDesk Touchdown and Good for Enterprise. When using these programs, employees have to not only unlock their phones or tablets to decrypt data, but also respond to application prompts and enter a secondary PIN or password.

Even if a device supports hardware encryption, self-encrypting applications can offer extra protection of sensitive data, such as enterprise mail messages, attachments, contacts and documents. For example, if several workers use the same tablet, each worker must enter his or her own individual application PIN or password to unscramble software-encrypted data. If the tablet is lost, software-encrypted data can be wiped by simply "forgetting" the keys a self-encrypting application used, without having to render the entire user data partition or file system unreadable.

You may also want to use software encryption if hardware encryption fails to meet security needs. For example, someone in physical possession of an iOS device can dump file system contents using a tool such as F/OSS Lantern Lite, try to crack the device's passcode and then use it to recover hardware-encrypted data. If all sensitive information in that file system was doubly protected with software encryption, the data remains protected from prying eyes. Similarly, when an Android device is remote-wiped, the device is simply reset to factory default, leaving behind data that someone could forensically recover. Adding a layer of robust software encryption neutralizes that risk.

Best of both worlds  

Given that hardware encryption can be fallible, why not just use software encryption? Alas, software encryption is by definition inconsistent and incomplete. Some applications encrypt their own sensitive information, but the vast majority does not. Furthermore, since each application developer may apply encryption differently, some well-intentioned applications leak data or do a poor job of protecting their own encryption keys. Hardware encryption can provide baseline protection for everything stored on a mobile device, independent of software encryption.

Think of it as locking the front door to your building. If every employee has a badge to enter the building, a lost badge could allow for unauthorized access. But individual offices may still be protected by locked doors, and high-security areas may be protected by more robust locks. These extra locks deter theft and restrict access to each area, just as software encryption adds layered protection to individual applications.

Of course, there are many public buildings left open, with only specific areas locked off. Similarly, mobile device encryption policies can vary depending on mobile device type, use and ownership.

Balancing usability and strength

For example, you might require long, strong passcodes and hardware encryption on corporate-owned devices carrying highly sensitive data, while permitting basic Internet access from users' unencrypted personal devices. You might shore up weak or absent hardware encryption on those personal devices with a single self-encrypting email client or secure browser, focusing policy enforcement on corporate data and letting workers decide how to protect their own devices. You may even have some cases where hardware encryption is unwanted, such as kiosk-mode tablets intended for customer use.

The bottom line is that you should consider each device and use case, identify all data that must be protected and then choose the most effective mobile device encryption method(s). Keep in mind that PIN or password length, strength and auto-lock timeouts directly affect how easy it is for a thief in physical possession of a lost or stolen device to recover encrypted data. Where possible, increase strength through layered encryption -- which preserves the usability of frequently accessed data -- and apply more stringent protection to data that poses real business risk.

Dig Deeper on Mobile security

Unified Communications