Mobile device encryption: How it works and how to enable it

Mobile device encryption alters any data present on a mobile device, using one of several mathematical algorithms to scramble data based on a selected variable. These variables, called keys, include information such as a PIN, password or pattern. Once encrypted, data on the mobile device is inaccessible until the appropriate key reverses the mathematical process, restoring the data to its unencrypted state.

Corporations use mobile device encryption to:

• Protect data and ensure it is inaccessible – either purposefully through theft or accidentally through loss – to anyone without a suitable key.
• Improve device management by bolstering device security beyond conventional usernames and passwords.
• Prevent malware from accessing, changing or copying sensitive data from an encrypted device.
• Enhance an organization's regulatory compliance posture by ensuring sensitive data is protected regardless of its location.

Corporate IT employs encryption in one of three general approaches:

• File-based encryption (FBE) encrypts different files with different keys.
• Full-disk encryption (FDE) uses a single key to encrypt all data.
• End-to-end encryption (E2EE) encrypts data on the sender's device and only decrypts the data on the recipient's device.

Consequently, file-based encryption is typically viewed as more secure, ensuring a single key cannot compromise all a device's data. Full-disk encryption, on the other hand, is simpler to use. Further, not all mobile operating systems support all approaches.

Mobile device encryption attempts to protect any personal data on an encrypted device. Since mobile devices are deemed "personal," there's usually no distinction between data associated with a work app and a personal app. This encompasses emails, texts, contacts, account data such as Google account data for Android devices, application data, downloads, images and media such as music or videos. Nonpersonal data, including file metadata, is typically not encrypted.

Enabling mobile device encryption is quick and easy. Of course, it's important to review specific instructions for each OS version and device, but a typical process is summarized below.

By default, virtually all Android devices – Android 10 and later – enable mobile device encryption when a screen lock code, such as a password or PIN, is invoked. This lock code is the basis for the encryption key. Nothing else is needed. To deter attackers, though, select a long, strong lock code that's difficult to guess.

To verify encryption status on the Android device:

1. Open the device's Settings application.
2. Select Security & privacy settings or Security & location settings, depending on the version.
3. Select More security & privacy.
4. An Encryption & credentials entry near the bottom of the report should state, "Encrypted."

If the device does not state, "Encrypted," either there's an option to enable the feature, or the feature is searchable through the device's Help function.

Apple Data Protection automatically enables encryption on an iPhone or other current iOS device whenever a user chooses a passcode or biometrics, such as Face ID or Touch ID, to unlock the device. No additional steps are needed, but strong passcodes and biometric options are encouraged.

To verify encryption status on the iOS device:

1. Open the device's Settings application.
2. Select Face ID & Passcode or Touch ID & Passcode settings.
3. Look for an entry at the bottom of the page that should read, "Data Protection is enabled."

If Apple Data Protection is not enabled, there's either an option to enable it or the instructions are searchable through the device's Help function.

As mentioned above, there are three primary approaches to mobile device encryption. In greater detail, they are:

• Full-disk encryption. FDE encrypts all user and application data on the device, along with other major data elements including the OS and apps. FDE provides comprehensive device protection and is standard on most smartphones and tablets. It requires user-based authentication to access the device and its data, from biometric authentication such as fingerprint or facial recognition to more traditional mechanisms such as passwords, passcodes or PINs.
• File-based encryption. FBE provides more granular control over data protection, encrypting individual files or folders on the mobile device. Different keys protect and unlock different files at different times, delivering both improved security and greater independence. FBE is particularly handy for encrypting sensitive data such as documents or images. Android supports both FDB and FBE.
• End-to-end encryption (E2EE). E2EE encrypts data on the sender's device, ensuring it remains encrypted until reaching the recipient's device, where it is available for decryption. This prevents third parties, including service providers, from accessing the data and makes E2EE ideal for secure personal and business communication. E2EE is routinely used in messaging apps such as WhatsApp and Signal.

Encryption at the software level is a feature of Android or iOS. However, devices now include a hardware security module that performs encryption and decryption tasks. Hardware encryption, in general, offers better performance than software-based encryption and stores encryption keys with enhanced security. Both iPhones and Android devices have long supported hardware encryption.

Enabling mobile device encryption is a strong step toward device security, but it's only a start. Among the many other best practices that help secure mobile devices, consider these:

• Use strong keys. As with any authentication, strength is often a matter of complexity and uniqueness. Select strong passwords, passcodes and PINs with six digits rather than four. If the device supports biometrics, enable and use them to tie the device more closely to the user.
• Update software. Routinely update any mobile device's operating system and apps to ensure the latest patches are installed and limit software vulnerabilities. Download patches and updates only from trusted sources, including the Apple App Store and Google Play.
• Enable auto lock. Most mobile devices time out after a short idle period, saving energy by turning off the backlight. However, if enabled, auto lock also prevents device usage unless it's unlocked again. Enable auto lock and set a short timeout.
• Employ remote wipe. Mobile device configuration includes the ability to lock and wipe data remotely. Using a device finder, a web service tied to a particular device, locates and performs functions on it once it's lost or stolen—but before its data is compromised.
• Disable unused Bluetooth. While convenient, short-range Bluetooth connectivity opens the real possibility of pairing from a malicious device. Turn off Bluetooth connectivity whenever any related device is not in use.
• Avoid open, unknown or unsecured networks. Public Wi-Fi is also convenient, but malicious actors are likely to access unencrypted data, possibly compromising the device. Use only trusted networks. If a public or unknown network is necessary, use a VPN when connecting.
• Limit app permissions. Apps often request broad device permissions, subsequently accessing the device's data, camera, microphone and location. Limit these permissions if possible. For example, a user prevents an app from accessing location data when it's unnecessary, or user settings force the app to ask permission each time before use.