The personal data stored on your Android device is not as secure as you may think once the device falls into the wrong hands. Sure, a lost or stolen smartphone is protected by some sort of unlock code, but that alone does not guarantee that your data stays private.

AllThingsD talked to Thomas Cannon, Viaforensics’ director of research and development, at the Defcon hacker conference, who revealed that the passwords people actually use to protect their Android devices are the weak link that can be exploited to bypass the device’s encryption.

Apparently hackers won’t try to find a flaw in the “Linux-based encryption,” but rather go for the passwords that protect it, which are pretty weak:

That’s because Android uses the same password to decrypt the data on the phone as is used to unlock the device. People tend to use either short PIN numbers, simple patterns or easy-to-remember words. As a result, the encryption is fairly easily broken, through what is known as a brute-force attack.

One way to close this weakness is for Google to implement a two-password system: one password for booting the device, used to decrypt the storage during boot, and a separate one for unlocking the device.
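To make the two designs concrete, here is an added example (not code from the article, from Viaforensics, or from Android itself): a toy model in which a random disk key is wrapped under key material derived from a user secret. In the first configuration the same PIN both unlocks the screen and unwraps the disk key, so anyone holding a copy of the storage can search the PIN keyspace offline without the lockscreen's attempt counter ever being consulted; in the split configuration a long boot passphrase keys the disk and the PIN only gates the screen. The KDF (PBKDF2-HMAC-SHA256), its iteration count, the wipe-after-N-failures lockscreen policy, and the guess rates are assumptions chosen for illustration, not documented Android parameters.

```python
# Added example (not from the article or from Viaforensics/Android): a toy model of
# disk encryption keyed from a user secret, contrasting the single-secret design the
# article describes with the two-secret split it proposes, plus a keyspace estimator.
# KDF parameters, rates and lockout threshold are assumptions chosen for illustration.
import hashlib
import hmac
import math
import secrets

KDF_ITERATIONS = 2000          # assumed iteration count, not a documented Android value
DISK_KEY_LEN = 32
MAX_UNLOCK_ATTEMPTS = 10       # assumed lockscreen policy: wipe after this many failures


def derive(secret: str, salt: bytes, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA256: stretches a low-entropy secret into key material."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS, dklen)


def wrap_disk_key(disk_key: bytes, secret: str) -> dict:
    """Protect a random disk key under key material derived from `secret`.

    The first 32 derived bytes mask the disk key (each KEK is used once, under a
    fresh salt); the next 32 key an HMAC so that a wrong secret is detected
    instead of silently yielding garbage.
    """
    salt = secrets.token_bytes(16)
    material = derive(secret, salt)
    kek, mac_key = material[:32], material[32:]
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kek))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_disk_key(blob: dict, secret: str):
    """Return the disk key, or None if `secret` is wrong (an offline check: no lockout)."""
    material = derive(secret, blob["salt"])
    kek, mac_key = material[:32], material[32:]
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


class LockScreen:
    """Online verifier for the unlock secret, rate-limited by an attempt counter."""

    def __init__(self, secret: str):
        self.salt = secrets.token_bytes(16)
        self.verifier = derive(secret, self.salt, 32)
        self.failures = 0
        self.wiped = False

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            return False
        if hmac.compare_digest(derive(guess, self.salt, 32), self.verifier):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_UNLOCK_ATTEMPTS:
            self.wiped = True   # assumed policy: erase after repeated failures
        return False


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive offline search must cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen secret of this shape, in bits."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case offline search time at an assumed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


if __name__ == "__main__":
    disk_key = secrets.token_bytes(DISK_KEY_LEN)

    # Design the article describes: one secret unlocks the screen and keys the disk.
    pin = "2580"                                   # constructed sample PIN
    single = wrap_disk_key(disk_key, pin)
    # Searching the 4-digit keyspace offline needs at most 10**4 unwrap attempts,
    # and the lockscreen counter never sees any of them.
    print(f"4-digit PIN: {keyspace(10, 4)} candidates, {entropy_bits(10, 4):.1f} bits")

    # Proposed split: a long boot passphrase keys the disk, the PIN only gates the screen.
    boot_secret = "correct horse battery staple"   # constructed sample passphrase
    split = wrap_disk_key(disk_key, boot_secret)
    screen = LockScreen(pin)
    assert unwrap_disk_key(split, boot_secret) == disk_key
    assert unwrap_disk_key(split, pin) is None     # the PIN no longer unwraps the disk key
    print(f"8-char letters+digits: {keyspace(62, 8)} candidates, {entropy_bits(62, 8):.1f} bits")
    print(f"PIN guesses tolerated at the lockscreen before wipe: {MAX_UNLOCK_ATTEMPTS}")
```

The point the model makes is that a lockscreen attempt counter only protects the online path; once the encrypted storage can be copied, the only defences left are the entropy of whatever secret keys the disk and the cost of each KDF evaluation. Separating the boot passphrase from the unlock PIN lets the disk secret be long while the PIN stays convenient.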

The publication points out that only Android devices running Android 3.0 or later come with encrypted data, while previous Android versions don’t offer this security feature to users.

This is the second report in as many weeks detailing security deficiencies in Android; a previous story revealed that devices running any Android version up to Jelly Bean are prone to malicious attacks. The good news is that Jelly Bean is more secure than its predecessors, but then again, not all Android devices out there will be able to run it.

  • derekross

    Not really an issue. More of a password issue. All they are saying is weak passwords can be brute-force exploited. If a user picks a strong password, they’re fine. As with all other services in the world, use a strong password, you won’t regret it.

  • The phone has to be unlocked for this attack to work. An important fact you miss completely. Also, if you talk about the NFC attack, this only works with older browsers. Why can’t you bloggers give Android the benefit of the doubt from time to time to compensate for the constant badmouthing by the media?! Can you imagine an Apple blog that posts about iOS deficiencies without fact checking?!

  • George

    Stupid blog! The title should be: attacking weak passwords, not “Android phone encryption can be bypassed”.
    All weak passwords can be brute forced, may it be email passwords, fb passwords, etc.
    If a password is strong enough (has capital letters, numbers, symbols), it is very hard to brute force, and may even take years to do it.
    Brute forcing even just a 7 character password would take more than two months to achieve, and that’s only for passwords with letters and numbers. Putting symbols on your query would take a lot longer.

  • Scout

    iPhone has one feature: erase all data after 10 failed passcode attempts. Android doesn’t have this feature.