Recently, we've had a few questions about encryption. We've talked about how Android incorporates encryption and the changes that Nougat brings, and to get the most from those discussions an understanding of the basics is a must. Let's talk about those basics for a bit.
What exactly is encryption?
In its simplest sense, encryption is changing the way information is displayed, so that it is masked, and the only way its true form can be viewed is with a clear set of instructions.
There are plenty of ways to do this, especially when that information is digital and stored on a computer or a phone. If you've ever received a zip file or Microsoft Office document that needed a password to view, it was encrypted. The data you wanted to see was placed inside a container (think of it as a folder on your phone or computer) and the container was password protected. This method can be scaled up, even to include an entire disk or partition. To access anything on the encrypted partition, you need to unlock it with a password.
Another way to encrypt data is to physically alter what is displayed when you view it unless you can decode it. Think about an app that you could type a phrase in, and it would convert all the letters into numbers from 1 to 26. You would type a sentence, and what you would see was a bunch of numbers.
But the app knows that 1 equals a, that no number higher than 26 is valid, and has access to the operating system's dictionary to check spelling because 11 could equal "aa" or "k" depending on what word it's used in. When someone else uses the app to read what you typed, it looks normal.
Now imagine if the order of the numbers were reversed, 13 was added to numbers between 11 and 15, the whitespace between words was deleted and random data that won't be read was inserted every few letters. The file would be impossible to read without using the app, unlike the first example that could be figured out if someone wanted to try. That's what an encryption algorithm does. It helps a program turn data of any kind into a jumbled mess that can be easily decoded by the algorithm itself but would take a lot of effort and time to crack without it.
Computer algorithms can do things that are far more complicated than my simple example and take a lot less time than it did for me to count on my fingers. Encrypting a folder or a whole disk is an example of an encrypted container, and encrypted data like our example above can also be placed inside an encrypted container.
Taking our data and encrypting it, then making sure the apps and services that need to have access can decrypt and use it is extremely complicated. Thankfully, those complicated parts are handled by the hardware and operating system and all we need to do is have the right password or use the right service.
Encryption and Android
Android supports file level and container (full disk) encryption. As an application platform, it can also support encryption methods from third-parties for things like secure folders or encrypted messaging and email. Android also supports hardware backed encryption. That means there is a component inside the SoC (System on Chip — where the CPU and GPU live) that exists to help encrypt and decrypt data on the fly. The actual key to decrypt files is stored on this device and any user interaction — a password, a fingerprint, a trusted device, etc — that is used to access encrypted data is really asking the Secure Element in the hardware to do the job. Since Android 6.0 Marshmallow, all cryptographic function can be done using this Secure Element and the private key (the token used to encrypt and decrypt data) is never exposed to software. This means that without a token to present to the hardware, the data stays encrypted.
In your Android settings, you might also be able to keep the system encrypted every time it boots up until a password is entered. Having a phone running that's filled with encrypted data is pretty safe, but halting the boot process until a password is entered prevents access to the files and acts as a double-layer of protection. Either way, your login password (or PIN or pattern or fingerprint) still accesses data through the secure element and you don't have a way to get the actual private encryption key, which is the only thing that knows exactly how the data was scrambled and how to put it back together.
Your messages and web browsing can be encrypted, too. You've probably seen many sites in your browser use the HTTPS header instead if HTTP. HTTP stands for Hypertext Transfer Protocol and is the protocol (think rules) that is used to send and receive data over the internet. HTTPS stands for HTTP over SSL (Secure Sockets Layer), which adds an encryption standard to the protocol. Anything you enter into the web browser is "scrambled" with a public key you downloaded from the website when you got there, and only the private key — which the web server has — can unscramble it.
Data sent back to you is scrambled in a way that only your unique version of the public key can unscramble. You don't need to do anything except visit a secure page that has the HTTPS header. Your phone makes sure the server is really who it claims to be, using a certificate, and encrypts and decrypts data on its own through the browser app.
Messages that are encrypted usually require an app you need to download from Google Play. Apps like Signal (opens in new tab) or What'sApp offer what's called end to end encryption, which means that the app assigns keys for individual contacts or groups and only the person who it's addressed to can read a message. BlackBerry Messenger (opens in new tab) is considered secure by many, but since there is only one global key and every BlackBerry device has it, there's debate about how secure it is. BBM Protected is available for groups who require higher encryption or end to end encryption. Apple's iMessage is also encrypted end to end, but only when everyone is using an iPhone.
You use these apps like you would any other messenger — add a contact and send messages. The only difference is that those messages can be encrypted so only the two parties involved can read them.
Is encryption bad?
Some folks in some governments claim that having encryption technology available to the end user (that'd be you and me) is dangerous because it makes it impossible to monitor communications of "persons of interest". The argument can sound convincing when we're told that terrorists communicated for months using a service like Facebook or WhatsApp. But encryption itself is not a danger to anything and without it, none of our online transactions would be secure and we would have no guarantee that our chats are private. At the same time, all the private information on our phones would be easily accessible by anyone with the right tools and motivation.
If we give up any right to have encryption, we are giving up our privacy. Privacy is scary to the government because they want to know when we're not being completely law-abiding. The notion that potential criminals can be caught and some crime prevented is great, but it requires that the law-abiding citizens who want to do something as simple as buy from Amazon give up that right, too.
Only you can decide if you think encryption should be taken away from the private sector for the greater good, but you do need to know that the technology itself does no harm. Like most things, it can be abused by the user.
This really only scratches the surface of what encryption is and how it works. there are plenty of online resources that go in-depth with all the technical details. But this should give you a basic understanding of it all, and the next time you see someone talking about the merits of end to end encryption or advantages of a particular platform, you'll be able to understand and participate.
Update: February 2018: this post was checked for freshness and updated so people with questions about the basics of encryption can get started on the road to understanding it.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.
Yes, it is a moral dilemma really. I want to be safe from terrorism but I don't want authorities snooping in my affairs... This isn't going away any time soon...
You should be less concerned about authorities looking at your stuff (they don't care about you) and more concerned about non-authorities looking at your stuff like thrives (these people care about you and your stuff).
I have nightmares about thrives.
The decision is an easy one. Setting the booga booga of the fright mask of terrorism aside, history, and recent revelations at the highest levels make it clear to all but the most obedient and naive Bugman who and where the real threats are.
Get the best of Android Central in in your inbox, every day!
Thank you for signing up to Android Central. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.