I recently bought a OnePlus Two. The first thing I did after getting the new phone was a full encryption under security settings.

But even after that, the files in my internal SD card, such as WhatsApp media files, images and more are accessible via a PC.

How can I prevent this? Am I missing something?

Firelord
varun

1 Answer

You can't prevent that. It is because your device is mounted to the computer via MTP. It's supposed to be visible. However, whenever you boot up, a password will be required to decrypt your device before any data can be accessed, so you need not worry. Also, MTP connections won't display any data if the device is locked. This is a security measure. In Lollipop, not even a factory reset can remove your lock.

Tamoghna Chowdhury
  • Do you mean to say that the data is already encrypted and MTP is decrypting it on the fly, and so I am able to view it on my PC? In that case, setting the default USB mode to charging will cater to my concern, I believe. One cannot ensure that the phone is switched off while it's being stolen. – varun Sep 18 '15 at 11:52
  • Very close, varun: it's not MTP doing the decryption, but Android itself (otherwise your apps couldn't read their data either, or even start). As Tamoghna already pointed out, to access your data via MTP requires the device to be unlocked first (i.e. an "unauthorized person" had to bypass your lockscreen in the first place); so changing the default USB mode doesn't matter here anyhow: having unlocked the screen, that person could also change the USB mode again. Just take care to "secure" your lockscreen (PIN/pattern/password). – Izzy Sep 18 '15 at 17:56
  • A curiosity: what would happen if I dirty flash my ROM with a custom one now? The data on the internal SD card would not be accessible, I suppose. – varun Nov 02 '15 at 04:06
  • No, the new system will recognize the partition as encrypted and ask you for the password to decrypt it on bootup. – Tamoghna Chowdhury Nov 02 '15 at 12:22
  • Okay, great, that clears all my doubts. :-) – varun Nov 20 '15 at 04:22
  • @TamoghnaChowdhury which password do you refer to? Since the unlock can be done with different methods, I guess the password doesn't correspond to the PIN code. So, how does one manage to mount the encrypted partition on another device (be it an Android phone or any other Linux machine with an SD-card reader)? Who generates the encrypting password? – Kamafeather Dec 17 '17 at 15:27
  • @Kamafeather, you're correct on the first part. Only the Android device will ask you for the correct password/PIN/pattern (this information is retained); other devices will think the SD card is corrupted or unreadable. You can mount the card via your Android device with MTP, though. There might be software which can decrypt the SD card offline, I wouldn't know. – Tamoghna Chowdhury Dec 18 '17 at 05:41
  • That was my worry: totally losing access to the SD if the device (which acts as a unique dongle) breaks. It invalidates the SD feature of being a removable/portable disk. At this point I wonder if the /data/misc/vold file would be created even with a non-adopted encrypted storage; then one could temporarily root the phone just to copy it and back it up for (maybe) mounting the SD on other devices. – Kamafeather Dec 19 '17 at 11:27
  • My 2 cents: the moment you encrypt some storage via the default mechanism, you adopt it. Makes sense that the data becomes invalid otherwise (true of any device using hardware security for encryption, like TPM for BitLocker on Windows). They might have changed this in the meantime from Lollipop to Nougat - none of my devices accept SD cards so I can't check. – Tamoghna Chowdhury Dec 19 '17 at 15:57