TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 1 Mobiflage: Deniable Storage Encryption for Mobile Devices Adam Skillen and Mohammad Mannan Abstract—Data confidentiality can be effectively preserved through encryption. In certain situations, this is inadequate, as users may be coerced into disclosing their decryption keys. Steganographic techniques and deniable encryption algorithms have been devised to hide the very existence of encrypted data. We examine the feasibility and efficacy of deniable encryption for mobile devices. To address obstacles that can compromise plausibly deniable encryption (PDE) in a mobile environment, we design a system called Mobiflage. Mobiflage enables PDE on mobile devices by hiding encrypted volumes within random data in a devices free storage space. We leverage lessons learned from deniable encryption in the desktop environment, and design new countermeasures for threats specific to mobile systems. We provide two implementations for the Android OS, to assess the feasibility and performance of Mobiflage on different hardware profiles. MF-SD is designed for use on devices with FAT32 removable SD cards. Our MF-MTP variant supports devices that instead share a single internal partition for both apps and user accessible data. MF-MTP leverages certain Ext4 file system mechanisms and uses an adjusted data-block allocator. These new techniques for storing hidden volumes in Ext4 file systems can also be applied to other file systems to enable deniable encryption for desktop OSes and other mobile platforms. Index Terms—File system security, Mobile platform security, Storage Encryption, Deniable encryption ✦ 1 INTRODUCTION AND MOTIVATION plaintext can be recovered by decrypting with the true key. In the event that a ciphertext is intercepted, and the Smartphones and other mobile computing devices are user is coerced into revealing the key, she may instead being widely adopted globally. For instance, accord- provide a decoy key to reveal a plausible and benign ing to a comScore report [2], there are more than decoy message. The Rubberhose file system for Linux 119 million smartphone users in the USA alone, as (developed by Assange et al. [4]) is the first known of Nov. 2012. With this increased use, the amount of instance of a PDE-enabled storage system. personal/corporate data stored in mobile devices has Some real-world scenarios may mandate the use of also increased. Due to the sensitive nature of (some PDE-enabled storage—e.g., a professional/citizen jour- of) this data, all major mobile OS manufacturers now nalist, or human rights worker operating in a region include some level of storage encryption. Some vendors of conflict or oppression. In a recent incident [5], an use file based encryption, such as Apple’s iOS, while individual risked his life to smuggle his phone’s micro others implement “full disk encryption” (FDE). Google SD card, containing evidence of atrocities, across inter- introduced FDE in Android 3.0 (for tablets only); FDE national borders by stitching the card beneath his skin. is now available for all Android 4.x devices, including Mobile phones have been extensively used to capture tablets and smartphones. and publish many images and videos of recent popular While Android FDE is a step forward, it lacks deniable revolutions and civil disobedience. When a repressive encryption—a critical feature in some situations, e.g., regime disables network connectivity in its jurisdiction, when users want to provide a decoy key in a plausible PDE-enabled storage on mobile devices can provide a vi- manner, if they are coerced to give up decryption keys. able alternative for data exfiltration. With the ubiquity of Plausibly deniable encryption (PDE) was first explored smartphones, we postulate that PDE would be an attrac- by Canetti et al. [3] for parties communicating over a tive or even a necessary feature for mobile devices. Note, network. As it applies to storage encryption, PDE can be however, that PDE is only a technical measure to prevent simplified as follows: different reasonable and innocu- a user from being punished if caught with contentious ous plaintexts may be output from a given ciphertext, material; an adversary can always wipe/confiscate the when decrypted under different decoy keys. The original device itself if such material is suspected to exist. This work is the extension of an NDSS 2013 publication [1]. Several existing solutions support full disk encryption • A. Skillen is currently with the Carleton Computer Security Lab at with plausible deniability in regular desktop operating Carleton University, Ottawa, Canada, and was at Concordia University, systems. Possibly the most widely used such tool is Montreal, Canada when performing this research. TrueCrypt [6]. To our knowledge, no such solutions E-mail: [email protected] • M. Mannan is with the Concordia Institute for Information Systems exist for any mainstream mobile OSes, although PDE Engineering at Concordia University, Montreal, Canada. support is apparently more important for these systems, E-mail: [email protected]. as mobile devices are more widely used and portable than laptops or desktops. Also, porting desktop PDE 2 TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING solutions to mobile devices is not straightforward due intensive applications. We also perform file system to the tight coupling between hardware and software benchmarks to determine the impact of our mod- components, and intricacies of the system boot proce- ified Ext4 driver. In a Nexus S device, our imple- dure. For example, in Android, the framework must be mentation appears to perform almost as efficiently partially loaded to use the soft keyboard for collecting as the default Android 4.x encryption for the ap- decoy/true passwords; and the TrueCrypt bootloader is plications we tested. However, the Mobiflage setup only designed to chainload Windows. phase takes more time than Android FDE, due to a We introduce Mobiflage, a PDE-enabled storage en- two-pass wipe of the storage (our Nexus S required cryption system for the Android OS. It includes coun- almost twice as long; exact timing will depend on termeasures for known attacks against desktop PDE the size and type of storage). implementations (e.g., [7]). We also explore challenges more specific to using PDE systems in a mobile envi- 2 THREAT MODEL AND ASSUMPTIONS ronment, including: collusion of cellphone carriers with an adversary; the use of flash-based storage as opposed In this section, we discuss Mobiflage’s threat model and to traditional magnetic disks; and file systems such as operational assumptions, and few legal aspects of using Ext4 (as used in Android) that are not so favorable to PDE in general. The major concern with maintaining PDE. Mobiflage addresses several of these challenges. plausible deniability is whether the system will provide However, to effectively offer deniability, Mobiflage must some indication of the existence of any hidden data. be widely deployed, e.g., adopted in the mainstream Mobiflage’s threat model is mostly based on past work Android OS. As such, we implement our Mobiflage on desktop PDE solutions (cf. TrueCrypt [6]); we also prototype to be compatible with Android 4.x. include threats more specific to mobile devices. Threat model and operational assumptions. Our contributions include: 1) Mobiflage must be merged with the Android code 1) We explore sources of leakage inherent to mobile stream, or a widely used custom firmware based on devices that may compromise deniable storage en- Android (e.g., CyanogenMod1) to ensure that many cryption. Several of these leakage vectors have not devices are capable of using PDE. Then an adversary been analyzed for existing desktop PDE solutions. will be unable to make assumptions about the pres- 2) We present the Mobiflage PDE scheme based on ence of hidden volumes based on the availability hidden encrypted volumes—the first such scheme of software support. We do not require a large for mobile systems to the best of our knowledge. user base to employ PDE; it is sufficient that the 3) We introduce two variants of Mobiflage to address capability is widespread, so the availability of PDE several challenges specific to different Android will not be a red flag. Similar to TrueCrypt [6], all hardware profiles. Mobiflage for devices with re- installations of Mobiflage include PDE capabilities. movable SD cards (MF-SD) avoids PDE-unfriendly 2) The adversary has the encrypted device and full features of the Ext4 file system by storing hidden knowledge of Mobiflage’s design, but lacks the PDE volumes within the FAT32-based external partition. key and password. The existence and location of the Devices, such as the Nexus S, which use an internal hidden volume is therefore also unknown. eMMC partition to emulate removable SD storage 3) The adversary has some means of coercing the are also supported by MF-SD. Newer devices, such user to reveal their encryption keys and passwords as the Nexus 4 and HTC One, have neither physical (e.g., unlock-screen secret), but will not continue to nor emulated external storage. Instead, they rely on punish the user in vain. To successfully provide the media transfer protocol (MTP) and share a single deniability in Mobiflage, the user is expected to Ext4-formatted partition for both the (internal) app refrain from disclosing the true key. storage and (external) user data storage. To support 4) The adversary can directly access the device’s stor- these devices, we present MF-MTP, by making sub- age, and can have root-level access to the device tle changes to the Ext4 file system. For the remainder after capturing it. The adversary can then manip- of the document, the term Mobiflage will refer to the ulate disk sectors, including encryption/decryption high level design. The terms MF-SD and MF-MTP under any decoy keys learned from the user; this can will refer to the specific implementation variants.