Privacy and security? I fear not...

Marcin Dabrowsky

New member
Jan 19, 2015
303
0
0
Visit site
Hey all. The 950 XL is almost here. I've got a dilemma.

Before I begin, a little background.

Used feature phones, then BlackBerry, then droids (just about every flagship), every nexus, bla bla. Then used and loved my blackberry passport. Got rid of the passport once I realized that bb10 is dead.

Somewhere in the middle of all that I used and fell in love with the lumia 1520. Loved everything about the phone except the whacky screen that always acted Up (went through about 5 units of the 1520.3 variety).

Went back to my g4 but also spent last week with the iPhone 6s plus.

I loved the built in crypto processor on the iPhone. I feel the iPhone offers the best security with the fingerprint scanner (also encrypted on device) and never stored encryption keys to the phone on any server.

I simply couldn't keep the iPhone because I feel it isn't worth the $950 dollars I paid for it. It isn't that I can't afford it, is a Principe thing.

Anyyyyyway, on to my question...

I am either going to go with the 950XL or the new BlackBerry priv (slider, terrible name).

The deciding factor will be security.

By nature, Android is much less secure simply because of its own design. I don't like the idea of Google storing my encryption keys to the phone on their servers.

My question is, doesn't Microsoft do the same?

With Windows 10 on my computer, I was almost terrified when I read the privacy policy. They basically have full access to all your private files at will.

Will the win 10 950 XL be the same way?

As far as I know, win phone 8.1 didn't even have encryption unless you turned it on through office 360. Then those keys would be saved on msft servers.

Anyone have an idea whether this will continue?

Thanks!

Posted via the Windows Central App for Android
 

Aquila

Alienware Rogue
May 14, 2013
122
0
0
Visit site
Yes, the key is stored online in your Microsoft OneDrive Account.

The Privacy Statement doesn't change, it is a Microsoft policy, not a Windows 10 policy.
 

horseybob

New member
Apr 17, 2013
538
0
0
Visit site
Incidentally, Microsoft is the ONLY cloud services provider compliant with EU data privacy directives:
Privacy authorities across Europe approve Microsoft?s cloud commitments - The Official Microsoft Blog

HP may be as well since MS has authorized them to offer Azure and Office 365. Don't know about certification, though. Regardless, please note that MS is taking on the US Government in regards to privacy:
https://www.lawfareblog.com/second-circuit-oral-argument-microsoft-ireland-case-overview

Haven't seen Google or Apple do that. I'm not a MS employee or affiliate.
 
Last edited:

a5cent

New member
Nov 3, 2011
6,622
0
0
Visit site
Disclaimer: What I'm offering here is just what I remember off the top of my head. I'm sure about my information on iOS and WP, but my information on Android may be incomplete.

Firstly, I'm sorry to say that most of the original post sounds like rubbish to me. I'd suggest finding alternative sources for your tech information :wink: I hope you find the following helpful:

By nature, Android is much less secure simply because of its own design. I don't like the idea of Google storing my encryption keys to the phone on their servers.

It would help if you mentioned what type of encryption you're interested in, as there are many. Assuming you're talking about "full disk encryption", then none of the current solutions store their keys remotely.

Android decrypts their on-device disk encryption-key using the device's passcode. Apple bakes iOS' unique encryption-key directly into the SoC which can not be read by any software. WM/WP stores the encryption key in a TPM microchip which disallows any software but the OS from accessing it, and even that is only possible after the TPM verifies that the relevant parts of the OS are untampered with, and as with Android, the encryption key is also first decrypted using the user's passcode. Both Apple and Microsoft use hardware assisted "full disk encryption", whereas Android's is software based.

Either way, at least for "full disk encryption", all keys are stored on the device.

I loved the built in crypto processor on the iPhone. I feel the iPhone offers the best security with the fingerprint scanner (also encrypted on device) and never stored encryption keys to the phone on any server.

A lot of people feel that TouchID makes the iPhone particularly secure. The reality is that TouchID was bypassed by CCC mere days after the 5S launched, and they provided a DIY guide which anyone with a few tools and glue can follow. The hardest part is getting access to a glass surface the TouchID victim recently touched, but that is rarely impossible. Seriously, the idea that a device should be secured by a fingerprint, something none of us can ever change and which we inevitably leave behind in public places a hundred times a day is... let's say... curious.

With Windows 10 on my computer, I was almost terrified when I read the privacy policy. They basically have full access to all your private files at will.

This is BS. MS unfortunately always attracts a lot of click-bait trash journalism, and most of that garbage is still floating around the web.

Microsoft says Windows 10 does not infringe on your privacy | Windows Central

In a nutshell, W10 does exchange a lot more information with MS than previous versions of Windows did. Practically all of that is a result of more and more cloud based services being integrated into the OS however. People have been using e-mail for 20 years now, which is no different. For that to work somebody must host your personal e-mails on their servers. The technically illiterate tech-media just hasn't yet grasped that there is no difference to the newer services like Cortana, OneDrive, and Outlook. If you don't want MS to have access to your contacts, you can't store them in the cloud on Outlook. If you don't want MS to have access to your files, then you shouldn't store them on OneDrive. If you don't want MS or Google or whoever to have access to your e-mails, then you can't use their e-mail servers. Same thing.

Despite all these new cloud based services, MS never has access to any of the files you store on your device locally, and nothing contrary to that is stated in their privacy policy. In contrast to other companies, they also mention some things they even consider strictly off limits, even if you do store your information on their servers (scanning your e-mail for monetizable information being one example).

As far as I know, win phone 8.1 didn't even have encryption unless you turned it on through office 360. Then those keys would be saved on msft servers.

W10M will support device encryption without requiring access to corporate management software, but I don't know more than that yet. I think it's relatively safe to assume this will also be based on Bitlocker however, so that too would mean keys are not stored on MS' servers.
 
Last edited:

Marcin Dabrowsky

New member
Jan 19, 2015
303
0
0
Visit site
That was a very in depth and informational reply. Thank you for that. Yes I meant full phone encryption

So all 3 solutions should not store the device password backed up anywhere?

In other words, if I theoretically forget a device unlock password to my phone that's 30+ random characters of all types, no one can tell what it is without brute forcing the password? Explain how and where, is the encryption key stored please.

Posted via the Windows Central App for Android
 

a5cent

New member
Nov 3, 2011
6,622
0
0
Visit site
So all 3 solutions should not store the device password backed up anywhere?

In other words, if I theoretically forget a device unlock password to my phone that's 30+ random characters of all types, no one can tell what it is without brute forcing the password? Explain how and where, is the encryption key stored please.

Posted via the Windows Central App for Android

That you were certain Android stores some cypher key on Google's servers still makes me sceptical we're really talking about the same thing here. A link to that statement would be appreciated.

Everything I have ever read on full disk encryption, for all three OSes, has always explicitly stated that the keys are stored on the device and on the device only.

As stated, the encryption keys are either directly baked into the SoC and not accessible at all (iPhone), in the TPM chip (WP), or they are saved normally in storage (Android).

As stated, for WP and Android, the keys themselves are also encrypted. The key is decrypted using your PIN or passcode (4+ characters, not 30+) and the unencrypted key is never stored anywhere but in RAM. The unencrypted key is then used to decrypt your data.

There are ways to circumvent full disk encryption, but it requires the participation of expert cryptographers and engineers with access to a lot of sophisticated and expensive equipment who (for WP and iOS) must also have your entire device. Without that, brute forcing is the only alternative, which is pretty much hopeless.
 
Last edited:

Pete

Retired Moderator
Nov 12, 2012
4,593
0
0
Visit site
Yep. When you forget the PIN code on a Windows Phone for more than a few times, you'll be locked out for x amount of minutes. Every time you get the PIN wrong after that, the handset is locked for longer and longer periods. Therefore a brute-force attack (while on the face of it simple for a 4 digit code) could easily entail multiple years of attempts and is a pointless exercise.
 

Marcin Dabrowsky

New member
Jan 19, 2015
303
0
0
Visit site
Thanks again for the replies. Sorry I was a bit tired last night and probably didn't come across clear in my questions. I did mean full disk encryption. What you said about the cloud connection makes perfect sense. If I want to keep something private, I simply keep it on a local storage or sd card (encrypted) and lock the phone with a strong passphrase. My passphrase to access the DEVICE itself is not stored anywhere else other than my brain.

I think your statement on click-bait and scare tactics of some websites is correct.

BTW the Live event was awesome. I can't wait to get my hands on the new phones.
 

Marcin Dabrowsky

New member
Jan 19, 2015
303
0
0
Visit site
Sorry to bring this back up, but it looks like the official specs list consumer grade security with a lock screen and only Enterprise grade with hardware backed encryption. What gives?

Posted via the Windows Central App for Android
 
Last edited:

a5cent

New member
Nov 3, 2011
6,622
0
0
Visit site
Sorry to bring this back up, but it looks like the official specs list consumer grade security with a lock screen and only Enterprise grade with hardware backed encryption. What gives?

Posted via the Windows Central App for Android

Would be really nice if you could start providing links so there are no misunderstandings about what you are referring to... thanks...
 

Pete

Retired Moderator
Nov 12, 2012
4,593
0
0
Visit site
Sorry to bring this back up, but it looks like the official specs list consumer grade security with a lock screen and only Enterprise grade with hardware backed encryption. What gives?

Basically speaking, when you have a phone that's attached to a corporate account (usually Microsoft Exchange), the device can be administered via MDM (Mobile Device Management). This allows the corporation to define how people use their devices and can lock down various features. It can also enforce a more rigid password (alphanumeric, or as in my case, more numbers in the PIN code). This is probably overkill for most consumer users.
 

Members online

Forum statistics

Threads
322,910
Messages
2,242,884
Members
428,005
Latest member
COME ON WIN ANDROID (ADI)