1. Marcin Dabrowsky
    Hey all. The 950 XL is almost here. I've got a dilemma.

    Before I begin, a little background.

    Used feature phones, then BlackBerry, then droids (just about every flagship), every Nexus, bla bla. Then used and loved my BlackBerry Passport. Got rid of the Passport once I realized that BB10 is dead.

    Somewhere in the middle of all that I used and fell in love with the Lumia 1520. Loved everything about the phone except the wacky screen that always acted up (went through about 5 units of the 1520.3 variety).

    Went back to my g4 but also spent last week with the iPhone 6s plus.

    I loved the built in crypto processor on the iPhone. I feel the iPhone offers the best security with the fingerprint scanner (also encrypted on device) and never stored encryption keys to the phone on any server.

    I simply couldn't keep the iPhone because I feel it isn't worth the $950 dollars I paid for it. It isn't that I can't afford it, it's a principle thing.

    Anyyyyyway, on to my question...

    I am either going to go with the 950XL or the new BlackBerry Priv (slider, terrible name).

    The deciding factor will be security.

    By nature, Android is much less secure simply because of its own design. I don't like the idea of Google storing my encryption keys to the phone on their servers.

    My question is, doesn't Microsoft do the same?

    With Windows 10 on my computer, I was almost terrified when I read the privacy policy. They basically have full access to all your private files at will.

    Will the win 10 950 XL be the same way?

    As far as I know, win phone 8.1 didn't even have encryption unless you turned it on through office 360. Then those keys would be saved on msft servers.

    Anyone have an idea whether this will continue?

    Thanks!

    Posted via the Windows Central App for Android
    10-05-2015 07:23 PM
  2. Aquila
    Yes, the key is stored online in your Microsoft OneDrive Account.

    The Privacy Statement doesn't change, it is a Microsoft policy, not a Windows 10 policy.
    10-05-2015 07:32 PM
  3. horseybob
    Incidentally, Microsoft is the ONLY cloud services provider compliant with EU data privacy directives:
    Privacy authorities across Europe approve Microsoft's cloud commitments - The Official Microsoft Blog

    HP may be as well since MS has authorized them to offer Azure and Office 365. Don't know about certification, though. Regardless, please note that MS is taking on the US Government in regards to privacy:
    https://www.lawfareblog.com/second-c...-case-overview

    Haven't seen Google or Apple do that. I'm not a MS employee or affiliate.
    Last edited by horseybob; 10-05-2015 at 08:52 PM. Reason: Clarification
    10-05-2015 08:48 PM
  4. a5cent
    Disclaimer: What I'm offering here is just what I remember off the top of my head. I'm sure about my information on iOS and WP, but my information on Android may be incomplete.

    Firstly, I'm sorry to say that most of the original post sounds like rubbish to me. I'd suggest finding alternative sources for your tech information. I hope you find the following helpful:

    > By nature, Android is much less secure simply because of its own design. I don't like the idea of Google storing my encryption keys to the phone on their servers.
    It would help if you mentioned what type of encryption you're interested in, as there are many. Assuming you're talking about "full disk encryption", then none of the current solutions store their keys remotely.

    Android decrypts their on-device disk encryption-key using the device's passcode. Apple bakes iOS' unique encryption-key directly into the SoC which can not be read by any software. WM/WP stores the encryption key in a TPM microchip which disallows any software but the OS from accessing it, and even that is only possible after the TPM verifies that the relevant parts of the OS are untampered with, and as with Android, the encryption key is also first decrypted using the user's passcode. Both Apple and Microsoft use hardware assisted "full disk encryption", whereas Android's is software based.

    Either way, at least for "full disk encryption", all keys are stored on the device.

    > I loved the built in crypto processor on the iPhone. I feel the iPhone offers the best security with the fingerprint scanner (also encrypted on device) and never stored encryption keys to the phone on any server.
    A lot of people feel that TouchID makes the iPhone particularly secure. The reality is that TouchID was bypassed by CCC mere days after the 5S launched, and they provided a DIY guide which anyone with a few tools and glue can follow. The hardest part is getting access to a glass surface the TouchID victim recently touched, but that is rarely impossible. Seriously, the idea that a device should be secured by a fingerprint, something none of us can ever change and which we inevitably leave behind in public places a hundred times a day is... let's say... curious.

    > With Windows 10 on my computer, I was almost terrified when I read the privacy policy. They basically have full access to all your private files at will.
    This is BS. MS unfortunately always attracts a lot of click-bait trash journalism, and most of that garbage is still floating around the web.

    Microsoft says Windows 10 does not infringe on your privacy | Windows Central

    In a nutshell, W10 does exchange a lot more information with MS than previous versions of Windows did. Practically all of that is a result of more and more cloud based services being integrated into the OS however. People have been using e-mail for 20 years now, which is no different. For that to work somebody must host your personal e-mails on their servers. The technically illiterate tech-media just hasn't yet grasped that there is no difference to the newer services like Cortana, OneDrive, and Outlook. If you don't want MS to have access to your contacts, you can't store them in the cloud on Outlook. If you don't want MS to have access to your files, then you shouldn't store them on OneDrive. If you don't want MS or Google or whoever to have access to your e-mails, then you can't use their e-mail servers. Same thing.

    Despite all these new cloud based services, MS never has access to any of the files you store on your device locally, and nothing contrary to that is stated in their privacy policy. In contrast to other companies, they also mention some things they even consider strictly off limits, even if you do store your information on their servers (scanning your e-mail for monetizable information being one example).

    > As far as I know, win phone 8.1 didn't even have encryption unless you turned it on through office 360. Then those keys would be saved on msft servers.
    W10M will support device encryption without requiring access to corporate management software, but I don't know more than that yet. I think it's relatively safe to assume this will also be based on BitLocker however, so that too would mean keys are not stored on MS' servers.
    Last edited by a5cent; 10-08-2015 at 06:31 AM. Reason: spelling and additional info on MS privacy policy.
    10-05-2015 09:17 PM
  5. Marcin Dabrowsky
    That was a very in depth and informational reply. Thank you for that. Yes, I meant full phone encryption.

    So all 3 solutions should not store the device password backed up anywhere?

    In other words, if I theoretically forget a device unlock password to my phone that's 30+ random characters of all types, no one can tell what it is without brute forcing the password? Explain how and where the encryption key is stored, please.

    Posted via the Windows Central App for Android
    10-05-2015 11:29 PM
  6. a5cent
    > So all 3 solutions should not store the device password backed up anywhere?
    >
    > In other words, if I theoretically forget a device unlock password to my phone that's 30+ random characters of all types, no one can tell what it is without brute forcing the password? Explain how and where the encryption key is stored, please.
    >
    > Posted via the Windows Central App for Android
    That you were certain Android stores some cypher key on Google's servers still makes me sceptical we're really talking about the same thing here. A link to that statement would be appreciated.

    Everything I have ever read on full disk encryption, for all three OSes, has always explicitly stated that the keys are stored on the device and on the device only.

    As stated, the encryption keys are either directly baked into the SoC and not accessible at all (iPhone), in the TPM chip (WP), or they are saved normally in storage (Android).

    As stated, for WP and Android, the keys themselves are also encrypted. The key is decrypted using your PIN or passcode (4+ characters, not 30+) and the unencrypted key is never stored anywhere but in RAM. The unencrypted key is then used to decrypt your data.

    There are ways to circumvent full disk encryption, but it requires the participation of expert cryptographers and engineers with access to a lot of sophisticated and expensive equipment who (for WP and iOS) must also have your entire device. Without that, brute forcing is the only alternative, which is pretty much hopeless.
    Last edited by a5cent; 10-08-2015 at 06:33 AM. Reason: spelling
    10-06-2015 06:57 AM
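
The scheme post 6 describes (a disk key that is stored only in encrypted form and unlocked with the user's passcode) can be modelled as below. This is an added sketch, not part of the thread and not any vendor's code: the function names, the PBKDF2 iteration count and the HMAC-SHA256 keystream (a standard-library stand-in for AES) are assumptions, and the TPM or SoC hardware binding mentioned in the thread is not modelled.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor; real devices pick their own

def _keys(passcode: str, salt: bytes):
    """Stretch the passcode into an encryption key and a MAC key (the KEK)."""
    k = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for AES in this sketch."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_dek(dek: bytes, passcode: str) -> dict:
    """Return the blob that may sit in flash: the disk key encrypted under the KEK."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passcode, salt)
    ct = _xor_stream(enc_key, nonce, dek)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_dek(blob: dict, passcode: str):
    """Recover the disk key into memory; None if the passcode is wrong or the blob was altered."""
    enc_key, mac_key = _keys(passcode, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor_stream(enc_key, blob["nonce"], blob["ct"])

def change_passcode(blob: dict, old: str, new: str) -> dict:
    """Re-wrap the same disk key under a new passcode; user data is not re-encrypted."""
    dek = unwrap_dek(blob, old)
    if dek is None:
        raise ValueError("old passcode rejected")
    return wrap_dek(dek, new)

if __name__ == "__main__":
    dek = os.urandom(32)                    # constructed sample disk key
    blob = wrap_dek(dek, "4831")            # constructed sample PIN
    print(unwrap_dek(blob, "4831") == dek)  # correct PIN recovers the key
    print(unwrap_dek(blob, "4832"))         # wrong PIN yields nothing
```

Only the wrapped blob is persisted; the passcode and the unwrapped key exist in memory alone, which is why a forgotten passcode cannot be looked up anywhere.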
  7. Pete
    Yep. When you forget the PIN code on a Windows Phone for more than a few times, you'll be locked out for x amount of minutes. Every time you get the PIN wrong after that, the handset is locked for longer and longer periods. Therefore a brute-force attack (while on the face of it simple for a 4 digit code) could easily entail multiple years of attempts and is a pointless exercise.
    10-06-2015 07:12 AM
  8. Marcin Dabrowsky
    Thanks again for the replies. Sorry I was a bit tired last night and probably didn't come across clear in my questions. I did mean full disk encryption. What you said about the cloud connection makes perfect sense. If I want to keep something private, I simply keep it on a local storage or sd card (encrypted) and lock the phone with a strong passphrase. My passphrase to access the DEVICE itself is not stored anywhere else other than my brain.

    I think your statement on click-bait and scare tactics of some websites is correct.

    BTW the Live event was awesome. I can't wait to get my hands on the new phones.
    10-06-2015 10:37 AM
  9. Marcin Dabrowsky
    Sorry to bring this back up, but it looks like the official specs list consumer grade security with a lock screen and only Enterprise grade with hardware backed encryption. What gives?

    Posted via the Windows Central App for Android
    Last edited by Marcin Dabrowsky; 10-07-2015 at 02:19 PM.
    10-07-2015 12:01 PM
  10. a5cent
    > Sorry to bring this back up, but it looks like the official specs list consumer grade security with a lock screen and only Enterprise grade with hardware backed encryption. What gives?
    >
    > Posted via the Windows Central App for Android
    Would be really nice if you could start providing links so there are no misunderstandings about what you are referring to... thanks...
    10-07-2015 02:31 PM
  11. Marcin Dabrowsky
    Taken directly from Microsoft's website for the 950xl spec sheet off Microsoft.com

    Posted via the Windows Central App for Android
    10-08-2015 02:25 AM
  12. Pete
    > Sorry to bring this back up, but it looks like the official specs list consumer grade security with a lock screen and only Enterprise grade with hardware backed encryption. What gives?
    Basically speaking, when you have a phone that's attached to a corporate account (usually Microsoft Exchange), the device can be administered via MDM (Mobile Device Management). This allows the corporation to define how people use their devices and can lock down various features. It can also enforce a more rigid password (alphanumeric, or as in my case, more numbers in the PIN code). This is probably overkill for most consumer users.
    10-08-2015 02:35 AM
