One major difference is that it is so much easier to lock yourself out of the desktop TPM chip compared to mobile device security chips because they’re not tightly coupled.
and phones make you use your unlock pin often, so people are forced to remember it. on the other hand windows lets you use a short pin instead of your full account password pretty much forever which results in people forgetting the password completely.
That isnt even the part it is encrypted, the TPM encryption is either “Automatic” or over a password (any length) on startup so far i know it from my work with Bitlocker (tpm 2.0) on windows 10. Idk if this is different on windows 11.
Android I think just uses same credentials you use to unlock account, at least I am not aware of any recovery key. And you are prompted for credentials from time to time so it is harder to forget. I use fingerprint as main unlock + pattern and I have to enter pattern roughly once a week I think.
On Windows if you set up Windows Hello (fingerprint or PIN usually), you are not reminded to enter password afterwards so eventually you can forget it. And if you do not know your password and cannot recover account, you will not be able to retrieve BitLocker recovery key. So fix to this problem could be another annoyance to users if it would be implemented as Android does it.
All devices launching with Android 10 and higher are required to use file-based encryption.
To use the AOSP implementation of FBE securely, a device needs to meet the following dependencies:
Kernel Support for Ext4 encryption or F2FS encryption.
Keymaster Support with HAL version 1.0 or higher. There is no support for Keymaster 0.3 as that does not provide the necessary capabilities or assure sufficient protection for encryption keys.
Keymaster/Keystore and Gatekeeper must be implemented in a Trusted Execution Environment (TEE) to provide protection for the DE keys so that an unauthorized OS (custom OS flashed onto the device) cannot simply request the DE keys.
Hardware Root of Trust and Verified Boot bound to the Keymaster initialization is required to ensure that DE keys are not accessible by an unauthorized operating system.
Yeah, nothing important. Just your banking apps, personal documents, photos, government apps, emails, all the services linked to your phone via mobile number, personal chats, work chats, 2fa codes, some other not important stuff. But at least it doesn’t have your games. Unless you play games on your phone, then you are fucked.
You’re assuming they actually understand proper data protection procedures. You have a very misplaced amount of faith in the knowledge of the average person. Plenty of people just expect stuff to work and are horrified when they realize they’re not.
I saw that all the time when I worked in mobile phone sales/support.
Isn’t that what Iphone and Android already do?
One major difference is that it is so much easier to lock yourself out of the desktop TPM chip compared to mobile device security chips because they’re not tightly coupled.
and phones make you use your unlock pin often, so people are forced to remember it. on the other hand windows lets you use a short pin instead of your full account password pretty much forever which results in people forgetting the password completely.
That isnt even the part it is encrypted, the TPM encryption is either “Automatic” or over a password (any length) on startup so far i know it from my work with Bitlocker (tpm 2.0) on windows 10. Idk if this is different on windows 11.
Huh … I never noticed. Probably because my phone OS never failed to boot, requiring me to pull data off the HDD directly.
Samsung is notorious for this.
Android I think just uses same credentials you use to unlock account, at least I am not aware of any recovery key. And you are prompted for credentials from time to time so it is harder to forget. I use fingerprint as main unlock + pattern and I have to enter pattern roughly once a week I think.
On Windows if you set up Windows Hello (fingerprint or PIN usually), you are not reminded to enter password afterwards so eventually you can forget it. And if you do not know your password and cannot recover account, you will not be able to retrieve BitLocker recovery key. So fix to this problem could be another annoyance to users if it would be implemented as Android does it.
The only phone manufacture that does that is Google with pixel. Any other phone is for my knowledge either “weakly” encrypted or not at all.
Still your Mobile OS isnt just upgrading and encrypting your SD card and main drive. Thats the point.
https://source.android.com/docs/security/features/encryption/file-based?hl=en
Different threat model and usage scenario. See the spilled milk comment.
Most people don’t have anything of importance on their phones. And the tuning options are almost absent on phones, so it is less problematic bug-wise.
For many, a mobile device is their sole computer, and things of importance to them are stored on it.
deleted by creator
Le banking app.
But THAT is recoverable EASILY, not like lost forever if you dont recover data from that phones storage.
Something like OTP are rather more important.
Well, I wasn’t talking about recovery, but need for encryption.
I guess thats true.
Yeah, nothing important. Just your banking apps, personal documents, photos, government apps, emails, all the services linked to your phone via mobile number, personal chats, work chats, 2fa codes, some other not important stuff. But at least it doesn’t have your games. Unless you play games on your phone, then you are fucked.
No you’re right, nobody has precious photos or videos on their phone 🙄
If they don’t save those photos somewhere else from time to time, it means those photos aren’t that important.
You’re assuming they actually understand proper data protection procedures. You have a very misplaced amount of faith in the knowledge of the average person. Plenty of people just expect stuff to work and are horrified when they realize they’re not.
I saw that all the time when I worked in mobile phone sales/support.
I backup my precious dick pics at several offsite locations by sending them to as many people as possible as often as possible.
8-
This is a post about people who don’t understand encryption.
https://en.m.wikipedia.org/wiki/False_equivalence