TWRP custom recovery project lead developer Ethan "Dees Troy" Yonker discovered that Android 7 stores a file that shows information about how encryption passwords are composed. This file could make it easier for someone to brute-force their way into phones running the mobile operating system, code named Nougat.
Yonker found a “device_policies.xml” file in the /data/system/ folder that reveals encryption password information such as:
<active-password quality="131072" length="4" uppercase="0" lowercase="0" letters="0" numeric="4" symbols="0" nonletter="4" />
This means someone who has your phone and is trying to unlock it by brute-forcing its encryption password could do it significantly faster now. The attackers would not only be able to configure their password cracking tool to avoid searching for uppercase letters and symbols, for example, but they’d also know not to bother searching for shorter or longer passwords than necessary. Thus, the process could be less time-consuming and more precise.
Android 7’s More Vulnerable File-Based Encryption
Google introduced file-based encryption in Android 7, arguably for little benefit. The company said file-based encryption is necessary to help alarms survive a random phone reset or to let some apps display information even when a device is locked. However, when Google introduced this change, I expressed skepticism about it because it could allow for new ways to unlock a device and bypass its encryption thanks to new security vulnerabilities.
It seems that we may now be seeing the first kind of these vulnerabilities, and more may appear in the future. According to Yonker, the password information can be accessed on devices that use the password-less file-based encryption. However, if the old-style full disk encryption was used, this information would only be available after the password has already been entered.
According to pseudonymous security expert The Grugq, both of Android’s encryption methods are weaker than what you can find on iOS, because all of the phone's data is unlocked even if you use full disk encryption. On iOS, the accessible data is more limited even after the phone is unlocked.
Latest iOS Version Also Vulnerable To Fast Password Cracking
However, the latest version of iOS also made it much easier to brute-force its passwords for encrypted backup data when it switched to a new password verification mechanism. Apple promised a fix once the revelation was made public by Elcomsoft, a mobile forensics tool company.
It’s unclear whether the problem in Android 7 was a simple blunder on Google’s part or if there's another reason for it. However, there are probably few good reasons for storing information about the encryption password's composition in the OS. We’ve contacted Google for an explanation and we’ll update this post when we get a reply.