File-Based Encryption Vulnerability Reported by DeesTroy is Fixed in May’s Security Update
With the introduction of Android 7.0 Nougat, Google switched to a file-based encryption method instead of the full disk encryption that we were using in Marshmallow. There are benefits and drawbacks to each of these methods, but Google’s security team felt Android was better suited to file-based encryption given the level of hardware most flagship smartphones ship with these days. While this does make some things more secure, there were some remnants lying around that were not updated.
Specifically, there was a device_policies.xml file in /data/system/ that contained stats about your password. This included information such as the active quality of the password, how long it was, and how many uppercase letters, lowercase letters, numbers, symbols and special characters were present. So while it didn’t exactly give away your password, an attacker who knew this type of information would have an easier time brute forcing their way into the device than one without it.
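To make the risk concrete, here is an added Python example (not from the article, and not code from TWRP or Google) that quantifies how much search space a leak like this removes: it compares the number of candidate passwords when only an upper bound on length is known, when the exact length is known, and when the per-class character counts are known as well. The 95-character printable-ASCII alphabet split into four classes is a constructed assumption; Android's own quality constants and class definitions are not modelled.

```python
import math

# Constructed assumption: printable ASCII split into four character classes.
# The leaked file reported counts per class; the exact class definitions
# Android used are not modelled here.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASS_SIZES.values())  # 95 printable characters


def keyspace_unknown_length(max_len):
    """Candidates when only an upper bound on the length is known."""
    return sum(ALPHABET ** n for n in range(1, max_len + 1))


def keyspace_known_length(length):
    """Candidates when the exact length is known (one field of the leak)."""
    return ALPHABET ** length


def keyspace_known_composition(counts):
    """Candidates when the exact number of characters per class is known.

    counts maps class name -> number of characters of that class.
    Positions of each class: multinomial coefficient length! / prod(c!).
    Characters within those positions: class_size ** count for each class.
    """
    length = sum(counts.values())
    positions = math.factorial(length)
    for c in counts.values():
        positions //= math.factorial(c)
    chars = 1
    for cls, c in counts.items():
        chars *= CLASS_SIZES[cls] ** c
    return positions * chars


def bits(n):
    """Search effort expressed as bits (log2 of the candidate count)."""
    return math.log2(n)


def leak_report(counts, max_len=16):
    """Summarise how many bits of search effort the leaked stats remove."""
    length = sum(counts.values())
    unknown = keyspace_unknown_length(max_len)
    known_len = keyspace_known_length(length)
    known_comp = keyspace_known_composition(counts)
    return {
        "length": length,
        "bits_unknown_length": bits(unknown),
        "bits_known_length": bits(known_len),
        "bits_known_composition": bits(known_comp),
        "bits_lost_to_leak": bits(unknown) - bits(known_comp),
    }


if __name__ == "__main__":
    # Constructed sample: an 8-character password made of 6 lowercase
    # letters and 2 digits, with the attacker otherwise assuming up to 16.
    for key, value in leak_report({"lower": 6, "digit": 2}).items():
        shown = f"{value:.1f}" if isinstance(value, float) else str(value)
        print(f"{key:>24}: {shown}")
```

For the constructed sample, knowing the exact length alone removes the whole tail of longer candidates, and knowing the class counts on top of that cuts roughly another 13 bits, which is why even a file that never stores the password itself matters once it can be read before authentication. A 4-digit PIN reduces to exactly 10,000 candidates once its quality and length are known, which is the case the lock screen's rate limiting is meant to cover.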
On devices with full disk encryption, this file was only accessible after you had entered your PIN, pattern or password successfully. However, this changes completely when a device is using file-based encryption. With a phone using file-based encryption, that file is readily accessible after the password-less Device Encryption process completes. DeesTroy, of TWRP fame, discovered this back in November while tinkering with a Nexus 5X, before they began TWRP development on the Pixel phones.
Yesterday, Google published the details for May’s security update, and this vulnerability has finally been patched in the AOSP code. You can find details about the specific patch here and see that Google rated the vulnerability as moderate. This was because, while it didn’t give away the password, it did make it easier for an attacker to bypass the lock screen after a successful brute force attack.
Source: +DeesTroy