by Thorrez 2352 days ago
> the near impossible task of defending a physical device in the hands of an attacker.

If you assume the device is off and the user chose a strong password, it's pretty easy to defend. You simply encrypt the data with a key which is encrypted with the user's password.

If you want to protect devices that are on, or want to protect devices with less than stellar passwords, then it becomes harder.

3 comments

That is not very strong protection - it lets you perform dictionary attacks at high speed.

It is often more secure to generate a random, high-entropy key and store it in secure storage, which is what the iPhone does.

If you assume a strong password you don't need to worry about dictionary attacks.

There are 2 ways to slow down the attacks: key stretching and secure storage. Key stretching is a good idea.

I recommend not relying fully on secure storage, because I've heard of tons of hardware vulnerabilities (side channel attacks, undervoltage, electron microscopes, buggy implementation). I trust math more than a physical object. In fact it seems impossible to me to build fully secure storage, because if someone has a delicate enough measurement tool to measure the atoms inside the storage, the data inside can be extracted. If you store the password (or hashed password) as well as the key in the secure storage, and have it only return the key if the input password is correct, you run the risk of someone finding a bug in the storage to extract the key without the password. Then you're compromised.

But you build a system so that the secure storage is no worse than regular crypto. You do the encryption using a combination of the user's password and the output of the secure storage. That way even if the secure storage is fully compromised, the password is still needed.
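The scheme described in the comment above (key stretching, plus mixing the password with the output of secure storage), sketched as an added example that is not part of the original thread. The iteration count, the function names, the sample password and the XOR-plus-HMAC wrap (a stand-in for a real key-wrap such as AES key wrap) are assumptions, and the secure element is simulated by a plain `hw_secret` value.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed stretching cost; tune to the device

def derive_kek(password, salt, hw_secret, iterations=ITERATIONS):
    """Key-encryption key that depends on BOTH the password and the hardware secret."""
    # Key stretching: every password guess costs `iterations` HMAC calls.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Mix in the secure-storage secret. On a real device this HMAC would run
    # inside the secure element so hw_secret never leaves it (simulated here).
    return hmac.new(hw_secret, stretched, hashlib.sha256).digest()

def _subkey(kek, label):
    return hmac.new(kek, label, hashlib.sha256).digest()

def wrap(dek, kek):
    """Toy wrap of a 32-byte data key: one-time XOR pad + HMAC tag (not AES key wrap)."""
    ct = bytes(a ^ b for a, b in zip(dek, _subkey(kek, b"enc")))
    return ct + hmac.new(_subkey(kek, b"mac"), ct, hashlib.sha256).digest()

def unwrap(blob, kek):
    """Return the data key, or None if the password or hardware secret is wrong."""
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(_subkey(kek, b"mac"), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _subkey(kek, b"enc")))

def demo(iterations=ITERATIONS):
    """Constructed scenario: random salt, hardware secret and data key."""
    salt, hw_secret, dek = os.urandom(16), os.urandom(32), os.urandom(32)
    blob = wrap(dek, derive_kek("correct horse 42", salt, hw_secret, iterations))
    return {
        "owner": unwrap(blob, derive_kek("correct horse 42", salt, hw_secret, iterations)) == dek,
        "hw_secret_leaked_wrong_pw": unwrap(blob, derive_kek("guess", salt, hw_secret, iterations)),
        "pw_known_no_hw_secret": unwrap(blob, derive_kek("correct horse 42", salt, os.urandom(32), iterations)),
    }

if __name__ == "__main__":
    print(demo())
```

With the hardware secret extracted, each password guess still costs a full stretching pass; without it, even the correct password does not unwrap the key.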

You can't really assume a strong password, because if you have to type in 12 characters, letters and punctuation marks every time you want to look at your phone, you're going to give up on the whole thing pretty quickly.

To be usable, phones need to allow relatively weak passwords.

I've had a password like that on my (Android) phone for ~7 years and haven't given up. I don't use punctuation though, it's not worth the extra taps to get to the punctuation keyboard for the entropy you gain. I've never had fingerprint or face ID enabled either.

12 characters gives 62 bits of entropy. That's plenty if proper key strengthening is in place.

Linus Sebastian says that when his phone got slower to open up, he got happier, because it caused him to use his phone less, cutting out the useless stuff. https://youtu.be/WGZh-xP-q7A?t=305

> If you assume the device is off

When was the last time a regular person turned their phone off? Not counting reboots or out of battery incidents I'm going to guess not since it was purchased.

“if you assume the device is off”?

I suppose if you assume the user never puts data on the device, it also becomes easier.