cryptonite
EncFS and TrueCrypt mounted volumes not visible to other apps in Android 4.2
From [email protected] on November 28, 2012 20:32:45
What steps will reproduce the problem?
1. Create a TrueCrypt volume on Windows formatted as FAT32 containing several files and place this on your phone (say in /sdcard/test.tc)
2. Start cryptonite; Launch terminal with Expert->Start root terminal
3. Issue the following command:
truecrypt --fs-options="uid=1000,gid=1000,umask=0002" /sdcard/test.tc /mnt/sdcard/tc
NOTE: I had to create the mount point /mnt/sdcard/tc before issuing this command or truecrypt would issue a mount error message. Enter password, etc. Then the command and mount succeeds.
4. Examine the mounted directory using:
ls -al /mnt/sdcard/tc
Files are present there.
5. Launch ES File Explorer (root or otherwise). Navigate to /mnt/sdcard/tc or /sdcard/tc and there are no files listed there. The directory appears empty.
What is the expected output? What do you see instead?
I expected to see the files in the TrueCrypt volume at the mount location. In fact I did see them from the terminal window started from cryptonite. However, they're only visible in that terminal window. Other apps can't see those mounted files.
What version of the product are you using? On what operating system?
0.7.6 with the updated truecrypt binary recently created for Android 4.2 compatibility (see issue #46 ).
Please provide any additional information below.
I don't think this is really a bug in cryptonite's TrueCrypt binary. Feel free to close this issue as you see fit. However, it significantly limits the usefulness of mounting TrueCrypt volumes under Android 4.2 since the files aren't visible to other apps.
I've seen this problem with another Android encryption tool called LUKS Manager. The issue is discussed here: http://nemesis2.qx.net/forums/index.php/topic,143.0.html There is apparently a new Android 4.2 feature which makes mounts appear to be process or app bounded and not visible to other processes or apps. This has been worked around by the author of StickMount, but it's not clear how he did that. The thread is here: http://forum.xda-developers.com/showthread.php?p=34417228#post34417228 Some kind of workaround or way to disable this new Android feature would be appreciated.
Original issue: http://code.google.com/p/cryptonite/issues/detail?id=47
From [email protected] on November 28, 2012 12:42:33
Thanks for reporting this. This will be difficult for me to fix until I get my hands on a 4.2 device. Do you get the same problem with EncFS mounts?
From [email protected] on November 28, 2012 13:58:54
Difficulty understood. Thanks for considering it.
I don't have any experience with EncFS, so I may not have the steps right. I tried using cryptonite's local tab to "Create local volume". This seemed to succeed. Then I mounted it using "Mount EncFS" and selected "View mounted" and used the built-in file browser. It showed an empty directory. I switched to ES File Explorer and navigated to that same location shown in the browser (/storage/emulated/0/csh.cryptonite/mnt) and tried to create a file foo. The file was created. I unmounted in cryptonite and then in ES File Explorer the file was still there, with the same contents (I expected it to be encrypted). I also tried the original directory location for the EncFS I created (it wasn't /storage/..., but was /sdcard/Data/encFS). Behavior was the same.
I'm not sure I am doing this correctly. If you have other steps, I'd be glad to try them out.
From [email protected] on November 28, 2012 14:03:44
Thanks for testing this. Sounds like the same issue is present in EncFS. You're essentially creating "foo" on top of a mount point that ES File Explorer is not aware of. That's why "foo" is not encrypted. I bet the same thing happens when you create "foo" in a TrueCrypt mount point.
From [email protected] on November 28, 2012 14:04:38
Changed the title to include EncFS.
Summary: EncFS and TrueCrypt mounted volumes not visible to other apps in Android 4.2 (was: TrueCrypt mounted volumes not accessible by other apps in Android 4.2)
Status: Accepted
From [email protected] on December 02, 2012 11:37:09
Checked this with an encfs encrypted folder on a Galaxy Nexus with 4.2.1.
If I mount an encrypted folder as user root in a terminal I can access (in the same terminal session) the decrypted folder even as normal user without root rights.
I can see this folder with some apps (like OI File Explorer) but not others (like ASTRA File Explorer). But all other apps can't access the folder (i.e. read the files).
The spooky thing: if I mount this folder with the Cryptonite GUI I even can't see the decrypted folder if I don't use the built-in file browser (check mark in settings not set). If I set the check mark and use the internal file browser I see the decrypted folder content.
From [email protected] on December 15, 2012 04:05:00
Still waiting for Android 4.2 for either LG O2X or Asus TF700T. Shouldn't take too long now.
Does anyone know whether LUKS Manager has been fixed on 4.2 in the meantime?
From [email protected] on December 16, 2012 06:55:51
No - not sure about LUKS but Chainfire fixed Stickmount. Version 2.10 works now on 4.2.1 again. Mounts are visible and accessible from different apps.
From [email protected] on December 16, 2012 07:36:30
@piecha.se: Is "Stickmount" open source? Any ideas how they did that? Anyone I could contact?
From [email protected] on December 16, 2012 07:50:11
Sent an email to [email protected]. In the meantime: What are the ownerships and permissions on volumes that have been mounted with Stickmount on 4.2?
From [email protected] on December 16, 2012 07:52:39
Well, tried to contact Chainfire but got no feedback so far. Here's the thread about Stickmount: http://forum.xda-developers.com/showthread.php?t=1400034&page=51 . The interesting Android 4.2.1 related issues are around page 51 ff. Asked today again how to fix the issue with invisible mounts in Android 4.2+.
From [email protected] on December 16, 2012 07:56:24
@comment 10: a FAT formatted USB stick gets mounted in folder sda1 under /sdcard/usbStorage and has permissions 775.
From [email protected] on December 16, 2012 08:03:32
@piecha.se: Who's the owner? Try for example
ls -la /sdcard/usbStorage
Also, what does the relevant line in /proc/mounts look like? Try
cat /proc/mounts
Thanks!
From [email protected] on December 16, 2012 08:09:22
Forgot to look for the owner...
Owner and group are root:sdcard_rw
Relevant entry from /proc/mounts:
/dev/block/sda1 /data/media/0/usbStorage/sda1 vfat rw,nosuid,nodev,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro 0 0
From [email protected] on December 16, 2012 08:26:45
Thanks. What's the ownership of the mounted TrueCrypt volumes that are causing problems (from the root shell that you used to call truecrypt)?
From [email protected] on December 16, 2012 11:50:09
I don't use Truecrypt volumes but EncFS encrypted files.
From [email protected] on December 16, 2012 11:54:00
It seems SELinux is causing the troubles in Android 4.2. It's being discussed in the thread I recommended before on page 62 ( http://forum.xda-developers.com/showthread.php?t=1400034&page=62 ).
From [email protected] on December 17, 2012 04:18:59
Comment 16 by piecha.se:
What's the ownership of the mounted TrueCrypt volumes? I don't use Truecrypt volumes but EncFS encrypted files.
What's the ownership of the mounted EncFS volume then?
From [email protected] on December 17, 2012 06:11:01
Owner of mounted EncFS volume: root:sdcard_rw
encfs options: --public -o allow_other,nonempty --stdinpass
/proc/mounts: encfs /mnt/shell/emulated/0/docs/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
If I mount the EncFS volume from a terminal under /sdcard/whatever other apps don't see any content in the mounted folder.
If I mount the same EncFS volume again from a terminal under /system/decrypted (/system doesn't have to be rw for mounting, just for creating the folder decrypted the first time) other apps do see the content and can access the files. If I try to mount under /system/decrypted from other apps like Tasker or Gscript again other apps don't see the content.
From [email protected] on January 01, 2013 11:45:57
I've added a workaround (e74d1c8b5c19) to mount EncFS volumes so that they are visible to all apps with root permissions. You will still need a file browser with root permissions to see the files. The builtin file browser ("View mounted") won't work! It's available in the latest alpha (0.7.7): https://code.google.com/p/cryptonite/downloads/list Please test.
Status: Started
From [email protected] on January 01, 2013 13:40:07
Tested! By using the V0.7.7-APK from your linked website, I can confirm that on my rooted Asus/Google Nexus 7 (Android 4.2) the decrypted content now also gets visible to my file explorer "Astro". (Which is great!) However, other applications such as Quickpic or the built-in image explorer see the mount point still empty. Keep up the good work, thanks a lot!
From [email protected] on January 02, 2013 03:59:54
Thanks for your time trying to fix. But it has not worked for me so far. I'm using CM 10.1 on Galaxy S3 international version (I9300). My encrypted data was in my external SD card. I tried to mount and I could read lots of operations being executed like MV, cp, chmod and others. But at the end it says: Failed to mount. I tried a clean install of cryptonite deleting cache and configs. Problem persists. Can you help me?
From [email protected] on January 02, 2013 13:17:44
I'll try the Alpha version as well.
What's the issue? What is the workaround? Could you please shed some light on that?
Could anyone else please check and mount an EncFS volume (both from a terminal and GUI) in some folder under /system (like /system/decrypted)? /system doesn't have to be rw for mounting, just for creating the new mount folder the first time. Other apps should see the content and should be able to access the files.
From [email protected] on January 03, 2013 00:36:47
To mount an EncFS directory from a terminal you can use the following command:
echo
Please use as mount point some directory in /system, like /system/decrypted.
From [email protected] on January 03, 2013 03:04:17
Comment 24 by piecha.se:
What's the issue?
In Android 4.2, a process needs to have privileges to perform a system-wide mount that is visible to all other apps. Apparently, these privileges are hard-coded.
What is the workaround?
The ugly workaround is to temporarily "hijack" a process with appropriate privileges (/system/bin/debuggerd) to perform the mount. I suspect that's what stickmount is doing as well. You can reproduce these steps from the command line. The code is here: https://code.google.com/p/cryptonite/source/browse/cryptonite/src/csh/cryptonite/ShellUtils.java?#133 In detail:
- Stop the debugger daemon ($ stop debuggerd)
- Remount /system rw ($ mount -o rw,remount /system /system)
- Copy the binary to a safe place ($ cp /system/bin/debuggerd /system/bin/debuggerd.bak)
- Write a shell script to perform the mount and save it as /system/bin/debuggerd. Rather than spawning a daemon, EncFS needs to run in the foreground (-f) with that method.
- Change the ownership (root:shell) and permissions (755) of that script
- Start the hijacked debugger daemon (which will now be an EncFS daemon).
- Once it's running, restore the original debuggerd binary ($ mv /system/bin/debuggerd.bak /system/bin/debuggerd)
- Remount /system ro ($ mount -o ro,remount /system /system)
To unmount the EncFS volume, you'll have to stop the debugger daemon ($ stop debuggerd) and then unmount the EncFS volume using the method described above.
From [email protected] on January 03, 2013 03:29:02
Comment 24 by piecha.se:
Could anyone else please check and mount an EncFS volume (both from a terminal and GUI) in some folder under /system (like /system/decrypted)? /system doesn't have to be rw for mounting, just for creating the new mount folder the first time. Other apps should see the content and should be able to access the files.
While this works, most non-root apps won't be able to access /system. Try the new CM file manager in "safe mode" for example.
From [email protected] on January 03, 2013 05:11:23
Re comment 27:
That's really an ugly workaround. Looks like Google will patch it within the next release, but hopefully they offer something to deal with privileges.
Re comment 28: I wasn't aware there's a difference in root and non-root apps. Thought that for some functions root rights are required and then any app just asks for root permission.
If I mount the EncFS folder under /system I can access it for instance with ASTRO, ezPDF and KeePass which all don't ask for root permissions.
If you mean with 'CM file manager' the Cryptonite 0.7.6 built-in file manager I could see the decrypted content mounted under /system.
From [email protected] on January 04, 2013 06:09:17
So I have tested 0.7.7 on 4.2.1 without success. I was able to create a new EncFS, mount it, but when I copy anything inside, it is not being encrypted. I tried Solid Explorer and Total Commander with option "Use Root functions everywhere".
From [email protected] on January 04, 2013 06:17:03
Given that root permissions are required anyway at this stage and the debuggerd hack doesn't work on all devices, it seems like piecha.se's solution of mounting under /system is a bit less ugly. It would be good to test piecha.se's solution on some more devices though. See his instructions ( https://code.google.com/p/cryptonite/issues/detail?id=47#c26 ).
From [email protected] on January 04, 2013 08:03:15
So the /system hack is kind of working. It seems that the only problem is that when I encrypt some files, they get wrong permissions and cannot be read again. They seem to get only read permission by owner which is root. If I manually change the permissions then I am able to read the files again.
I run the command from ADB. Also when running the command from terminal emulator it does not work (but no error message, it looks the same).
I guess that is not helpful much, but I suck with Linux :-D.