We are developing a secure application for Android. It's required for users to keep the filesystems of their devices encrypted, but we have to check this fact and forbid use of the app. Is it possible to check if the filesystem is encrypted? Also, there are some devices with Android < 3.0 that support encryption, for example the Motorola RAZR. It would be interesting to know about encryption on such devices.
Full-disk encryption was introduced to Android in 4.4, but Android 5.0 introduced these new features: Created fast encryption, which only encrypts used blocks on the data partition to avoid first boot taking a long time. Only ext4 and f2fs filesystems currently support fast encryption.
You can verify this by going into Settings > Security & lock screen > Encryption & credentials. It should say "Encrypt phone - encrypted" and it won't allow you to turn it off.
Virtually all Android devices on the market now come with encryption enabled by default. This is because Google required manufacturers to enable full-disk encryption starting with Android 6.0 Marshmallow, which debuted all the way back in 2015.
Just to clarify CommonsWare's answer, you can read the device encryption status without any Android permissions.
    import android.annotation.TargetApi;
    import android.app.admin.DevicePolicyManager;
    import android.content.Context;
    import android.os.Build;

    /**
     * Returns the encryption status of the device. Prior to Honeycomb, whole device encryption was
     * not supported by Android, and this method returns ENCRYPTION_STATUS_UNSUPPORTED.
     *
     * @return One of the following constants from DevicePolicyManager:
     *         ENCRYPTION_STATUS_UNSUPPORTED, ENCRYPTION_STATUS_INACTIVE,
     *         ENCRYPTION_STATUS_ACTIVATING, ENCRYPTION_STATUS_ACTIVE,
     *         ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY, ENCRYPTION_STATUS_ACTIVE_PER_USER.
     */
    @TargetApi(11)
    private static int getDeviceEncryptionStatus(Context context)
    {
        // Default for pre-Honeycomb devices, or when the service is unavailable.
        int status = DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED;
        if (Build.VERSION.SDK_INT >= 11) {
            final DevicePolicyManager dpm =
                    (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
            if (dpm != null) {
                // Reading the status does not require any permission.
                status = dpm.getStorageEncryptionStatus();
            }
        }
        return status;
    }
See the documentation for DevicePolicyManager and the encryption status flags.
It's also worth mentioning that Android has moved from full-disk encryption to file-based encryption to support Direct Boot, among other things. See File Based Encryption.
If your app is registered as a device admin, you can call getStorageEncryptionStatus() on DevicePolicyManager to find out the encryption status of the device, for API Level 11 and higher.
For any whole-device encryption on lower API levels, please contact the device manufacturer.
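An added example, not part of the original answers: one way to turn the value returned by getStorageEncryptionStatus() into the allow/deny decision the question asks for. The EncryptionGate class and its Verdict enum are hypothetical names, and the code assumes compilation against API 24 or later so that all six status constants are available.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;

/** Hypothetical helper: maps the storage encryption status to an allow/deny verdict. */
public final class EncryptionGate {

    public enum Verdict { ALLOW, DENY_NOT_ENCRYPTED, DENY_NO_USER_KEY, DENY_UNKNOWN }

    private EncryptionGate() {}

    /** Pure mapping from a DevicePolicyManager status constant to a verdict. */
    public static Verdict evaluate(int status) {
        switch (status) {
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE:
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER:
                return Verdict.ALLOW;
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY:
                // Storage is encrypted, but no encryption key has been set by the
                // user, so this policy treats it as insufficient.
                return Verdict.DENY_NO_USER_KEY;
            case DevicePolicyManager.ENCRYPTION_STATUS_INACTIVE:
            case DevicePolicyManager.ENCRYPTION_STATUS_ACTIVATING:
            case DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED:
                return Verdict.DENY_NOT_ENCRYPTED;
            default:
                // Fail closed on any status value this code does not know about.
                return Verdict.DENY_UNKNOWN;
        }
    }

    /** Reads the current status (API 11+) and evaluates it; denies if the service is missing. */
    public static Verdict check(Context context) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null) {
            return Verdict.DENY_UNKNOWN;
        }
        return evaluate(dpm.getStorageEncryptionStatus());
    }
}
```

Calling EncryptionGate.check(context) at startup and refusing to proceed on anything other than Verdict.ALLOW gives a fail-closed gate; the distinct deny values let the app tell the user whether to enable encryption or to set a lock-screen credential.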