Encrypted overlay filesystems implementation for Android. Also available on GitHub: https://github.com/hardcore-sushi/DroidFS
Go to file
2022-04-18 14:55:59 +02:00
app Show a fingerprint icon when password hash is saved 2022-04-18 14:55:59 +02:00
fastlane/metadata/android Update Russian translation 2022-03-08 16:10:10 +01:00
gradle/wrapper Update dependencies & Add camera capture mode settings 2021-09-01 19:31:25 +02:00
libpdfviewer@8fe8b2f4b3 Update to libpdfviewer 13 2022-03-26 19:44:14 +01:00
.gitignore Inital commit 2020-07-17 22:12:20 +02:00
.gitmodules PDF viewer 2022-02-18 15:53:48 +01:00
build.gradle Explorer grid layout 2022-04-09 15:09:14 +02:00
gradle.properties Inital commit 2020-07-17 22:12:20 +02:00
gradlew Updating to gradle 6.6.1 2020-09-08 11:27:07 +02:00
gradlew.bat Updating to gradle 6.6.1 2020-09-08 11:27:07 +02:00
LICENSE.txt Inital commit 2020-07-17 22:12:20 +02:00
README.md Update to libpdfviewer 13 2022-03-26 19:44:14 +01:00
settings.gradle PDF viewer 2022-02-18 15:53:48 +01:00

DroidFS

DroidFS is an alternative way to use encrypted overlay filesystems on Android that uses its own internal file explorer instead of mounting virtual volumes. It currently only works with gocryptfs but support for CryFS could be added in the future.

Disclaimer

DroidFS is provided "as is", without any warranty of any kind. It shouldn't be considered as an absolute safe way to store files. DroidFS cannot protect you from screen recording apps, keyloggers, apk backdooring, compromised root accesses, memory dumps etc. Do not use this app with volumes containing sensitive data unless you know exactly what you are doing.

Unsafe features

DroidFS allows you to enable/disable unsafe features to fit your needs between security and comfort. It is strongly recommended to read the documentation of a feature before enabling it.

  • Allow screenshots:

    Disable the secure flag of DroidFS activities. This will allow you to take screenshots from the app, but will also allow other apps to record the screen while using DroidFS. Note: apps with root access don't care about this flag: they can take screenshots or record the screen of any app without any permissions.
  • Allow opening files with other applications *:

    Decrypt and open file using external apps. These apps could save and send the files thus opened.
  • Allow exporting files:

    Decrypt and write file to disk (external storage). Any app with storage permissions could access exported files.
  • Allow sharing files via the android share menu *:

    Decrypt and share file with other apps. These apps could save and send the files thus shared.
  • Keep volume open when the app goes in background:

    Don't close the volume when you leave the app but keep running it in the background. Anyone going back to the activity could have access to the volume.
  • Allow saving password hash using fingerprint:

    Generate an AES-256 GCM key in the Android Keystore (protected by fingerprint authentication), then use it to encrypt the volume password hash and store it to the DroidFS internal storage. This require Android v6.0+. If your device is not encrypted, extracting the encryption key with physical access may be possible.
* Features requiring temporary writing of the plain file to disk (DroidFS internal storage). This file could be read by apps with root access or by physical access if your device is not encrypted.

Download

You can download DroidFS from F-Droid or from the "Releases" section in the repo.

APKs available here are signed with my PGP key available on keyservers:

gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys AFE384344A45E13A
Fingerprint: B64E FE86 CEE1 D054 F082 1711 AFE3 8434 4A45 E13A
Email: Hardcore Sushi <hardcore.sushi@disroot.org>

To verify APKs, save the PGP-signed message to a file and run gpg --verify <the file>. Don't install any APK if the verification fails !

If the signature is valid, you can compare the SHA256 checksums with:

sha256sum <APK file>

Don't install the APK if the checksums don't match!

F-Droid APKs should be signed with the F-Droid key. More details here.

Permissions

DroidFS need some permissions to work properly. Here is why:

  • Read & write access to shared storage:

    Required for creating, opening and modifying volumes and for importing/exporting files to/from volumes.
  • Biometric/Fingerprint hardware:

    Required to encrypt/decrypt password hashes using a fingerprint protected key.
  • Camera:

    Needed to take photos & videos directly encrypted inside DroidFS. You can deny this permission if you don't want to use it.
  • Record audio:

    Required if you want sound on video recorded with DroidFS.

Limitations

DroidFS use some parts of the original gocryptfs code, which is designed to run on Linux x86 systems: it accesses the underlying file system with file paths and syscalls. However in Android, you can't access other apps files with file paths. Instead, you must use the ContentProvider API. And obviously, the original gocryptfs code doesn't work with this API. This is why DroidFS can't open volumes provided by other applications, such as cloud storage clients. You can only use DroidFS with volumes located on shared storage or in the app's internal storage (hidden volumes). External storage such as SD cards are only supported in read-only access for now.

Build

Most of the original gocryptfs code was used as is (written in Go) and compiled to native code. That's why you need Go and the Android Native Development Kit (NDK) to build DroidFS from source.

Install dependencies

On debian:

$ sudo apt-get install build-essential pkg-config libssl-dev

Install Go:

$ sudo apt-get install golang-go

You also need to install the Android SDK build tools and the Android NDK.

Download Sources

$ git clone --recurse-submodules https://github.com/hardcore-sushi/DroidFS.git
$ cd DroidFS

libgocryptfs needs OpenSSL:

$ cd app/libgocryptfs
$ wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz

Verify OpenSSL signature:

$ wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz.asc
$ gpg --verify openssl-1.1.1m.tar.gz.asc openssl-1.1.1m.tar.gz

Continue ONLY if the signature is VALID.

$ tar -xvzf openssl-1.1.1m.tar.gz

DroidFS also need FFmpeg to record encrypted video:

$ cd app/ffmpeg
$ git clone --depth=1 https://git.ffmpeg.org/ffmpeg.git

Generate a keystore

APKs must be signed to be installed on an Android device. If you don't already have a keystore, you can generate one by running:

$ keytool -genkey -keystore <output file> -alias <key alias> -keyalg EC -validity 10000

Build

Retrieve your Android NDK installation path, usually something like "/home/<user>/Android/SDK/ndk/<NDK version>". Now you can build libgocryptfs:

$ cd DroidFS/app/libgocryptfs
$ env ANDROID_NDK_HOME="<your ndk path>" OPENSSL_PATH="./openssl-1.1.1m" ./build.sh

Then FFmpeg:

$ cd app/ffmpeg
$ env ANDROID_NDK_HOME="<your ndk path>" ./build.sh ffmpeg

Finally, compile the app:

$ ./gradlew assembleRelease

If the build succeeds, you will find the unsigned APKs in app/build/outputs/apk/release/. You need to sign them in order to install the app:

$ apksigner sign --out droidfs.apk -v --ks <keystore> app/build/outputs/apk/release/<unsigned apk file>

Now you can install droidfs.apk on your device.

Third party code

Thanks to these open source projects that DroidFS uses:

Modified code:

Borrowed code:

Libraries: